[Exclusive] Conducting Effective Internal Investigations and Procuring Evidence in India

In the wake of recent corporate scandals and the enactment of tougher corporate accountability standards, internal investigations have emerged as an important element of good corporate governance. Internal investigations may be triggered for a variety of reasons, including inter alia, allegations around corporate fraud, bribery, kickbacks or other misconduct and ethical lapses. By way of this article, the authors aim to discuss the key concerns that must be borne in mind while initiating and conducting an internal investigation, with special emphasis on maintaining the credibility of evidence collected during the course of the investigation.  

One of the first priorities of an investigating counsel is to establish the identity of the client. Ordinarily, it is recommended that the investigation be controlled by the company’s Board of Directors or a standing committee of the board (such as the audit committee or a special committee formed to assume responsibility of the investigation) as they would more likely be viewed as impartial. Once this has been established, the next concern would be to identify an effective investigation team. While there exist certain apparent advantages of relying upon in-house counsels to undertake the investigation (in terms of costs involved and the familiarity with the company’s business and operations), there exist more compelling reasons to retain outside counsel. Firstly, retaining an outside counsel provides a greater assurance that the investigation would be viewed as objective and independent. Secondly, given the ambiguous jurisprudence that exists in India, an outside counsel would generally have an easier task in establishing attorney-client privilege over documents and data created in the course of the investigation.  

Once the investigation team is identified, obtaining data of relevant custodians is the next natural step of any investigation. The importance of a document hold notice cannot be overemphasized here in ensuring that relevant data is preserved. A document hold notice should be immediately rolled out to the company’s relevant employees informing them of the investigation and specifically requiring that they do not destroy or erase any data potentially relevant to the subject matter of the investigation. Further, all automated data destruction or deletion processes should be suspended during the investigation. A legal point of contact should also be ideally identified, so as to ensure that any questions that employees may have are appropriately answered and panic is minimised. 

Once the document preservation notice has been served, the investigating counsel may proceed with the collection of all electronic and physical data in the possession of the relevant employees, so as to process the same using forensic tools and undertake a formal review. The manner of collection of such data and its handling at this stage becomes extremely important and the company needs to exercise extreme caution while processing such data. Specifically, The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the Data Protection Rules) framed under the Information Technology Act, 2000 (the IT Act) prescribe that reasonable security practices and procedures must be adopted by companies while handling personal information and sensitive personal data during an internal investigation.. An important constituent of such security procedures would be to formally document the chain of custody. The chain of custody is a chronological paper trail that documents who collected, handled or otherwise controlled evidence during an investigation. Having a clear and well-documented chain of custody in place is crucial in upholding the sanctity of the evidence collected. Furthermore, it is equally crucial to obtain a consent form from each custodian evidencing their knowledge of and consent to the data collection process. It is pertinent to note that section 43A of the IT Act specifically penalises companies for negligence in implementing and maintaining reasonable security practices and procedures in relation to sensitive personal data or information. Accordingly, if a company is negligent in implementing and maintaining reasonable security practices and thereby causes wrongful loss or wrongful gain to any person, it shall be liable to pay damages by way of compensation to the person so affected. Furthermore, section 72A of the IT Act provides that if a company discloses personal information in breach of a lawful contract, or without obtaining the information provider’s consent, it may be punished with imprisonment for a term which may extend to three years, or with fine which may extend to five lakh rupees, or with both.  

As highlighted above, a significant concern while collecting and handling electronic data is to preserve its authenticity and credibility, in compliance with the local law requirements to ensure its admissibility in a court of law. This becomes increasingly relevant in cases where future litigation is anticipated. A three-judge bench of the Supreme Court of India has recently, in Arjun Panditrao Khotkar vs. Kailash Kushanrao Gorantyal & Ors4 clarified and elaborated the law on admissibility of electronic evidence in judicial proceedings. The Court held that Anvar P.V. v. P.K. Basheer & Ors.5 continues to be the correct position of law and noted that the provisions of section 65A and section 65B of the Indian Evidence Act, 1872 (the Evidence Act) provide a complete code for proof of electronic records. Specifically, it was noted that a certificate under section 65(B)(4) is condition precedent to the admissibility of secondary evidence of contents of an electronic record, and oral evidence in place of such a certificate does not suffice. Therefore, the investigating counsel must ensure that a certificate in compliance with the requirements of the Evidence Act is appropriately documented.  

Furthermore, as noted above, obtaining consent from custodians while collecting data or information (including information collected during in-person interviews) is important for protecting the information from being challenged in future. However, it might be interesting to note the view taken by Indian courts regarding evidence collected via illegal or improper means; more popularly known as the ‘doctrine of fruits of a poisonous tree’6. Notably, courts in India have time and again held that if a certain piece of information is relevant, has strong probative value and is admissible as under the Evidence Act, it will be taken into cognizance, irrespective of how it was obtained (i.e. the ends justify the means). In R. M. Malkani v. State of Maharashtra7, the police had fixed a tape-recording instrument to a telephone without the consent of all parties and it was subsequently contended that the tape-recorded conversation had been procured through illegal means. In this background, it was held that even if the evidence is illegally obtained, it is admissible. Moreover, recently the Delhi High Court in Deepti Kaur v Kunal Jhulka8 held that the right to privacy must yield to the right to a fair trial. In other words, it was noted that the right to privacy is not an absolute right (as opposed to the strict interpretation given to the right of privacy under the 4th Amendment in the United States of America) and that while the right to privacy is essentially a personal right, the right to a fair trial has wider ramifications and impacts public justice, which is a larger cause. Therefore, it was unequivocally opined that evidence collected in breach of the fundamental right would not make evidence inadmissible in the court of law. 

While it is clear that currently, the doctrine of fruits of a poisonous tree has no parallels in India, it is recommended that, in line with good corporate governance and best industry practices, evidence (in the form of electronic or physical data, verbal testimony etc.) should be obtained by legitimate and legal means. The consequentialist theory adopted by the Indian courts is not free from scepticism. In fact, it may be relevant to note that the 94th Law Commission Report suggested the incorporation of section 166-A in Chapter 10 of the Evidence Act which expressly provided courts with the discretion to exclude illegally obtained evidence. This further emphasises on the need for intervention by the legislature and/or the judiciary to disincentivise illegal investigations and protect due process.  

Concluding remarks  

While there can be no ‘one size fits all’ approach towards conducting internal investigations, there are certain common concerns that must be borne in mind to ensure that the investigation is viewed as credible, independent, objective, and fair. A key concern while conducting internal investigations is to ensure compliance with local law requirements including data protection requirements and evidentiary requirements, especially in cases where future litigation is anticipated. The investigating counsel must hence ensure that the requisite precautions are taken while undertaking an investigation, in order to adequately safeguard the interests of clients.  

Note: The article has been authored by Kunal Gupta, Partner, Trilegal with inputs from Tanuj Sharma, Senior Manager, Trilegal and Pankhuri Bhatnagar, Associate, Trilegal