The daunting experience of dawn raids
Daniel Kavan, manager of electronic disclosure consultancy, Kroll Ontrack, advises businesses on what to do in the event of a data investigation.
Imagine a group of investigators come knocking on your office door demanding to have access to your files. This is what’s called a ‘dawn raid’. If you are unprepared and unfamiliar with the practice, this can be a daunting experience.
How to prepare for a potential dawn raid?
The key to preparing for a dawn raid is to make sure that you know where your data is and that an inventory is available to enable investigators to navigate through your IT system. Conducting an internal audit to uncover potential breaches is a good idea. Remember that regulators can fine for poor access control, so ensure suitable encryption exists.
The final steps of the preparation should include creating dawn raid procedures, assigning a response team and getting it trained.
What to do during a raid?
When the investigators arrive, always get a lawyer to check and understand the warrant or search order. However, there may be nothing to stop the investigators from proceeding immediately.
Consider enlisting the help and advice of a forensic technology consultant to shadow the investigators. This will enable you to keep track of what data is being looked at, copied or taken away.
Get your IT people involved early in order to grant access to electronic data. Investigators might require internet access, LAN access and USB access to install and run their forensic imaging software.
Ensure all employees are aware of the company’s legal obligation. They should not turn off computers or delete data. Deleting data can leave a trace and lead to uncomfortable enquiries.
Negotiate – business continuity is important, so ask the investigators if it is necessary for whole computers to be seized or for servers to be taken offline.
Take copies of everything seized, copied or seen by investigators. This may or may not be possible during the course of the execution of the warrant, but as a rule investigators are obliged to provide a list of seized items.
It is important to take copious notes of what they are searching for and on which machines.
Finally, check that the investigators have taken adequate steps in securing the data to ensure protection and data integrity. Are they taking documents outside the scope of the investigation? Are they using suitable software, tamper-proof evidence bags and maintaining chain of custody? Are they avoiding cross-contamination of data?
What happens after?
Technology can be used after the raid to help the company get on top of the facts fast and work out its potential exposure and legal strategy.
If sufficient notes are made during the course of the search, it will often be possible for a forensic company to reconstruct the searches. Consider an audit to determine whether preserving and analysing more data than the regulator did might strengthen your case.
Using Early Case Assessment technology, conduct an analysis of all the documents seized by the regulator plus any further documents identified. A litigation technology provider can provide a platform and consultancy on how to do this efficiently and cost-effectively. They will filter and prioritise documents for review using the latest technology to quickly prepare your response.
This was posted in Bdaily's Members' News section by Daniel Kavan.