The SFO releases new guidance on how companies should co-operate; but what does it really mean for you?

Earlier this month (6th August) the SFO released their guidelines on corporate cooperation. The document seeks to provide companies who are considering entering into a Deferred Prosecution Agreement (DPA) with guidance on what would be considered appropriate cooperation. DPAs are a tool that the SFO (like many other enforcement agencies around the World) has been turning to. According to the SFO’s website there are five current DPAs in operation currently; yet we all expect this count to increase moving forward.

Under the guidelines, there are a significant number of points relating to digital evidence – this starts with the very first good general practices point:

“Preserve both digital and hard copy relevant material using a method that prevents the risk of document destruction or damage.”

Digital evidence is emphasised on the second point to “…ensure digital integrity is preserved.” This means that any evidence needs to be identified and captured in a forensically sound manner. 

As we all know data can be highly volatile and can be easily altered or deleted, intentionally or otherwise. As such, it is important that it is handled in a forensically sound matter from the outset. This does not mean that every single byte of corporate data needs to be fully captured and investigated. Rather all relevant systems need to be appropriately managed.

It is essential that during any investigation, that the process followed to capture, prepare and investigate data is always robust and complete. If it isn’t, then the results may not be admissible in a court of law or the investigation itself may become publicly criticised.

In the guidance, there is also an entire section on “Digital evidence and devices” which covers a number of areas. Given we are all using our own personal devices so much more in a business capacity and our use of tech is constantly evolving, this is a key section for firms to be aware of. As such we have mapped out some more detail on each point below to shed some more light on what it all means:

1.    The guidance demands that any documents provided are able to be loaded onto the SFO’s own document review platform. Although this is an unsurprising point from an ediscovery perspective, it may come as a surprise for companies not familiar with the disclosure requirements in litigation. What is important here is to note the second and final sentence of the point in which it will require the actions and decisions taken to identify relevant documents to be described, and presumably defended. Although this may not be requested in every case (because of the possibility of the request) it would be best practice to produce this in all cases. This means ensuring that decisions are detailed at every point and that the technical process is fully understood, including all of the details and options employed. With the use of TAR and machine learning increasing through a document review exercise, it is important that the workings of this is understood as well.

2.    Production of a complete audit trail is a critical point of any forensic process. Firms need to be able to prove where the data originated from, who did what with it and when. This is a simple process to follow – but one that has caused many a case to be dropped.

3.    Ageing technology is often a key factor. This is because technology changes rapidly and because investigations can often cover a very wide period of time. This comes up most often in relation to back-up tapes from old, non-production servers, where the original systems backed up may have been decommissioned and no longer by in the company’s possession. This does not mean that the data cannot be accessed, though. In fact, we have worked on many cases where backup tapes have provided vital evidence on acts from the past, and therefore they should not be forgotten. They may not be the first place an investigation would focus on, but at the very least, they need to be preserved at the outset of the investigation and not ignored totally.

4.    Relevant documents may not always be in the company’s control. There is therefore a need to make the SFO aware of this. This means that at the outset of the case a wider lens should to be applied than simply the internal corporate systems that are readily accessible. Specifically, the document refers to sources of data owned by individuals rather than companies. This could mean the company has no access to certain devices such as personal phones, email accounts or messaging systems such as WhatsApp!

5.    Information should be in an accessible form. Any password or key etc required to decrypt data must be provided along with the documents themselves. Although this may be perceived as common sense, this can become a complicated request to fulfil. Not least in relation to specific files that a user themselves may have set a password for, rather than corporate system passwords which can generally be overrode by an administrator.

Ultimately, the guidance will prove helpful to companies before and during an SFO investigation. But it’s clear that a one-size-fits-all approach won’t apply. As such, companies will need to consider carefully how to undertake an investigation, specifically in relation to digital evidence, to maximise the benefit of any cooperation.

We hope that the above provides a little more clarity on what the SFO guidance means for you and how it might impact the way you work. However, if you have any further questions about it please do not hesitate to contact me on here.