Our Insights

Thought Leadership and Industry Trends

Home 9 Insights 9 Insights - Advisory Services 9 Data Collection and Investigation: Balancing Security and Accessibility

Data Collection and Investigation: Balancing Security and Accessibility

Jun 29, 2023

Getting your corporate data house in order is critical, but it’s only half the battle. Data collection in response to discovery requests, regulatory requests, and internal/external investigations requires a framework of policies that will help ensure a defensible process. For any scenario, an organization needs to clearly understand the “why, what, where, who, and how” in each response scenario: why the data is required, what data the company in its possession and where it resides, who has and/or needs access to that data, and how that data will be retrieved.

Responding to Requests for Data

When a corporation is faced with the requirement to collect and export its data, initial questions always start with “what is my applicable data set and how do I narrow down and control what needs to be captured?” But beyond just isolating data, internal policy and established framework can help guide the response and retrieval protocol, with the understanding that strict attention must be given to defining the discovery or regulatory scope of the requirement. What can help corporations to balance and measure this response in the best way? Here are some critical items and considerations that can help the effort to establish broader control and security, while maintaining adequate compliance response:

Data mapping: If an organization doesn’t already have a data map, it’s never too late to create one in any format, i.e., it doesn’t necessarily need to look like a map. However, no matter how comprehensive a data map might be, corporations may find that their employees inevitably find themselves operating outside of those elements. In other words, don’t just map your environment once. Establish and maintain a regular update schedule for all of your mapped data sources and audit regularly to discover what sources may not be part of your map.

User-friendly (or unfriendly) storage: When remote work flourished as a result of COVID, employees frequently saved data every place they could, including locations outside of company policy or best practices. Although data must be secure, if it is challenging or impossible to access, even for internal employees, this situation will present a myriad of extraction and collection problems.

Custodial interviews: Knowing what data exists is essential, and custodial interviews are the gold standard for obtaining critical information about “course of business” data activity and storage. Used in combination with transparent communication with your IT stakeholders, interviews led by counsel and subject matter experts can help organizations understand what information exists, what data needs to be targeted, and what the limitations might be.

Compliance roadmap policies: An effective roadmap policy guides the operational chemistry between groups related to individual, corporate, and customer data. However, what’s the good of having a policy that’s not followed? Policies should be reviewed regularly (at least annually) to ensure that they still apply, are workable, and are being used properly. And if not, they require adjustment. Pro tip: a compliance policy that is too tight and restricts employee’s ability to collaborate and innovate is no help either! A healthy balance must be struck for a good governance policy to be effective.

Stakeholders Buy-In: The right stakeholders can boost compliance with directional mandates and emphasize the importance that everyone should focus on keeping organizational data secure. When data is mishandled or leaked, the bills (penalties) can rack up quickly. It is critical that any company, no matter the size, has leadership and ownership that can champion the cause and take the appropriate steps ahead of time.

Technology and Risk Mitigation: It’s no secret – machines outperform people in certain types of work. However, organizations need to gain those efficiencies without opening themselves up to unnecessary risk. As an example, while opening a cloud API for direct 3rd party connection carries some risk, not doing so might introduce the risk of more manual steps, operational inefficiencies, and greater security concerns. While balancing the line on security, companies need to take a hard look at places where the right application of technology can make a difference.

Hold, Retention, and Deletion: Organizations must make their key people aware of what data is on hold and how long that hold will last, plus establish a clear and well communicated plan for the retention requirements on all organization content. Clear policy and procedures are also essential for defensively deleting data that no longer applies to the hold, or subject to standard retention.

Collection Analysis and Reporting: Many tools, whether as-needed forensic utilities or or enterprise applications that collect data directly from an archive or a document repository, come with built-in validation and comprehensive reporting that provides critical information on what was ultimately collected. These reports should present metrics and analysis in an accessible visual format, allowing organizations to make informed, data-driven compliance decisions.

Special Considerations, Practices, and Policies for Employee Investigations

In the specific scope of an investigation, companies should take a conservative approach when addressing collection of employee data, particularly if the collection requires a covert process. Some key questions and considerations to guide this process are:

  • What is the scope of the investigation and how will critical data sources be accessed and retrieved?
  • What are the appropriate privacy considerations, should the employees’ personal data sources be relevant?
  • What are the legal and ethical considerations involved with the subject investigation?
  • How can the investigative team isolate the collection and minimize the capture of irrelevant material?
  • Who is responsible for leading the investigative team and monitoring the progress of investigation tasks and assignments?
  • What access permissions are required for the investigative team to be successful?
  • Have communication protocols been established for the investigation and how will sensitive data be handled and accessed?
  • What security and retention measures are in place to ensure the proper handling of sensitive data sources?

Employee investigations often require “cloak and dagger” methods that won’t tip the target off regarding the investigation; these operations frequently require specific procedures, along with technology and processes to capture relevant data while also filtering out confidential private information. When the time comes to investigate, an established plan and protocol for investigations can greatly assist an organization with an effective and proportionate response.


The efforts that must be taken by corporations to balance security and accessibility are much different from those taken fifteen or twenty years ago, when email was the primary mode of communication and data collection was relatively simple. By contrast, today’s expansive data source environments are much more complex, as is the regulatory environment driving decisions on compliance strategy. Corporations of all sizes must be prepared to handle the challenges of a dispersed and diversified data landscape, and the possibility of a compliance requirement event.

CDS provides a full range of forensics services and advisory services related to information governance, data collection, analysis, and security. To discuss how we can help your organization balance data security and accessibility, contact us for a consultation today.

About the Author

Brad Berkshire

Brad Berkshire

Brad Berkshire is an eDiscovery, information governance, and digital forensics expert whose role at Complete Discovery Source includes leading complex projects and consulting, training, and educating internal teams as well as external clients on information governance, digital forensics, and data acquisition best practices. He also provides consulting and advisory services to the CDS forensic services team and direct support to clients with project scoping on information governance and forensics related projects. In his 25 plus years' experience working in information systems, digital forensics, and eDiscovery services, Brad has performed over 2,800 targeted data collections and forensic imaging acquisitions for cyber investigation, discovery response, and regulatory response engagements. These engagements include forensic data acquisition and data analysis for all types of digital storage including PC and Mac laptops and desktops, servers and enterprise application sources, structured databases, cloud data sources, social media sources, and mobile devices and mobile device applications sources.