businessman using laptop standing working in modern office

What HR professionals need to know about conducting an internal investigation into employees’ digital activity

What HR professionals need to know about conducting an internal investigation into employees’ digital activity

4 Minute Read

HR professionals may need to work with digital forensic investigators to conduct internal investigations on employee digital activity. Before you begin your investigation, it is essential to ask yourself what you are trying to find out, the devices you must work with, and what time frames you suspect the theft took place to help investigators complete their work efficiently.

Additionally, digital forensic investigators recommend that you ensure you have the appropriate authority, check your organizational policies, determine compliance requirements, and review all relevant privacy laws and legislation before you begin your internal investigation. These considerations will help protect your findings during legal proceedings and ensure the success of your investigation.

Partner, National Leader – Digital Forensics

Many workplace investigations involve digital devices and may require HR professionals to work with digital forensic investigators to find evidence of harassment claims, fraud, or the misuse of company assets.

These types of investigations can be complex, and there are a few key considerations to keep in mind when working with a digital forensics team to review an employee’s digital activities. Our advisors have summarized the steps you can take to ensure the investigation meets the requirements of your organization and to help the process go smoothly.

How to guide your investigation

Digital forensic investigators ask clients four important questions before beginning an investigation to help complete the process efficiently. It is essential to keep these questions in mind to get the best results from an internal investigation:

What’s the story?

Digital forensic investigators want to be as efficient as possible — and knowledge about the bigger picture can help them provide guidance and suggestions. Share as much information as possible about the situation to help investigators meet your objectives.

Keeping the story in mind will also help you to determine what systems, devices, and data you need to access for your investigation and identify any potential roadblocks in your path. For example, you must have authorized access to every system you want to examine — and if you don’t have the necessary authorization, a court order may be required to gain access.

What are you trying to find out?

Determine the information you need to know to help digital forensic investigators narrow the focus of the investigation. You might be trying to find out if an employee accessed valuable files, why a breach attempt succeeded, or identify the employee who shared intellectual property (IP) assets with a competitor — and determining what you need will contribute to the success of a digital forensic investigation.

Include your legal counsel in this step as they can provide guidance and may need to use the findings of the investigation in court proceedings.

What have we got to work with?

Asking yourself this question will help digital forensic investigators identify the starting point for the examination — typically a system, a device such as a laptop or cellphone, cloud storage locations, or even internet-connected devices.

Identifying potential sources of information, the amount of data in scope, and who is involved will enable digital forensic investigators to simplify the approach and take the most direct route to obtain results. Are the systems and data sources owned by the organization or does the organization operate in a bring-your-own-device (BYOD) environment where systems and data sources are owned by the employee? This will be a significant factor to consider. 

What is the time frame of the investigation?

A timeline will help digital forensic investigators focus the examination to provide timely results for your organization. First, consider when the event or incident occurred and whether the investigation can be narrowed down to a point in time such as an hour, day, week, or month.

The next step is to determine when you need to receive the results of the investigation. For example, you may have a set court date, or your company may need to have measures in place before a compliance deadline. Informing your digital forensics team about your timelines can help prioritize investigative activities and ensure you receive the results you need on time.

What are the key considerations for an investigation?

Organizational policies, compliance requirements, and privacy laws will all influence your investigation into an employee’s digital activities and can have severe consequences if they are not followed appropriately.

HR professionals should keep these four considerations in mind before beginning an investigation:

Ensure you have authority to proceed

Ensure you have a formal written request signed by management before you begin your investigation. This request should outline the scope of the investigation and grant you the appropriate authority to proceed.

Again, consider involving your legal department from the outset, as the investigation may lead to legal proceedings where you will have to prove each step you took during the investigation and defend the integrity of your findings.

Check your policies

Review your organizational policies for any information related to activity monitoring or reviews. Next, take the steps to confirm employees — specifically those within the scope of your investigation — are aware of these policies, have completed training, and signed off on compliance.

Your company’s security department may have a list of employees who have completed awareness training. Additionally, you may already have a list of employees who have completed training and signed off on compliance within your HR records.

Determine compliance requirements

Review the regulatory standards or frameworks that apply to your industry or the jurisdictions where you operate. These will help you to determine the limitations on directly reviewing employee activity and whether your company’s compliance status may be at risk if you proceed with your investigation.

Discussions with your information security team may help to highlight any areas of concern. They can also provide feedback on whether aspects of your investigation are achievable and if the employee under investigation has access to any highly privileged data such as payment card numbers, personally identifiable information, or financial data.

It is essential to ensure your review does not compromise your company’s good standing. Consider what types of data the employee was authorized to access — if their authorization is above your own clearance level, you may need to call in someone with appropriate clearance in your organization to handle the data.

Check privacy laws and legislation

Your company may be subject to various privacy laws and legislations depending on location. For example, you may be asked to review the digital activity of an employee who is representing your business overseas. A country such as Germany has very strict guidelines to protect employee data contained on work systems. It is essential to check with your HR department, your compliance department, and your legal department before you begin an investigation to ensure compliance with all relevant laws and legislation.

Always keep in mind that any investigation on an employee’s digital activity may result in legal action and potential litigation. Document each step of your investigation and communicate your actions to stakeholders to ensure your testimony withstands any potential legal proceedings.

Digital Forensics

Let the evidence tell the story: MNP’s Digital Forensics team will preserve, analyze, and report on digital evidence to standards required for criminal or civil proceedings.

Take the next steps

Following each of these steps will ensure the integrity of your internal investigation and help digital forensic investigators complete their examination efficiently.

If you need more information about the guidelines you should follow when conducting an internal investigation, contact Ryan Duquette, National Leader, Digital Forensics at [email protected] or 289.695.4395. We can help you understand the requirements of your investigation and preserve, analyze, and report on digital evidence to meet the standards required for legal proceedings.


  • Agility

    June 20, 2024

    Why your credit union can’t afford to ignore scenario planning

    In today’s era of business, credit unions need scenario planning to anticipate and respond to future risks and opportunities.

  • Confidence

    June 20, 2024

    Three tips to keep your business insurance effective

    Avoid the pitfalls of inadequate business insurance with these three essential tips.

  • Progress

    June 19, 2024

    How the current market impacts the value of your energy business

    How do shifts in the energy sector impact the value of your business? A valuation can help you understand what your company is worth in a volatile market.