Serious Fraud Office Issue Corporate Co-Operation Guidance Update
The Serious Fraud Office (SFO) has released new guidance on how companies should co-operate, but what does it really mean for your business?
Earlier this month (6th August) the SFO released their guidelines on corporate cooperation. The document seeks to provide companies who are considering entering into a Deferred Prosecution Agreement (DPA) with guidance on what would be considered appropriate cooperation. DPAs are a tool that the SFO (like many other enforcement agencies around the world) has been turning to. According to the SFO’s website there are currently five DPAs in operation; yet this count is expected to increase moving forward.
Under the DPA guidelines, there are a significant number of points relating to digital evidence – this starts with the very first good general practices point:
"Preserve both digital and hard copy relevant material using a method that prevents the risk of document destruction or damage."
Digital evidence is emphasised in the second point to "…ensure digital integrity is preserved". This means that any evidence needs to be identified and captured in a forensically sound manner.
To maintain digital integrity, it is important that evidence is handled in a forensically sound manner from the outset. This is because data can be highly volatile and can be easily altered or deleted, intentionally or otherwise. This does not mean that every single byte of corporate data needs to be fully captured and investigated. Rather, companies must ensure that all relevant systems are appropriately managed.
It is essential during any investigation that the process followed to capture, prepare and investigate data is always robust and complete. If it isn’t, then the results may not be admissible in a court of law or the investigation itself may become publicly criticised.
In the guidance, there is also an entire section on "Digital evidence and devices" which covers a number of areas. Given that personal devices are being used more frequently in a business capacity and the use of technology is constantly evolving, this is a key section for firms to be aware of. As such, A&M has mapped out details on each point below to shed some more light on what it all means:
1. The guidance demands that any documents provided are able to be loaded onto the SFO’s own document review platform
Although this is an unsurprising point from an eDiscovery perspective, it may come as a surprise for companies not familiar with the disclosure requirements in litigation. What is important to note here is the second and final sentence of the point, which requires the actions and decisions taken to identify relevant documents to be described, and presumably defended. Although this may not be requested in every case, the possibility of the request means it would be best practice to produce this in all cases. This means ensuring that decisions are detailed at every point and that the technical process is fully understood, including all the details and options employed. With the use of TAR and machine learning increasing in document review exercises, it is important that the workings of these are understood as well.
2. Production of a complete audit trail is a critical point of any forensic process
Firms need to be able to prove where the data originated from, who did what with it and when. This is a simple process to follow – but one where failures have caused many cases to be dropped.
3. Ageing technology is often a key factor in investigations
This is because technology changes rapidly and because investigations can often cover an extensive period of time. This comes up most often in relation to back-up tapes from old, non-production servers, where the original systems backed up may have been decommissioned and are no longer in the company’s possession. However, this does not mean that the data cannot be accessed. In fact, A&M has worked on many cases where back-up tapes have provided vital evidence on acts from the past, and they should therefore not be discarded. They may not be the first place an investigation would focus on, but at the very least, they need to be preserved at the outset of the investigation and not totally ignored.
4. Relevant documents may not always be in the company’s control
There is, therefore, a need to make the SFO aware of this. This means that at the outset of the case, a wider lens should be applied beyond the internal corporate systems that are readily accessible. Specifically, the SFO document refers to sources of data owned by individuals rather than companies. This could mean the company has no access to certain devices such as personal phones, email accounts or messaging systems such as WhatsApp!
5. Information should be in an accessible form
Any password or key required to decrypt data must be provided along with the documents themselves. Although this may be perceived as common sense, this can become a complicated request to fulfil, not least in relation to specific files that a user themselves may have set a password for, rather than corporate system passwords which can generally be overridden by an administrator.
Ultimately, the SFO guidance will prove helpful to companies before and during an SFO investigation. It’s clear, however, that a one-size-fits-all approach won’t apply. As such, companies will need to carefully consider how to undertake an investigation, specifically in relation to digital evidence, to maximise the benefit of any cooperation.
Hopefully these insights help provide a little more clarity on what the SFO guidance means for you and how it might impact the way you work. However, should you have further questions, please do not hesitate to contact the author or a member of A&M’s Disputes & Investigations team.