New electronic data retention laws for US companies, and those with US subsidiaries, have come into force.
Companies must keep much better records of all their electronic information from now on following US Supreme Court amendments to federal rules in April that began on 1 December. They require any company involved in a federal lawsuit to produce any relevant electronically stored information in the discovery process. This is the method by which parties involved in a legal dispute share evidence before a trial.
While this is likely to prove troublesome for hundreds of thousands of companies, it is good news from a few. Marketing head of Nexsan Technologies, Brendan Kinkade, for example: "To comply, companies need to have easy access to archived documents - stored on or offline. They will have to prove these documents are original, authentic and have not been tampered with. This legislation potentially affects any UK organisation that regularly sends/receives information from a US parent or partner." Nexsan specialises in providing just the sort of storage technology needed to do this archiving.
Any UK business with activities in the US could be affected by the legislation and will need to collate all its relevant electronically-stored information, from employee photos through PowerPoint decks to emails and instant messages. Companies are expected to be responsible for being able to respond to legalised electronic archive invasions as part of the discovery process in a reasonable time.
Suppliers like Zantaz sell products and services to build such archives and also sell litigation support products to lawyers and prosecutors who can issue discovery orders. Business is booming. The company's revenues grew over 3,500 percent from 2001 and 2005, UK and Europe sales director, Glenn Perachio, said. "The biggest growth in the UK is on the archiving side. One of the main drivers for archiving is disclosure readiness."
In an interview he described some of the problems that UK business faced as a result of this increasing disclosure readiness need.
The general thrust is that business will have to spend money and staff time in being able to respond to recovery requests. It is not all bad news though, as the new laws do not allow for general fishing expeditions. They can only request data in amounts proportionate to their case. A well-constructed archive system could say that one million documents meet initial discovery criteria, which is disproportionate to the topic of the MD's share sales, for example. The archive system could reduce potential costs in such situations by reducing the number of documents expensive lawyers have to read.
Police access to electronic keys
Another window into UK business affairs is also due to opened soon however. Part III of the Regulation of Investigatory Powers Act 2000 (RIPA), due to take effect in the next few months, will allow law enforcement officers to gain access to the encryption keys needed to decrypt data which, in their view, could be vital for a conviction.
Many UK banks and other companies are concerned about data security and conflicts with data privacy rights as a result of RIPA part III. Since companies can be held liable for the accidental or negligent disclosure of customer information, the keys used to protect customer data are just as valuable as those used for banking transactions.
That means key management has to be done properly. Dr Nicko van Someren, chief technology officer at nCipher, said: "Company executives will have to disclose encryption keys without opening up security holes or face up to five years in prison; while law enforcement officers face legal action if they fail to adequately secure evidentiary keys leading to loss or consequential damage."
Someren thinks it is obvious that costs are going to rise: "Businesses and authorities need to adopt best practice already used by many banks and security conscious companies. This includes protecting keys in specialist Hardware Security Modules (HSMs) and using 'multi-party controls' to access and use a protected key, so that compromising a single individual is not sufficient to put a key at risk.
"RIPA part III places a heavy duty of disclosure on companies and organisations; but it also places a burden of care and security on the law enforcement authorities. Using anything short of industrial-grade cryptographic key management for protecting keys under RIPA would be a very rash move indeed." That's good news for nCipher which sells such products.
The penalties for not behaving reasonably in the face of legal requests for data and storing key information responsibly can be severe.