Data protection risks and other ‘emerging threats’ to legal departments

Speaking on a recent episode of The Corporate Counsel Show, produced in partnership with FTI Consulting, she delved into internal investigations, case studies she’s seen and broader data, digital and regulatory risks for legal departments moving forward.

In her role at FTI Consulting, Faulkner works with a number of specialists: forensic accountants, former law enforcement investigators, data analysts, AI specialists and more, where they jump in at “critical points” of internal investigations or to help in-house teams prepare for litigation or regulatory change.

FTI Consulting also did a recent global study, which found that internal investigations were one of the top challenges for in-house teams and legal departments.

“One case study that stands out is when I was working for a not-for-profit organisation, and there were two executives that conspired to invoice around half a million dollars for procedural documents that didn’t exist. So, one external to the organisation was producing the invoices and the internal general manager was approving those payments and then transferring the money to the two accused and one of their girlfriends,” she said.

“The GC engaged me to come and undertake an investigation and forensic accounting exercise. And I found over 100 fraudulent invoices. I prepared an expert report detailing the evidence of the fraud and quantifying the amounts of money that were taken. Then the two were then charged, and civil recovery was pursued.

VIEW ALL

“I’ve also done a lot of work in this space with retail, telecommunications, and construction, where we commonly see allegations of corruption, misconduct and fraud, which can relate to accounting misstatement, employees stealing inventory, assets, scrap building materials, and false invoicing.”

When dealing with cases like these, Faulkner said investigations need a “comprehensive approach” to be able to gather enough evidence.

“We often collect and image electronic devices like computers, iPads, mobile phones. We might subpoena banks to get bank statements, and so we can trace the flow of funds. When money’s involved, we’ll gather CCTV footage, company policies, and accounting records, and then we supplement that with that open-source intelligence around, you know, who are the parties, what are their relationships, do they have directorships, what assets do they hold?” she said.

“And it’s also important to look at the controls, like what, what broke down? How did it happen? How did it not get picked up for a period of time? Because that’s important to reduce the risk of an incident happening again. But there are some common important factors like preserving that evidence. So, it’s court admissible. You don’t want to have your IT team just start fishing around to try and find evidence. It’s not the right way to do it.”

There’s also a growing number of internal investigations cases Faulkner has seen with AI and deepfakes, and those emerging technologies being used in “targeted corporate attacks”.

“With digital transformation across all sectors, it’s important to be aware of emerging threats to your business. So, last year, there was a case in Hong Kong where a multinational employee, he attended a video conference, and it appeared that the CFO of the organisation and several other members of staff were instructing him to process around US$25 million in payments.

“But [in] the multi-person video conference, everyone looked and sounded like people he knew in the office, but it was all fake. And the payments were then processed and the money lost. So, publicly available content and footage is increasingly being used in scams, accounts and loan applications,” she said.

“Some technologies really only need 30 minutes of content, or even as less [as] three seconds to be able to clone a voice, spoof a phone number. So, we’re seeing deepfakes being used more and more in those types of cases. So, lawyers should be really aware of that.”

These emerging technologies mean that legal departments and lawyers have to stay on top of a multitude of different scenarios – and Faulkner said that, in particular, data privacy has been a key concern.

“What we’re finding in some of our studies is privacy and sort of, that data protection is really high on the list for lawyers because increasingly, if you don’t protect your data, you could have this data lost out of breach cases and then the risk of litigation and class action risk exponentially increases.

“And I’ve seen that firsthand in an investigation where we found where there weren’t sufficient controls around data in transit and how you’re managing your data, then there was a lot of regulatory and reputational damage,” she said.

This has been especially prevalent in recent years as GCs become more concerned with regulatory compliance.

“Over the last three years, we’ve found that regulatory compliance is also sort of number one on the list for general counsel keeping them up at night. We’ve worked with sort of a number of different organisations to help prepare and also then remediate incidents, particularly in those regulated sectors,” Faulkner said.

“And part of that process is really to help lawyers understand how far back does an incident go? What’s the root cause? Is it still occurring? What products, channels and customers are impacted and what needs to be done to stop the issue and report to regulators, if that’s needed.”

To listen to the full episode with Natalie Faulkner, click here.

Lawyers Weekly will host the Partner Summit on Thursday, 12 June 2025, at The Star, Sydney, at which speakers will address the range of opportunities and challenges for partners and partner equivalents, provide tips on how they can better approach their practice and team management, and propel their businesses towards success. Click here to book your tickets – don’t miss out! For more information, including agenda and speakers, click here.