Navigating Privacy Laws While Conducting Internal Investigations
How management can shoot straight without shooting itself in the foot
We’ve all seen movies or TV shows where the lead cop is hot on the trail of a dangerous suspect. The clock is ticking down to certain disasters—the execution of a hostage, the detonation of a dirty bomb, etc.—and our guy is the only officer on the right track. But! He’s about to lose his badge because his superiors don’t like his methods. He’s got to rein himself in before he gives the department a black eye. The audience knows that if our guy plays nice, terrible things might happen. So, we root for him to toss the rule book out the window and do what’s necessary to save the day. Those of us munching the popcorn don’t really care how far our hero strays off the straight and narrow; the vanquishing of the villain will justify his means. But that’s not the way it goes in real life.
In reality, if you are conducting an internal investigation for an organization, you could get into deeper trouble for your processes than the target gets for his crimes. As a society, we sometimes are more concerned about constraining authorities who might threaten our freedoms than we are about thieves making off with company inventory. Because of that order of priorities, the good guys must always behave as such, and we’ve promulgated all sorts of regulations to ensure they do.
The patchwork landscape of U.S. privacy law
In the United States, the right to privacy is enshrined in our Bill of Rights, which constrains the government against illegal searches and seizures. Congress and state legislatures have also enacted privacy laws to deter private actors from the types of encroachments which have become far too common given the power dynamic between corporations and workers/consumers and far too easy with today’s technology. Though federal privacy laws apply everywhere, regulations at the state level can be inconsistent. Thus, rather than navigating a single, comprehensive privacy law, such as the GDPR in Europe, American companies face a patchwork of privacy regulations.
Here are a few of the key regulations that U.S. companies must observe:
- The Federal Wiretap Act — This prohibits the interception of wire, oral, or electronic communications unless one of the parties to the communication consents. State recording or wiretapping regulations also exist and should be considered as well.
- Health Insurance Portability and Accountability Act (HIPAA) — Protects the privacy of health-related information and applies to healthcare entities and their business associates.
- Fair Credit Reporting Act (FCRA) — Regulates the use of consumer credit information.
- California Consumer Privacy Act (CCPA) — One of the most significant state-level privacy laws, it gives California residents more control over their personal information and conveys specific rights regarding the personal information of residents including employees and applicants. Since the CCPA was enacted, many additional states have enacted similar state privacy laws.
State employee privacy protection laws vary, so business leaders must be well versed in the terms that apply to their home state and all states in which their company does business.
Privacy concerns during internal investigations
Private companies have a right and a duty to conduct investigations into employee misconduct, fraud, policy violations, or other matters. But they must operate within the boundaries of the law or expose themselves to liability, which could be more damaging than the problem that prompted the investigation in the first place. During an internal investigation, a company might need to access employee communications, devices, or other personal data to determine the facts of the matter.
Here are a few examples of how privacy laws can restrict the ways a company may obtain and handle the information they cover:
- Electronic communications — If a company seeks to access employees’ email, chat logs, or other communications as part of an investigation, it must ensure that it is following laws governing the interception of electronic communications. Consent to monitoring may be required, and many organizations provide employees with clear notice that their communications may be monitored.
- Employee monitoring — Employers can monitor employee activities (e.g., emails, internet usage, phone calls) in certain circumstances, but must do so within the boundaries of federal and state privacy laws. Many states have “two-party consent” laws, which require both parties to a conversation to consent to being recorded, and this can extend to workplace communications.
- Confidentiality and data security — During internal investigations, sensitive employee data, such as personal identifiers, financial information, or health records, may need to be reviewed. Employers need to ensure that they handle this information in compliance with all applicable privacy laws (e.g., HIPAA, CCPA) and that they protect it securely from unauthorized access.
- State consent laws — Companies conducting internal investigations in states that have strong privacy laws need to be particularly mindful of constraints. For example, in California, employees have specific rights regarding their personal data. Employers may need to obtain consent to gain access to certain types of personal information.
However, no regulatory regime should prevent a company from asserting its right to conduct a lawful investigation.
Striking the balance between aggressive investigation and regulatory compliance
Organizations must not be timid about performing their duty to investigate wrongdoing, but must fulfill their equally important duty to conduct internal investigations according to law. This balance requires affirmative steps to create a culture of ethics and compliance, in which the following elements come into play:
- Clear policies — Employers should have clear internal policies on employee privacy and monitoring. These policies should outline the scope of acceptable use for company-provided devices and communications tools and should clearly inform employees about any monitoring that may occur.
- Consent — Whenever possible, obtaining consent from employees can help mitigate privacy concerns. For example, employers might require employees to sign agreements acknowledging that the company might monitor their communications or devices as part of its investigative process.
- Data minimization and necessity — This principle dictates that employers should only collect the data necessary for the investigation and avoid unnecessary or excessive data collection. Employers must limit the scope of their investigation to only information directly relevant to the investigation.
- Protection of sensitive information — Employers must be especially protective of sensitive personal information uncovered during an investigation, including healthcare related information, private facts, or privileged communications (e.g., attorney-client privilege).
- Use of external investigators — To avoid conflicts of interest or concerns over confidentiality, organizations might hire outside specialists, such as forensic investigators or law firms. These professionals are often better trained and equipped to navigate privacy and regulatory requirements while conducting investigations.
Business leadership can serve their organizations well by establishing expectations for workers to conduct themselves ethically while employed and for managers to respect privacy rights, even when observance of those rights might seem inconvenient.
Beware the ricochet! Or, When the hunter becomes the hunted
Internal investigations can take an ominous turn when their methods appear to violate privacy protections. You might get a call from an enforcement agency, such as the Federal Trade Commission, which oversees certain privacy protections relative to consumer and employee data. The Department of Labor might also become involved if your methods seem to violate workers’ rights. It’s also possible that your State Attorney General could step in if it looks like you’ve transgressed state privacy laws.
Therefore, it’s important for business leaders to operate within their range of competence. Experienced managers might be adept at traditional methods of investigation, such as conducting interviews and reviewing documents. However, they can get into trouble performing deeper dives. Digital forensics, which analyzes devices and network logs, can reveal relevant information. But this method requires extreme care to operate within privacy laws.
If an internal investigation runs afoul of privacy laws (e.g., improper surveillance, unauthorized disclosure or data breaches), the employer might be subject to intense regulatory scrutiny, resulting in fines and subsequent lawsuits.
Sometimes, knowing what you don’t know and being willing to admit your limitations can keep you and your organization safe. Hiring a reputable forensic investigation firm can ensure your methodology is above reproach.
