The epidemiological emergency due to COVID-19 and the consequent adoption of social distancing measures by governments have severely affected the way businesses conduct their activities. Companies had to adapt their internal procedures quickly and shift many of their daily activities, such as execution of contracts, shareholders meetings, and approval of financial statements, to remote environments. Internal investigations also fell into this category. Indeed, one of the legal emergencies resulting from COVID-19 is a possible increase in crimes such as corruption that may require conducting a corporate internal investigation.
Under Italian law, corporate internal investigations are often carried out following the formalities for “defensive investigations” (i.e. indagini difensive) pursuant to the provisions set forth in sections 391 bis et seq. of the Italian Code of Criminal Procedure. Under this specific procedure, it is possible to ensure legal privilege over the investigation findings, as well as to use the statements made by the witnesses and collected by an appointed defense counsel within a potential criminal proceeding.
As to interviews, one requirement is to identify the party making the statement and to attribute to that same party the statements, which are then recorded in the “minutes of interview conducted by the defense counsel pursuant to section 391-bis of the Italian Code of Criminal Procedure.” The minutes are executed by means of wet ink signature by the party making the statement and subsequently authenticated by the defense counsel, acting as a public official.
In order to identify the witness, the defense counsel collects the identity details of the witness in person. This makes it possible to identify with a high degree of certainty the person making the statements, who, by executing the minutes through wet ink signature, confirms, accepts, and attributes to himself/herself the related content.
In the current emergency scenario, the question is whether and how witness interviews in internal investigations may be validly carried out remotely while ensuring that the party making the statement has been firmly identified without being physically present and that the statements can be attributed to that party. The emergency regulations set forth a generic framework for remote investigation by the Public Prosecutor, but nothing has been provided with respect to remote corporate internal investigations.
There are other issues involved as well. Companies need to be sure that they can rely on the evidence collected in the investigation process. Consequently, they need to find digital instruments that are capable of ensuring — to a high degree of confidence — the immutability of the results of internal investigations.
In this context, companies have two options. One is to rely on existing authentication methods that are currently used in other contexts, such as SPID (the Public Digital Identification System available in Italy), qualified electronic signatures, and video-identification. The other option is for businesses to consider investing in the implementation of new technologies that in the future may continue to replace the existing procedures even after the emergency is over.
Electronic identification through existing means: SPID, qualified electronic signatures, and video-identification
A first possibility for companies is to rely on existing remote identification means as regulated under relevant laws.
In this regard, the EU Regulation on electronic identification and trust services for electronic transactions in the internal market (Regulation No. 910/2014 — also known as the eIDAS Regulation) sets up a common framework for electronic identification services in the European Union, establishing common security standards and interoperability between the identification systems introduced by Member states. The rules contained in the eIDAS Regulation are completed at the local level under the provisions of the Digital Administration Code (Legislative Decree No. 82/2005 — commonly known as the CAD), concerning the process for individuals to authenticate themselves electronically.
Electronic identification is defined under the eIDAS Regulation as the process of using a set of data in electronic form to establish the identity of a natural or legal person. For electronic identification to be truly effective, the method must ensure a substantial degree of confidence that the person claiming a certain identity is, in fact, the person to whom that identity has been assigned.
In this context, the first option is that those carrying out an internal investigation rely on the Public Digital Identity System (SPID, as regulated by section 64 of the CAD). In a nutshell, SPID is a system providing individuals with a digital identity to be used to authenticate themselves to access online public services requiring their identification. Notably, subject to affiliation, private businesses may also rely on SPID to authenticate their clients. Therefore, a company carrying out a defensive investigation may conduct the interviews through digital platforms, where their employees would authenticate through their SPID. But SPID has additional uses in this context: employees may also use SPID to execute the minutes of an interview (if the electronic signature is formed in accordance with the guidelines on the electronic execution of documents pursuant to section 20 of the CAD, recently issued by the Italian Digital Agency). Notably, in a recent decision, the Italian Supreme Court established that an electronic signature based on SPID can be used in criminal proceedings (for instance, to file a criminal complaint) because it establishes the identity of the owner by law.
The second option is requiring employees to sign the minutes of the interview using a qualified electronic signature, i.e., a signature created by a qualified electronic signature creation device and based on a qualified certificate, issued by a trust service provider subject to the verification of the identity of the person using the signature (Article 24 of the eIDAS Regulation). In addition, under Italian law, the use of a qualified electronic signature creation device is presumed to be attributable to the signatory.
While systems and procedures based on SPID/qualified electronic signatures may be relatively straightforward to adopt and do not require significant investment from companies, there are specific limitations arising from those situations in which the interviewee (e.g., the employee or a company operator) does not possess either SPID or a qualified electronic signature. Additionally, SPID is available only to Italian citizens, which may lead to some complications in the case of cross-border investigations.
To overcome the limitations outlined above, companies may consider resorting to remote identification procedures that are normally used in different fields and that are recognized by the relevant authorities in those fields as reliable means of remote identification. For instance, in 2019 the Bank of Italy issued Provisions concerning customer verification for the purpose of anti-money laundering and anti-terrorist financing. Under these guidelines, the Bank of Italy also provided steps to be followed to set up an identification procedure through videoconferencing, such as recording the video conference, exhibiting the ID of the interviewed individual (in such a way that the picture and the data reported therein are clearly visible), etc.
A first look at the near future: the use of the blockchain as a secure means of identity management
While the above-described systems may serve as a first response to the emergency, companies may consider investing in blockchain systems to carry out internal investigations in a protected and secure electronic environment as a long-term solution. Indeed, although such solutions are still under scrutiny as to their compatibility with the Italian legal framework in this context, they appear to be promising.
To put it simply, blockchain is a form of distributed ledger technology where details of transactions are held in the ledger as blocks of information. A block of new information is attached to the chain of pre-existing blocks via a computerized process through which transactions are validated. The validation process is managed by a consensus mechanism through which the participants check that the transaction proposed is correct and, if consensus is reached, validate the blocks for them to be inserted in the blockchain. Once a block is validated, it is almost impossible for anyone to intervene in the blockchain. The blocks may contain any type of information, which is the reason why blockchain has a variety of practical applications (in addition to cryptocurrencies, for which blockchain was first invented).
For our purposes, the applications of blockchain in the legal field are extremely interesting. For instance, one of the applications of blockchain that is currently being studied by experts relates to digital forensics and in particular the so-called “chain of custody.” In this context, blockchain would guarantee the integrity of the evidence and, therefore, prevent its alteration or destruction. Some governments have also started to implement blockchain technology in their justice systems: the states of Vermont, Arizona, and Ohio in the United States have introduced specific regulations for accepting the use of blockchain records in court when accompanied by an electronic signature; China’s Supreme People’s Court adopted blockchain technology for the storage and authentication of digital evidence during the processing of legal disputes; the head of digital architecture and cybersecurity at the UK Ministry of Justice announced a pilot program that will introduce a blockchain evidence system.
In keeping with the above examples, companies may consider implementing private blockchains (meaning that the participants in the blockchain are overseen by the owner of the blockchain) where investigations can be conducted. Through these systems, companies may unequivocally identify their employees at an initial stage (for instance, when the hiring process is completed) and provide them with unique tokens that allow them to participate in the blockchain controlled by the company. This could allow employees to be identified in the context of internal procedures or decision chains within the organization. In addition, an investigation could be conducted in this protected environment with the advantages of the blockchain, such as the immutability of the information registered therein, the possibility to trace every step of the investigation, and the resistance to hacking attacks. Since the implementation of such systems may require significant investments of time, economic resources, and know-how, companies may also consider turning to external consultants acting as technological partners.
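The tamper-evidence property described above can be illustrated with a minimal hash-chained record of investigation steps. This is an added example, not part of the original article or of any real system: it is a single-writer hash chain with no consensus mechanism, and the actor names, actions and document contents are constructed. It also shows why, in a ledger controlled by one owner, the latest hash should be held by an independent party.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first entry

def _digest(body):
    # Canonical JSON so the same entry always hashes to the same value.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_entry(ledger, actor, action, document):
    """Record one investigation step; only the document's hash is stored."""
    body = {"index": len(ledger), "actor": actor, "action": action,
            "doc_sha256": hashlib.sha256(document).hexdigest(),
            "prev_hash": ledger[-1]["entry_hash"] if ledger else GENESIS}
    ledger.append(dict(body, entry_hash=_digest(body)))

def verify(ledger, anchored_head=None):
    """Return -1 if intact, else the index of the first bad entry.
    len(ledger) means the chain is self-consistent but its head differs
    from the hash an independent party recorded (rewrite or truncation)."""
    prev = GENESIS
    for i, entry in enumerate(ledger):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if (entry["index"] != i or entry["prev_hash"] != prev
                or _digest(body) != entry["entry_hash"]):
            return i
        prev = entry["entry_hash"]
    if anchored_head is not None and prev != anchored_head:
        return len(ledger)
    return -1

def demo():
    ledger = []
    append_entry(ledger, "defense-counsel", "witness identified", b"ID check record")
    append_entry(ledger, "employee-token-17", "minutes signed", b"minutes v1")
    head = ledger[-1]["entry_hash"]  # assumed to be kept by an independent party

    # Case 1: someone edits the stored hash of the minutes in place.
    edited = [dict(e) for e in ledger]
    edited[1]["doc_sha256"] = hashlib.sha256(b"minutes v2").hexdigest()

    # Case 2: the ledger owner rebuilds the whole chain around altered minutes.
    rebuilt = []
    append_entry(rebuilt, "defense-counsel", "witness identified", b"ID check record")
    append_entry(rebuilt, "employee-token-17", "minutes signed", b"minutes v2")

    return (verify(ledger, head), verify(edited, head),
            verify(rebuilt), verify(rebuilt, head))

if __name__ == "__main__":
    print(demo())
```

The rebuilt chain passes verification on its own and is only caught by comparison with the independently held head hash, which is the role that replication among participants plays in a real blockchain.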
In conclusion, the pandemic and consequent social distancing measures will have an impact for longer than we initially predicted, and we can expect a growing need to carry out almost all types of activities remotely. Companies should use this period as an opportunity to update their internal processes and — why not? — invest in new technologies that can ensure leaner and safer internal management.