Editor’s Note: White-collar investigations can send shockwaves through an organization, demanding swift, strategic, and legally sound responses. In a recent HaystackID® webcast, experts broke down the complexities of high-stakes investigations. From handling cross-border legal challenges to leveraging AI-driven forensics, their discussion focused on why an independent, well-structured approach is essential. With corporate reputation and regulatory compliance on the line, companies must balance urgency with precision. Ensuring credibility, verifying data authenticity, and mitigating cybersecurity risks are all critical steps in managing potential crises. Read the transcript to learn how your organization can deploy a proactive approach to handle these high-stakes investigations.
Host
Bryan Bellack
Executive Vice President, HaystackID
Expert Panelists
Anna Domyancic
Deputy Chief Legal Officer, US, Scotiabank
Christopher Wall [Moderator]
DPO and Special Counsel for Global Privacy and Forensics, HaystackID
John Wilson, ACE, AME, CBE
Chief Information Security Officer and President of Forensics, HaystackID
[Webcast Transcript] Discovering Data Quickly in High-Stakes White-Collar Investigations
By HaystackID Staff
Imagine this: A shipping clerk in Brazil hits send on an explosive company-wide email alleging fraud at the highest levels of management. Within moments, legal, compliance, and executive teams scramble to assess the situation. Is the claim legitimate? Is the email even real? The stakes are immense—corporate reputation, regulatory scrutiny, and potential legal action hang in the balance. Every decision in the next few hours could shape the company’s future.
This hypothetical scenario was explored during a recent HaystackID webcast, “Discovering Data Quickly in High-Stakes White-Collar Investigations.” Expert panelists broke down what it takes to handle an international white-collar investigation, from the initial crisis response to the intricate details of cross-border legal compliance. The first step? Ensuring an independent and credible investigation. The usual crisis response teams may have conflicts of interest when senior executives are implicated. The panelists emphasized that companies must consider forming an independent committee, engaging external counsel, and leveraging forensic specialists to maintain integrity. The investigation must be airtight—companies should document every decision and carefully handle every piece of evidence, especially when maneuvering regulations like Brazil’s notary requirements or Germany’s worker council policies.
Beyond legal and regulatory hurdles, there is the cybersecurity aspect—was the email even authentic? During the informative program, the panelists stressed that verifying its origins is just as crucial as investigating the allegations. If an employee denies sending it, forensic teams must track access logs, audit trails, and authentication records to determine if the account was compromised. Meanwhile, AI-driven analytics and advanced forensic tools can streamline data review, uncover hidden connections, and expose bad actors. Investigations like these require more than a reactive approach; they demand a well-orchestrated strategy combining legal expertise, cybersecurity diligence, and precise communication. In high-stakes corporate investigations, one misstep can mean the difference between swift resolution and a full-blown crisis.
Watch the recording and read the transcript below to learn more about strategies for handling these types of investigations.
Transcript
Moderator
Hello everyone, and welcome to today’s webinar. We have a great session lined up for you today. Before we get started, there are just a few general housekeeping points to cover. First and foremost, please use the online question tool to post any questions you have, and we will share them with our speakers. Second, if you experience any technical difficulties today, please use the same question tool, and a member of our admin team will be on hand to support you. And finally, just to note, this session is being recorded, and we’ll be sharing a copy of the recording with you via email in the coming days. So, without further ado, I’d like to hand it over to our speakers to get us started.
Bryan Bellack
Hi, everyone, and welcome to another HaystackID webcast. I’m Bryan Bellack, EVP of Business Development for HaystackID. I’m also your host for today’s presentation and discussion, “Discovering Data Quickly in High-Stakes White-Collar Investigations.” This webcast is part of HaystackID’s ongoing educational series designed to help you stay ahead of the curve in achieving your cybersecurity, information governance, and eDiscovery objectives. We are recording today’s webcast for future on-demand viewing, and we’ll make the recording and a complete presentation transcript available on the HaystackID website. Now, today, we will take you behind the scenes with our panelists as they are confronted with a puzzle. A security incident has occurred at a major multinational organization and has raised fears of a data breach and potential fraud at the company. Our panelists will walk us through their process as they respond with insights into strategy, data collection, regulatory requirements, and new techniques for using analytics and AI to get through data quickly. With that, allow me to introduce our esteemed panelists so we can get started. This webcast’s expert moderator is Chris Wall. Chris serves as HaystackID’s Data Protection Officer and Special Counsel for Global Privacy and Forensics. In his role as Special Counsel, Chris helps clients navigate the cross-border privacy and data protection landscape, advising clients on privacy, security, and data protection issues associated with cyber investigations, data analytics, and discovery. Next, we have Anna Domyancic, the Deputy Chief Legal Officer for Scotiabank, where she oversees litigation, internal and regulatory investigations and employment matters, as well as cyber commercial contracts and legal operations. 
Prior to joining Scotiabank, Anna was a member of Debevoise & Plimpton’s white-collar litigation group, where she worked on internal investigations and enforcement matters brought by DOJ, SEC, FTC, state attorneys general, and other regulators. Last but not least, we have John Wilson, HaystackID’s CISO and President of Forensics. John is a highly motivated leader with over 20 years of experience in the information security and risk management field. John serves as an expert witness in major litigation and regulatory settings, providing expertise on matters relating to digital forensics and eDiscovery. He has conducted dozens of investigations on behalf of law firms, companies, and government agencies such as the FDIC, Senate oversight committees, the SEC, and DOJ. So now, I will turn things over to our moderator, Chris Wall, to get us started.
Christopher Wall
Hey. Thanks, Bryan. And as Bryan said, my name is Chris Wall. I’m DPO, In-House Counsel, and Chair of HaystackID’s Privacy Advisory Practice. My day job is guiding clients through cross-border issues associated with cyber investigations, data analytics, and discovery. But more immediately, my job today is to help guide us through this discussion with four fantastic panelists to talk about minimizing the risk associated with cross-border investigations and cross-border white-collar enforcement. So, as Bryan mentioned, our goal in spending this next hour is to arm you with actionable information and to share relevant experience from these panelists to help you in your own practice, whether you’re in-house or outside counsel or if you’re providing third-party assistance as part of a white-collar investigation and litigation team. So before we begin, I’m going to add what has now become really a standard disclosure by saying that our panelists today are speaking on their own behalf. Their comments or any views that they express may or may not reflect the views or the positions of their respective employers or the organizations that they work for. And as we get started, and as a housekeeping matter, I want to mention a few things. First, this webinar is for you. It’s to help you make the best use of the hour you spend with us. And so we want your input. We’re a big crowd; it looks like we’re about 200 registrants, but we want to make this next hour or so as practically beneficial as possible. So we’ll watch the chat box, and if you have a question, please drop it into the chat feature, and we’ll try to address the questions as we go. And so with that, let’s jump in, starting with the hypothetical.
As Bryan mentioned, our discussion today starts with this scenario, a scenario ripped from the pages of a law school exam with gotchas, wrinkles, and all kinds of considerations that I think if they were, in fact, all rolled up into one real case, it’d bring all hands on deck and probably a lot of legal, technical, and executive resources to bear. And in this hypothetical, which is actually drawn from real-life investigations just all mixed together, we have an international company with a shipping clerk in Brazil who has apparently blasted an email worldwide. That email purports to blow the whistle on alleged fraud at the highest levels of management in offices worldwide. So we take a deep breath and ask ourselves, “Where do we start? Who is we? Where do we start?” I mean, we all got the email. Maybe we start with the who. Who do we get involved with? And I’ll start with you, Anna, and then we’ll go around, where do we want to start with this?
Anna Domyancic
Sure. This one raises a lot of questions and immediate concerns, and we’d be looking at initially engaging our internal crisis management group, whatever that may be. This might include your legal comms, cyber, and compliance. Obviously, your senior management and those decision-makers need to start to get your arms around what this is, whether it is real, and then what you do about it in terms of the various investigation channels and work streams.
Anna Domyancic
Oh, sure. If I could just add there, too, when we’re thinking about the allegations around senior management, we should also be looking at whether we need to inform one of the boards or several boards, depending on how this organization is structured. Then, should it be an independent committee of that board that’s really starting to engage external counsel and run that investigation to allow for further separation in terms of independence?
John Wilson
Yeah. So I think they’re right that you have to start that crisis management and that incident response internally. And then you have to start, first, on how we can get to a quick action of, “Hey, let’s validate. Did this email come from the individual in the organization, or was it an external threat that caused it?” Look at the possibilities around that because you have to figure out the legitimacy first. Is this the individual who actually sent it, or is this someone else who sent it using this person’s account? And often, we have clients that, “Oh, yeah, well, if we don’t think it was the shipping clerk that sent it, it’s an external threat,” but it’s not always; you have to look at internal threats. It could be somebody else, a manager of that person, who got into that account. It can still be an internal threat, so you still have to validate everything around that investigation. You really have to start with the questioning and the foundation of, “What can I validate about this? The statements that were made. Was this sent from an individual inside the company? Did we have an external threat that got into the system and compromised this individual and sent it, or was it another employee or another internal threat that did it?” And lastly, I think the big thing is sometimes you do have to get involved with the board, and you’ve got to start thinking, “Do I need to have a third party doing this investigation and not just the internal investigation?” You do have to start with some of that validation. You have to, again, raise your crisis management incident response process within the organization to figure out what might be at play. But many times, our recommendation is, “Hey, you need to engage a third party right away also, as soon as you have the foundation to believe that this is-
Christopher Wall
Just for the sake of independence, right?
John Wilson
Right. Just for the sake of independence. Because, again, if it is a high level like this, it says that it involves the high-level management and executives in the organization who are usually the people that are sitting on the crisis management and the incident response thing, so you do have to get that board involvement, get that third party involvement so that you have that independent assessment as well to validate those findings.
Christopher Wall
So, Anna, I’m going to ask you about one more area in this investigation. Do you see human resources brought in, if for no other reason than to protect that whistleblower, if he is a whistleblower?
Anna Domyancic
Yes. From our fact pattern, HR also got the email in the blast. But yes, you would still want to treat that individual as a whistleblower and, therefore, afford them all those sorts of protections that they should be afforded. You would also want to ensure everyone is aware of that and what’s happening.
Christopher Wall
So, I think we discussed the really broad initial steps. The investigation team needs to consider that early defense strategy; you must get that team together. John, you mainly talked about preserving and analyzing what evidence you’ve got and then doing the actual investigation. So, how do we develop that defensible strategy for conducting that investigation without knowing what direction the investigation might go? We could talk about each of those steps we have on the screen in a little more detail, and we could do it by role within the organization. So, if we start with the GC, let’s discuss how developing that strategy would work. And so, Anna, I’m going to stick with you here for a second.
Anna Domyancic
Yeah.
Christopher Wall
Is that strategy development done in a vacuum? Do you have a playbook? How exactly should the general counsel’s office arrive at that defensible strategy?
Anna Domyancic
I’ve seen it internally, as well as working with a lot of other clients. A lot of that is, to the extent you have a playbook, you need it to be flexible and able to fit the different circumstances, especially with something complicated. So you are looking at those basic steps in terms of making sure you have the right team in place like we were talking about, making sure you’re starting to think about the issues that might arise and the information that you’re looking at preserving, who are your key contacts and key groups that you need to get probably potentially on the ground to start talking to here.
Christopher Wall
And presumably, very early on, you’ve reached out to your trusted outside counsel, right? Hopefully, early on.
Anna Domyancic
Yes. Yes, yes, yes. The other thing would be to consider whether you might need additional local counsel or other things in some of these jurisdictions, especially starting, I think, in Brazil with where the supposed whistleblower is coming from. There could be other sorts of labor and employment issues, too, that we would also need to be sensitive to here in dealing with the employees down there.
Christopher Wall
Yep. Yeah, I mentioned privilege before, too, and if this is in multiple jurisdictions, of course, the privilege doctrine isn’t necessarily the same outside of the US as in the US. And so, in your experience, do you typically paper these relationships with these third-party experts and outside counsel to preserve that privilege?
Anna Domyancic
Yes. Yes. The expectation would be to have external counsel hire those different forensic and other sorts of third-party investigators that we might need and also to look at whether those vendors would be vendors that otherwise might have relationships with the company and whether we want to think about, again, for this conflict of interest independence piece, using a vendor who doesn’t normally do work with this shipping company.
Christopher Wall
So, to round out that legal team, we need that bridge between the GC and the CISO, and we have a forensic specialist, especially in this particular situation. Right? And so, John, do you want to talk to us about the forensic specialist role here?
John Wilson
Yeah. Well, I mean, yeah, it’s certainly really critical to have that understanding. Brazil is a great example. In Brazil, if you introduce any evidence in court, you must have data collection and observation through a notary. It’s not a notary like you think of in the United States. It’s the particular legal process where somebody says, “Yes, this is valid evidence for court,” so you have to do that introduction through that notary process. And so a big part of this whole discussion really starts with what is the company’s experience with litigation investigations and those things, because that’s going to really drive how sophisticated you need to go with that outside counsel’s selection of third parties to accomplish these tasks because they can get really challenging. There are many things to think through just from the forensics perspective, just as how we properly consult in this jurisdiction to provide assistance because you have to understand that localized climate you have to deal with there. And maybe it’s five different climates because, again, we’re looking at an international incident. We have offices in Germany, where you have to deal with the workers’ council, and you have Brazil, where you have to deal with the notary process. There are all these different factors you have to contemplate and think about and figure out how they will interplay across that global span.
Christopher Wall
So that’s a lot of global expertise, and I will throw this to all three of you here. Who pulls all that together? Ultimately, somebody has to be responsible for keeping track of the various hurdles in conducting a cross-border investigation like that. To whom does that usually fall? I’ll lead off with Anna. Sorry.
Anna Domyancic
Yeah, I think for a lot of that, you need an experienced external counsel who is tracking all of that and has a pretty intensive project management style way almost, where you’re making sure you’re thinking through all of these different issues for each jurisdiction. They would be keeping the internal client aware and informed and whatnot, but they would need to be tracking all that stuff.
Christopher Wall
Yeah. John, any insight from the forensic specialist’s standpoint?
John Wilson
Yeah. I mean, yeah, I think you’re absolutely right, Anna. It usually is that outside counsel that’s got that field of expertise and understands the international implications of the investigation process. You have vendors with localized jurisdiction or a vendor third party with international experience and the depth of knowledge to go into 10 different markets and handle things. So it’s a bit of a challenge and usually solved case by case. So there’s not really a great rule of thumb: “Hey, do I get one vendor that can do all of these jurisdictions, or do I really need a localized vendor in each of these jurisdictions because there are specific requirements that drive that?” And I’d love to say, “Hey, you just go to the big vendor with that deep experience,” but that’s not always the right way.
Christopher Wall
No, I think it’s a team effort. And, look, I think all fingers are pointing towards outside counsel here. We have a good question about one of those considerations for bringing this data together to the extent that you can or want to. So we talked about moving data across borders and jurisdictional concerns, and I think I mentioned privacy concerns or data protection concerns for moving that data across borders. But you want to talk to us a little bit about moving that data across borders from a data protection standpoint. We know that if you’re bringing data out of Europe, for instance, the GDPR presents certain obligations on the data exporter, or the data controller anyway, from the data leaving the EU to another jurisdiction to make sure that adequate protections are placed on that data before it leaves and especially for where it’s going. Where does that consideration come in? It’s not just the EU, of course, that has its data transfer protocols that you need to meet before you make the transfer. There are over 100 different jurisdictions around the world that have varying, well, similar to one degree or another, restrictions on data transfers. Do you guys want to briefly discuss where that analysis comes in here?
John Wilson
Yeah. Well, there’s quite a bit here that you have to delve into. So, first, you have to validate whether this email is authentic. Did the individual send it, or did somebody else send it on their behalf, or was it an external threat that just mimicked them or compromised that individual and sent that email? And you also have to start looking at… So you’ve got that phase, that’s that internal incident response; you’ve got to validate the email itself. Then you have to start moving into, “Hey, this is a low-level shipping clerk who has made all these allegations about financial fraud, and how would you even know these things? What collaborators might be involved? Where do I start looking to figure out how this person could have information or potentially have evidence about all of this?” You have to start looking in that avenue as well. Are there collaborators, or is he getting the data source because he has too much access to some systems that he shouldn’t have access to? So, again, back to that investigation, that incident response. You got to start looking at the activities of that individual, what system they’re getting into, what things they’re accessing, who they’re talking to, so you can figure out that collaborator problem, and bringing all that together into that forensics evidence and starting to build that evidence picture that says, “Hey, yes, this was an authentic email from this individual. We’ve identified they’re talking to five different people. 
Here are the people on the tree who could have potential access to some evidence about these accusations,” or “Here are the systems that they accessed that could have information about these accusations.” You have to do that deep dive investigation to figure out, first of all, what you need to preserve, and then how do you preserve those systems technically, how do you go get them, how do you make evidence of it, how do you get that evidence preserved so that you can move the matter forward, provide that to the outside counsel or the board or to the organization via reports to say, “Hey, this is what we’ve discovered. We think it was not the individual we suspected, but somebody else sent it on their behalf. That person that sent it on their behalf has access to these areas, was getting access to this data that he shouldn’t have had access to,” or “Was dealing with these collaborators that were providing information that they shouldn’t have shared; they had an obligation not to share,” et cetera.
Christopher Wall
But it starts, I’m sure. Well, actually, it probably starts with your interview. Let’s say during that interview, the employee actually said he didn’t send the email, right? Anna, if he makes that statement up front, where do you go from there?
Anna Domyancic
I think, yeah, it’s a lot of those steps that John was talking about that you’re looking at, forensically, in the data, who could have accessed that, how did they send that email, how did they compile this information? And you’re trying to run through that forensic data, audit logs, access logs, and other things. You can already see the different work streams in which this investigation would expand into a lot of different areas and things that you’d want to look into as an organization even after you resolve these initial questions.
Christopher Wall
I imagine this takes a different tenor at that point, right? A different tone. Rather than just being in a potential whistleblower situation, you’re now looking at cyber response, right? Hopefully, your organization has a cyber response playbook or an incident response playbook that you can turn to and draw from. Do you have to turn to that cyber playbook in this context? Maybe you can talk to us about how you identified it and how that came about. And I know, John, you touched on this; perhaps this is a good place for you to jump in and talk about that, too.
John Wilson
Yeah. I mean, absolutely. Having that sound cyber or incident response plan allows you to take those quick actions and look toward the systems and processes your CISO or your security team has implemented within the organization so that you have historical logs. Because in this hypothetical, you say we’ve gone, and we’ve interviewed, the shipping clerk says, “Hey, I didn’t do it,” and now you’re doing that investigation, now you figure out, “Hey, maybe there’s a third party got in, that his account was compromised.” So you have to start with that investigation. You have to look at that compromise of that individual, how they got compromised, what got compromised, how they escalated into other areas of the organization, and what path that compromise has taken. You really have to follow those incident response plans and ensure that the organization has a well-defined incident response plan because these are not things you want to figure out in the heat of the moment. You’ve got to have that plan that says, “Hey, here’s where we have all of our authentication logs; they’re preserved, and we have them for 180 days,” or whatever your preservation requirements are in your organization, and building out that playbook and that logistical plan to say, “Hey, okay, now we have to go look at the authentication logs. We have to look at data stores. We have to look at email, messaging, and MFA platforms. Did the person get compromised with a man-in-the-middle attack?” You’ve got to have that whole roadmap pre-built and ready. And so I really advise having that, but that’s not the point of being here. That’s really what has to happen. 
You’ve got to sit there and look at where this is going to divide because, again, we have the scenario where the person says, “Hey, it wasn’t me.” We figure out that there was a compromise, and you have to start looking down that tree, or you have a situation where the person says, “It wasn’t me.” You find out that somebody else impersonated him or another person came and logged into his system because he left it, logged in, and sent the email from his account. And so you’ve got to be able to take those different tracks, and that’s where these investigations tend to just… That’s why there’s not a single “Hey, here’s the easy button,” I just push this button, and it figures it all out. All of these things run in really many tracks, and you’ve got to figure out, is this an individual-
Christopher Wall
Well, John, I thought the easy button was calling on our outside counsel, to say, “Here, just take care of this for me.” I thought that was the easy button.
Anna Domyancic
Yeah. Even if you interview the person and they say they didn’t send it and you start looking at that, that is separate from whether those allegations that were made in the email have validity. So that investigation would still need to continue while you’re also now dealing with this cyber circumstance and trying to run down all of those tracks as well.
John Wilson
Great point, and I’ll make it even more complicated because we had one of these in recent months where we went to the person who was the whistleblower, and that person said, “It wasn’t me,” the investigation proved it was them, but also turned up that there was an incident response, there was an external threat that had gotten into the system and was feeding bogus information to the individual. It just makes it so much more fun and complicated. It gets really insane when you start thinking about, “Now I’ve got a person that’s a whistleblower that says they weren’t the whistleblower, but they were the whistleblower, but then they were being fed false information because of a third party’s exploits to the system, adding to those deeper levels.” And you still have to have those investigations to say, “Hey, did the fraud occur or did the fraud not?”
Christopher Wall
Yeah, I think Anna mentioned that you do have to bifurcate this investigation. One is the technical potential IR incident, and the other is the actual fraud or the actual allegations themselves to see whether there’s anything there. Regardless of whether that blast was an actual whistleblower or an outside hack, one of the places the investigation will have to turn is the company’s data overall, right? Regardless. So often, I think we think about email when it comes to investigations like this. Still, statistically speaking, the volume of unstructured data like email is far outweighed, in most organizations anyway, by structured data or data that’s essentially stored in rows and columns in databases. That data can readily be mined for trends and patterns that often point to fraud, illegal activity, or things like that, which we usually call just big data. And so I’ve seen structured data put to really effective use in cartel investigations where publicly available data along with internal production pricing or capacity or other data are combined using tools like Spotfire or Tableau that allow you to tweak one data point or another to demonstrate the effects that such a change in pricing or capacity or whatever can illustrate trends in that data. And so you can put that structured data into all kinds of good use by visualizing it and demonstrating what’s going on with the business itself, not just what’s going on with the data, but with the business itself. I always say drawing a picture is always better than just telling enforcement about it. In a preventive vein, if we take that structured data, apply analytics to it, and apply it in as close to real-time as possible, we can often detect compliance issues or trends or patterns that indicate actual or potential compliance issues. When you use something like Relativity aiR, you effectively take unstructured data like email and put it into a structured form. And I think that’s a fantastic way to approach it. 
Anna or John, do you want to add anything here?
Anna Domyancic
No, I think the cost piece, especially as the requisite in-house person here, is always something. Especially in these white-collar investigations where there’s this fear of endless document review and all sorts of other horror stories, the use of AI, analytics, and other technologies to crunch through a lot of data quickly, efficiently, and in a cost-effective manner is extraordinarily valuable.
Christopher Wall
And, look, I’ll mention one… Go ahead, John. Go ahead, John.
John Wilson
I was just going to say I’ll even add on the forensics front that we’re doing things like using AI and analytics to figure out who the possible collaborators are. We’re starting to look through their communications. We’re using AI and analytics to say, “Hey, who are they possibly talking to? Where is the possible source of this data,” or various things around that. But using that intelligence to really help understand the who, what, when, where, and how of the data really helps us guide where we have to go in the investigation in a much faster timeframe than previously.
Christopher Wall
Yeah. In that same vein, I’ll mention our last bullet point in this slide. And because I’m the privacy guy, and because we had a great privacy or data protection question earlier, I’ll mention that AI is a fantastic tool that we’re using today to help identify personal information so that we can de-identify the document; we can take the PII out of these documents and reduce privacy risk or data protection risk before that data crosses borders, or even if you keep that data within a jurisdiction, you’re reducing that privacy risk by de-identifying it.
John Wilson
Yeah. Well, I’ll even add using it to get to the point where you can do entity recognition because now you’ve figured out that it was a third-party incident, and you have to do notifications and all those things. So, use it to identify things that are opposite to what you were just talking about.
Christopher Wall
Yeah. And again, I’m going to stick with privacy here, but anytime we talk about cross-border investigations, especially if it involves electronic data, we have to think about data protection. In this hypothetical scenario, if we need to bring data from Brazil, the EU, or other jurisdictions around the world, we have to make sure that we comply with data transfer rules under all data protection regulations in those jurisdictions. And, as I said, there are a lot of real risks in moving personal information from one jurisdiction to another, especially if that destination is the US. Again, there are well over 100 countries around the world with data protection laws in place. And a lot of those jurisdictions have restrictions on what data you can take from their country. Speaking of these different jurisdictions, data privacy and data protection regulations aren’t the only reasons you may not want your data being moved from one jurisdiction to another. We talked about this briefly earlier; simply moving that data to another jurisdiction may well subject that data to the jurisdiction of the destination country. Anna, John, anything you want to comment about on that brief point?
Anna Domyancic
Well, yeah, I think we’ve assumed that that email went out at some point in… Did it make its way to the government? Have any governmental authorities from these countries issued a subpoena or contacted the company or an inquiry? Or even if they haven’t, that has to be something the company and its counsel are all thinking about as a possibility. Then, I will think about all the follow-on implications of that. And, of course, if you’ve transferred all your data in a rush to the US or somewhere, you can’t unwind that clock once it’s here.
Christopher Wall
Yeah. So if we look at that little bottom purple icon on our slides, if we’re looking at potential enforcement actions by government agencies in multiple jurisdictions, we want to make sure that there’s seamless coordination among your global and local teams. Anna, John, what does that look like? How do you make sure that you have clear communications? How do you keep all of the teams apprised of how things are developing, and how do you collaborate with local enforcement authorities if necessary, while trying to maintain the investigation’s integrity?
Anna Domyancic
Yeah, I think that that makes sense, having that consistent information flow to the extent possible, though. Consistent information flow so that you’re being as accurate as possible and consistent when communicating across these regulators.
Christopher Wall
Anna, I’m curious about your perspective and how you like to be informed. If you’ve got essentially a global investigation here, how can outside counsel keep you apprised without burying you in the minutiae of this investigation? You want to be informed, obviously, of all the developments, but how do you prefer to be kept abreast, anyway?
Anna Domyancic
It can really depend. In something like this, I think we’re probably having a daily-ish call or something walking through at the end of the day, especially at the start to [talk about] where things are, where we’re moving, and what’s going on tomorrow. Internal counsel also has a lot of stakeholders that they’re updating and clamoring for information. So figuring out if these are calls or short written summaries that I can then take and provide to the different internal stakeholders I need to talk to can depend. There’s a ton of minutiae, especially as you start engaging all these other vendors, and it’s potentially an avalanche of emails and other things. So that is typically not a way that I like to be kept in the loop with my counsel, but these are more like, “Here’s what happened today. Here’s next on deck tomorrow,” and we can work through that and plan for it.
John Wilson
Yeah. So, for me, it’s usually regularly scheduled, whether daily, bi-weekly, or weekly conversations, because we’re talking about one of the things that get real interesting. So I sent an email saying, “Hey, we’re starting to investigate if there was a third-party breach activity related to this incident.” Well, if you send that in the email report to the client, a regulator will request all the emails, and they will see that. Then, all of a sudden, it’s taken out of context to say, “Hey, wait, now there was a third-party breach. Now there was an incident. It wasn’t just an insider whistleblower,” so you have to be very intentional in the discussions and the information-passing because you have to think that a lot of these emails, even though we work very hard to make sure that privilege is maintained, those things, messages can be taken out of context if you’re not framing them properly, stating them properly and clearly, and with the right confines. The communication of that information does become very critical, and having that regular cadence, like I said, generally for our team, we do them through conference calls or calls because we don’t want that information to be taken out of context. You have to think about all those things, but you also have to think about them, especially when discussing a third-party incident. But even when you don’t know if it’s a third-party incident, starting to monitor the dark web and looking at those things, engaging your providers that can provide that ability to look for mentions of the organization or mentions of the whistleblower or those activities or regulatory involvement and all those things. You’ve got to be monitoring the dark web, news media, social media, and all those different channels.
Christopher Wall
All right. Thanks, John. I know our audience joined because it’s an important topic, and they want to learn more. And I’ll just mention one more great resource for our listeners in addition to these fantastic panelists, of course, and that’s the Sedona International Investigations Principles. I spent several days last week with Sedona Working Group 6, discussing those principles that involve cross-border investigations and discovery, and I cannot recommend that white paper strongly enough. As we wrap up here, let’s leave our audience with a few final thoughts. And a question that I’ll put to each one of you, as our audience leaves the webinar and recognizes that they’re coming to us from a lot of different industries, what’s one thing that they can do today to prepare for fraud or other white-collar investigation? And I’ll start with John.
John Wilson
Yeah. From my perspective, it’s having that crisis management incident response plan in place and tested. So a lot of people go out and just build a plan, but they don’t actually test and validate, “Is this going to actually flow? Can I reach these people? Can they reach the things they need to reach?” So table-topping those incident plans, crisis plans, and media plans is really critical.
Christopher Wall
Proper preparation prevents poor performance. I appreciate that. Thank you, John. Anna?
Anna Domyancic
Yeah, that’s a good one, John. Knowing where all your data is, and especially as there are more and more data sources and different technologies that companies are constantly coming online, knowing where those are and how you’re going to get those if you ever needed them for an investigation, for litigation, et cetera.
Christopher Wall
Absolutely. All great tips. Thank you, all three. And with that, I’m going to pass it back to you, Bryan. And Bryan’s on mute there.
Bryan Bellack
Oh, apologies. Thank you very much, Chris. And thanks to everyone for joining us on today’s webcast. Our panelists covered a lot of ground, but I hope we demonstrated the complexities emerging more consistently on white-collar matters and investigations and the methods available to reduce the associated risks around discovery. You’ll see our contact information on the deck, and you can also reach me anytime at BBellack@HaystackID.com. We truly value your time and appreciate your interest in our educational series. Don’t miss our workshop with the EDRM next month on April 16th titled From Summation to AI Tokens, A Journey Through E-Discovery’s Most Transformative Shifts, where expert panelists will examine e-discovery’s past, present, and future, sharing how technology has reshaped workflows, what skills will be critical in the next phase, and how professionals can embrace what’s to come. Check also our website, HaystackID.com, to learn more about and register for this upcoming webcast and explore our extensive library of on-demand webcasts. Once again, thank you for attending, and we hope you have a wonderful day.
Moderator
Thank you all for joining us today. Special thanks to our speakers, Anna, Bryan, Chris, and John, for their time and efforts in preparing and delivering this session. As mentioned earlier, this session was recorded, and we’ll share a copy of the recording with you later today. Thank you once again, and enjoy the rest of your day.
Christopher Wall
Thanks.
Host
Bryan Bellack
Executive Vice President, HaystackID
In his role as the Executive Vice President of Business Development at HaystackID, Bryan Bellack is responsible for global sales and business development of HaystackID’s eDiscovery, Cyber Incident Response, White Collar and Investigations solutions. Before joining HaystackID, Bellack was a Managing Director in BDO’s Consulting practice where he led sales for their Forensic Technology Division. Bellack earned his B.A. from the University of Michigan, his law degree from the Maurice A. Deane School of Law at Hofstra University and is licensed to practice law in New York State. In addition, Bryan serves as an Advisory Board Member to Guardrail Technologies, an AI Risk Management Platform. Bellack has also attained the following certifications: Certified E-Discovery Specialist (CEDS) from ACEDS; Cybersecurity: Managing Risk in the Information Age from Harvard Online; and Data Analytics Foundations: Business Analytics from eCornell.
Expert Panelists
Anna Domyancic
Deputy Chief Legal Officer, US, Scotiabank
Anna Domyancic is the Deputy Chief Legal Officer, US for Scotiabank, where she oversees litigation, internal and regulatory investigations, and employment matters, as well as cyber, commercial contracts, and legal operations. Prior to joining Scotiabank, Anna was a member of Debevoise & Plimpton LLP’s white collar and litigation group with experience representing multinational companies and senior leaders in internal investigations and enforcement matters brought by DOJ, SEC, FTC, state attorneys general, and other regulators.
Christopher Wall (Moderator)
DPO and Special Counsel for Global Privacy and Forensics, HaystackID
Chris Wall is DPO and Special Counsel for Global Privacy and Forensics at HaystackID. In his Special Counsel role, Chris helps HaystackID clients navigate the cross-border privacy and data protection landscape and advises clients on technical privacy and data protection issues associated with cyber investigations, data analytics, and discovery. Chris began his legal career as an antitrust lawyer before leaving traditional legal practice to join the technology consulting ranks in 2002. Prior to joining HaystackID, Chris worked at several global consulting firms, where he led cross-border cybersecurity, forensic, structured data, and traditional discovery investigations.
John Wilson, ACE, AME, CBE
Chief Information Security Officer and President of Forensics, HaystackID
As Chief Information Security Officer and President of Forensics at HaystackID, John provides consulting and forensic services to help companies address various matters related to electronic discovery and computer forensics, including leading forensic investigations, cryptocurrency investigations, and ensuring proper preservation of evidence items and chain of custody. He regularly develops forensic workflows and processes for clients ranging from major financial institutions to governmental departments, including Fortune 500 companies and Am Law 100 law firms.
Assisted by GAI and LLM technologies.
SOURCE: HaystackID