The Policy Hole: CEO Apathy and ESI

December 31, 2007

According to a new survey published by Kroll Ontrack, there is a serious hole in the plethora of policies relating to corporate risk. The Kroll Ontrack survey of in-house lawyers finds that less than half of organisations (48% in the UK, 43% US) have a strategy or policy in place on how to deal with electronically stored information (ESI). In the UK, a quarter of organisations (25%) said that their legal department has primary responsibility for developing policy, yet 39% said that their CEOs would face the consequences resulting from a breach of that policy. The research shows that, despite the increased importance of data handling, CEOs are leaving ESI policy to junior members of the IT or legal team even though they face the consequences if things go wrong.
In the US, 41% of respondents said that their organisations give responsibility for developing that policy to the in-house legal department. However, a fifth of organisations (19%) said that the CEO would be held accountable if that policy resulted in government fines, court-imposed sanctions or damage to reputation.
“These statistics are frightening yet not surprising. The explosion of electronic information and the onslaught of new rules, regulations and laws have made it incredibly difficult for companies and counsel to stay on top of everything,” said Kristin Nimsger, president, Kroll Ontrack. “The fact that there is no clear definition of who should be developing or enforcing the policies shows there is a lack of ownership. With the size of fines and severity of sanctions that can be imposed, this has moved from being a concern for IT or the legal team to a core business issue in which today’s executives and Boards of Directors must now be involved.”
Statistics show that UK businesses alone lose £72 billion per year due to corporate fraud, which equates to approximately 6% of companies’ annual turnover, and yet only half of the UK’s 350 largest companies have put any additional measures in place to protect themselves. European Commission fines can reach as high as 10% of the company’s turnover in their recent business year for cartel and fraud practices, much of which is executed and uncovered in electronic communications.
Incorrect handling of ESI has already led to a number of serious consequences for organisations, with several falling foul of the US Federal Rules of Civil Procedure and the UK Civil Procedure Rules. Since 2001, there have been 50,000 changes to the UK FSA rule book, including 4,000 pages of amendments in legal instruments between October 2006 and January 2007. The NASD, the US provider of financial regulatory services, had 135 rule filings in 2006 and 1,099 changes to the Manual since 2004, and the AMEX Rule 903 has changed six times since 2005.
Martin Carey, Managing Director of Kroll Ontrack in London said, “Clearly in the UK, in-house counsel and their external counsel are lacking significantly in their training and understanding of rules and regulations regarding their electronic information. They do not yet seem to be grasping the fact that all this data is no longer just information; rather it can now all be considered as evidence. This fact alone shows a severe lack of ownership and understanding.”
Despite the growing pressure to comply with regulation, only 17% of UK in-house legal counsel believe that they are fully up to speed with all case law, developments and regulations relating to ESI. Less than half (42%) think they have a good understanding but could benefit from more knowledge. More than a quarter (26%) say that they have a low level of understanding, while 14% say that they know little, if anything, about ESI or have never heard of it.
US counsel outshine their UK counterparts, yet still only 25% say that they are fully up to speed with all case law, developments and regulations relating to ESI. Less than half (43%) believe that they have a fairly good understanding but could benefit from more knowledge. Almost a quarter (24%) have a low level of understanding, while a further 9% either know little or have never heard of it.
US legal teams are far more concerned than UK counterparts about the reality of growing volumes of ESI.  The biggest challenge faced by legal departments in the US will be unmanageable volumes of ESI (cited by 21% of respondents in the US compared to 11% in the UK).    By contrast, the UK’s primary concern was lack of training in legal trends (16%).
You can read the full report here.