Best Practices to Supercharge Ediscovery in Investigations

Back to Blog Posts

This is part 2 of a two-part series. For a refresher on the types of investigations, head over to part 1.

There are differing approaches practitioners can use to meet the highly time-sensitive and touchy nature of an investigation while ensuring they are prepared for any future litigation or regulatory investigations. Below, we unpack best best practices for achieving the speed, inclusive precision, confidentiality, and readiness for follow-on actions that investigations require.

Accelerating speed to evidence

The ongoing pressure to mitigate risk, identify bad actors, and control the impact of triggering events places immense pressure on legal practitioners facing any flavor of investigation. There are some best practices to help accelerate time to evidence and insight in an investigation. 

Understand and prioritize your data universe

In investigations, understanding the potentially in-scope methods of communication and structured data sources across all potentially relevant custodians is key. Knowing what data is potentially in-scope, preserving it early, and then using custodial interviews to refine scope is a major accelerator for an investigation. 

Capitalize on AI

Platforms like DISCO AI are especially useful in an investigation context when looking at every single document is far less important than quickly surfacing the most relevant information. Continually refining the system algorithm results in richer information coming to light earlier in an ediscovery review and opens up the opportunity to completely eliminate from the review any unlikely to be relevant information. DISCO has seen upwards of 60% reduction in time to insight via strategic deployment of advanced analytics in managed review. 

Use multiple tools in your toolbox

Accelerate time to evidence by combining multiple analytic tools like social network analysis to identify key custodians, concept clustering to identify or validate key concepts or search terms with Al to accelerate surfacing of evidence. Investigations in particular can benefit from applying a multitude of the ediscovery tools in your toolbox to reduce time to insight. 

Determine if bad words resulted in bad acts that are actionable

Mapping unstructured communication to the structured data relevant in an investigation is especially important. In a securities litigation, understanding if the Bloomberg chat about spoofing granny in the was accompanied with the actual trades that the SEC prohibits is the difference between a penalty and no action. Having tools that can reflect both data types or professionals that can do so is important here. 

Don’t boil the ocean…

Investigations operate under challenging time and budgetary constraints and as a result it is simply not possible to look at every single potentially relevant piece of information. Because the objective is fact discovery vs. completely reviewing and categorizing all data, there are methods to maximize insight without breaking the bank. 

Prioritize data sources, and triangulate

Given the razor-thin timelines legal practitioners often operate under in an investigation, it is imperative to gain an understanding early of the methods of communication and key information sources. Use custodial interviews to determine whether a team is using Slack, WhatsApp, Teams or email; the times and ways they use these communication methods; and the likelihood a certain information source will have key custodians information is highly relevant. Additionally, using the insights from each data source to whittle down the volume of data in additional data sources is a great way to triangulate in on key evidence, interrogate multiple information sources, and not max out your timeline or budget. 

Let go of eyes on every document

People are (finally) beginning to move away from the concept of eyes on every document as the gold standard — not a moment too soon! In the case of an investigation, one needs to uncover the facts, not necessarily physically look at every document in a data universe. Rely on technology that can exclude irrelevant information and trust the algorithm (with appropriate statistical sampling). 

But cast your net wide

In the context of an investigation, it’s easy to want to play a bit of ostrich, looking deep but not so deep as to uncover other potentially reportable information. In general, this is a bad idea because it can lead to larger investigations and litigation down the road and under preservation of key information.

Preserve broadly because you don’t know what you don’t know

Especially when there is a high likelihood of follow-on investigations or litigation, it is important to cast the net widely in identifying and preserving data at the outset. Bad actors may still be fully employed and have an ability to destroy key evidence and/or a person not originally in scope may be later identified as of key relevance. The cost to preserve is small when compared to sanctions for spoliation. Err on the side of over-collecting and then prioritize what is processed and reviewed based on need. 

ID trends and bigger picture issues 

Ensure that prior similar matters are evaluated as potentially in scope or as evidence of a larger trend that requires remediation as well. 

Keeping lips sealed

Because of potential reputational damage and/or the ongoing employment of a bad actor, controlling the flow of information and maintaining strict confidentiality are key. Additionally, in the event that a person is exonerated during an investigation, you do not want to inadvertently message out the contents of the investigation. There are a few methods to maintain control and minimize risk of spoliation and breach of confidentiality. 

Limit the team

Limit the number of people who are privy to the claim or triggering event and only involve people deemed absolutely necessary to facilitate the investigation. Also ensure that all service providers are operating under strict confidentiality agreements. The exact players and actions should only include those dictated as necessary by the particular case at hand.

Speedy remote collection

The IT department of most organizations can remotely collect most employee emails and documents, and I recommend deploying the approach early in the investigation to avoid alerting the targets of an investigation or opening up the opportunity to destroy evidence. In the event of a physical device, a notice of upgrade or replacement can be used to gain access to a device. 

Hold and collect in parallel

In the event a hold notice has to be issued due to regulatory investigation, I recommend kicking off remote collection in parallel with the delivery of the notice for the same reasons outlined above. 

Getting ready for the headache after the headache

Since investigations can often lead to follow-on matters from litigation to government investigations, it is important to prepare to the same level as you would in a litigation despite the aggressive time and cost pressures practitioners often face in an investigation. 

Resist the urge to cut corners

In many instances, an investigation can lead to litigation or larger regulatory scrutiny, so the time and cost pressures facing a practitioner should not be used as a justification to cut corners. The same levels of forensically sound, appropriately inclusive collection and defensible application of workflows and technology should be deployed in an investigation as you would employ in a DOJ investigation or a litigation. 

In many cases, the outcome of an investigation or content therein may be grounds to trigger reasonable anticipation of litigation and as such the duty to preserve kicks in. See “Guideline 1” of The Sedona Conference Commentary on Legal Holds:

A reasonable anticipation of litigation arises when an organization is on notice of a credible probability that it will become involved in litigation, seriously contemplates initiating litigation, or when it takes specific actions to commence litigation.

Document and then document some more

Along with treating an investigation with the same level of forensically sound and defensible processes, it is imperative that the entire process is documented to form a comprehensive audit trail that can be referred to in the event of regulator scrutiny or follow-on litigation. Document everything from the investigative process and all decisions and reasoning with a granular focus on all preservation and collection actions undertaken. This helps with recall down the line as well as validation of steps taken. 


Many triggering events for an investigation are similar to those for more invasive regulatory investigation or litigation, so it is always important to apply the same levels of care despite the immense time and confidentiality pressures often present in an investigation. Whether the impetus for an investigation is internal, regulator-driven, or in anticipation of M&A activity, there are many advanced tools and defensible workflows that practitioners can exploit to manage the heightened pressures and differing objectives faced in an investigation.

Subscribe to the blog
Quick Menu
0%
100%