LONDON - A surge in e-disclosure requests means UK businesses are facing a time bomb of legal, reputational and compliance risks, according to a survey by Boston-based information risk management software vendor Recommind.
The study says almost half (41%) of UK firms have experienced a rise in requests for e-disclosure - the identification, preservation and collection of electronically stored data for legal actions, and regulatory and internal investigations.
Fraud and other financial crime is seen as the primary driver behind the rise in requests, followed by growth in electronic communication, the global recession and the influence of US rules on the UK legal and regulatory system.
"The problem is that e-disclosure is still seen as a US problem, and for many UK companies, that is all the excuse they need to sweep it under the table," says Simon Price, European director at Recommind. "However, the reality is that this is a problem facing UK businesses, and, if the upwards trend continues, before long we'll see firms over here subject to the same level of scrutiny as their US counterparts."
Two-thirds of the 150 UK firms surveyed said they dedicate less than 5% of their IT budgets towards provisioning for e-disclosure requirements, whereas data security risks are seen as paramount in response to a series high-profile information breaches.
However those two risks are intertwined. Disclosing the wrong data or too much data sacrifices data privacy controls, as well as potentially laying the firm open to further regulatory investigation by highlighting internal governance failings.
For banks and other firms outsourcing data management there could be a need to re-evaluate contracts and assess legal risks, as regulators or investigators will expect the same disclosure standards from the outsourced data.
UK firms are subject to the increased online security requirements of the European Union's Data Retention Directive. The first phase of the directive came into force in October 2007.
Initial requirements focused on retaining fixed and mobile telephone data, but the second phase, coming into force on April 6 this year, has extended requirements to include internet communications, including email event data, increasing disclosure demands.