CEOs are most likely to bear personal and professional risk from their organisations’ lack of action on how electronic evidence is managed – despite the fact that they are rarely involved in developing or enforcing that policy.  That’s the major finding of a new independent study commissioned by Kroll Ontrack  that was released this morning (12th December).

The report finds that less than half of organisations (48% in the UK, 43% US) have a strategy or policy in place on how to deal with electronically stored information (ESI).  In the UK, a quarter of organisations (25%) said that their legal department has primary responsibility for developing policy, yet 39% said that their CEOs would face the consequences resulting from a breach of that policy. In the US, 41% of respondents said that their organisations give responsibility for developing that policy to the in-house legal department.  However a fifth of organisations (19%) said that the CEO would be held accountable if that policy resulted in government fines, court-imposed sanctions or damage to reputation. 

“These statistics are frightening yet not surprising. The explosion of electronic information and the onslaught of new rules, regulations and laws have made it incredibly difficult for companies and counsel to stay on top of everything,” said Kristin Nimsger, president, Kroll Ontrack. “The fact that there is no clear definition of who should be developing or enforcing the policies shows there is a lack of ownership. With the size of fines and severity of sanctions that can be imposed, this has moved from being a concern for IT or the legal team to a core business issue in which today’s executives and Boards of Directors must now be involved.”

Statistics show that UK business alone lose £72 billion per year due to corporate fraud, which equates to approximately 6% of companies’ annual turnover, and yet only half of the UK’s 350 largest companies have put any additional measures in place to protect themselves.  European Commission fines can reach as high as 10% of the company’s turnover in their recent business year for cartel and fraud practices, much of which is executed and uncovered in electronic communications.

Incorrect handling of ESI has already led to a number of serious consequences for organisations, with several falling foul of the US Federal Rules of Civil Procedure and the UK Civil Procedures.   Since 2001, there have been 50,000 changes to the UK FSA rule book, including 4,000 pages of amendments in legal instruments between Oct 2006 and Jan 2007.  The NASD, the US provider of financial regulatory services, had 135 rule filings in 2006, 1,099 changes to the Manual since 2004 and the AMEX Rule 903 has changed six times since 2005.

Martin Carey, Managing Director of Kroll Ontrack in London said, “Clearly in the UK, in-house counsel and their external counsel are lacking significantly in their training and understanding of rules and regulations regarding their electronic information. They do not yet seem to be grasping the fact that all this data is no longer just information; rather it can now all be considered as evidence. This fact alone shows a severe lack of ownership and understanding.”

Despite the growing pressure to comply with regulation, only 17% of UK in-house legal counsels believe that they are fully up to speed with all case law, developments and regulations relating to ESI.  Less than half (42%) think they have a good understanding but could benefit from more knowledge.  More than a quarter (26%) say that they have a low level of understanding, while 14% say that they know little, if anything about ESI or have never heard of it.

US counsel outshines their UK counterparts yet still only 25% say that they are fully up to speed with all case law, developments and regulations relating to ESI.  Less than half (43%) believe that they have a fairly good understanding but could benefit from more knowledge. Almost a quarter (24%) have a low level of understanding while a further 9% either know little or have never heard of it. 

US legal teams are far more concerned than UK counterparts about the reality of growing volumes of ESI.  The biggest challenge faced by legal departments in the US will be unmanageable volumes of ESI (cited by 21% of respondents in the US compared to 11% in the UK).  By contrast, the UK’s primary concern was lack of training in legal trends (16%).

• You can find the full text of the 16 page report (as a Word document) by clicking on the attachment accompanying this story.

• Orange Rag comment: It's nice to hear about all these regulations but a little ironic that the biggest culprits are the government departments and agencies whose internal data protection procedures are so lax that they'd get sacked from even the most sloppily run private sector business. In the UK we are hearing about new lapses every couple of days (what is it about government departments and unencrypted CDs) however here's a story from the US you may not have heard before…

A US official overseeing a probe of former Bush aide Karl Rove – Special Counsel Scott J. Bloch – bypassed his own agency's computer
technicians and hired an outside firm to perform a seven-level
wipe of his computer hard drive, all but guaranteeing the files could never be restored. Although
the official said he contracted the work after suspecting his computer
was infected by a virus, a manager with the private firm said a wipe
that thorough is an unusual way to treat a malware infection. The
receipt for the work performed makes no mention of a virus.

Bloch's office is investigating whether Rove and other White House
officials improperly used government agencies to help re-elect
Republicans running from Congressional seats. In turn, Bloch has been
the subject of a White House-ordered probe into whether he improperly
retaliated against whistle-blowers in his own staff and dismissed cases
brought to his agency. Following the revelation of the computer wipes, federal
investigators have requested Bloch turn over copies of personal files
that he saved to his America Online account before his hard disk was
scrubbed. Bloch has refused, saying the data, which included medical
information, messages to his personal attorney and pictures from his
son's tours of duty in Iraq, don't involve his official work.