Knowledge may be power, but it can also be a serious liability if not handled correctly. And when that knowledge is stored in electronic form – as almost all data now is – the problems it can create for companies can increase exponentially.

If anybody was sceptical about the potential ramifications of failing to manage electronic data carefully, the outcry that followed the loss of child benefit claimant details by HM Revenue & Customs (HMRC) should disabuse them of any notion that data management is not a business-critical issue.

Yet despite this and numerous examples of companies suffering severe economic and reputational damage due to deliberate or inadvertent lapses in their data management, the Legal Week Intelligence Benchmarker survey on information risk management, published in October in association with Deloitte, found that many businesses still tend to underestimate the risks of not managing their electronic data well.

The survey of general counsel found that only 41% thought that their boards had a 'reasonable appreciation of the risks' of failing to manage their electronic data robustly. Moreover, while the vast majority of respondents said their employers had disaster recovery and document strategies, little more than half said they had document management technology in place, making the structuring and recovery of archived information much more difficult.

With this in mind, Deloitte hosted a roundtable meeting of general counsel to examine the issues around the management of electronic data – where the main risks lie, where companies are most exposed and what can be done to mitigate the risks.

When an inspector calls

The dangers of failing to adequately manage electronic data come from a number of sources, including ever-strict data protection laws, the reputational risk involved in customer data being used for identity fraud and the risk of discovered documents undermining a company's case in litigation proceedings.

However, the biggest emerging risk comes from the increasing powers, and changing attitudes of regulators – and nothing is likely to heighten a regulator's suspicions more than a company's inability to produce the right documentation on time.

"Until quite recently, these issues were still considered to be mostly concerned with prevention and investigation of fraud," Mark Tantam, head of global investigations and partner in the forensic and dispute services practice at Deloitte, told the meeting. "In the last two to three years, however, they have become more widespread. For example, they now often arise in relation to regulatory investigations. Regulators have extensive powers to require disclosure of documents. Furthermore, the laws provide them with an increasing degree of extra-territoriality, both from European regulators and from those in the US, for example through the Foreign Corrupt Practices Act (FCPA)."

A number of delegates spoke of the need to start a dialogue with regulators, to help them focus their investigations rather than setting off on fishing expeditions. The success of this approach, it was agreed, would depend on who the regulator was and which jurisdiction they were from (certainly not the US). But one factor certain to lose a regulator's good faith is the inability to quickly provide relevant information in the course of an investigation.

"It is important to have all the data in order to mount a defence," Tantum added. "Regulators will want to see all the documents and, in the absence of data, they will assume guilt. It is only when you have your data properly managed and structured that you can give the regulator confidence to work with you on an investigation. But it is not uncommon for boards to say they do not know where all their data is."

In the UK, it is far from clear that many companies are prepared for the impact of a visit from a regulator. Philip Bramwell, group legal director of BAE Systems and former secretary and general counsel at mobile phone operator O2, told the meeting that in his experience, major operators in heavily regulated sectors frequently had written guidelines available for staff to use in the event of an unannounced regulatory visit and frequently ran their own document searches in connection with compliance activities.

The experience of Deloitte, however, is that this approach is the exception rather than the rule. Despite the Benchmarker survey's finding that 47% of respondents had commercial interests in the US, potentially leaving them open to US regulatory scrutiny, there remains a marked difference in the preparedness of companies on different sides of the Atlantic.

More than half (57%) of organisations in the Benchmarker survey take a specific risk-led approach to information risk management, meaning there are some processes or systems in place to cover specific information. Sixteen percent of organisations adopt an ad hoc risk-led approach, whereby some processes are in place but have not been recently reviewed, while 13% take a litigation-led approach, whereby potentially relevant documents are treated as part of a disclosure process.

"Most people here have not been exposed to a regulatory enquiry and they do not understand the depth of regulators' power, especially those from the US," said Kelvin McGregor-Alcorn, director in the forensic and dispute services team at Deloitte. "You ignore regulators at your peril."

Getting it right

So what are the essential elements of a robust data management policy?

Firstly, delegates agreed, it is essential to know where your company's data is actually located. Only 29% of respondents to the survey said they were fully aware of where their data was held, yet this is important not only to make data easier to find again when required, but also so that the wider legal implications of where it is stored can be considered. Many companies hold their data in various parts of the world, but this can leave companies dangerously exposed if the implications are not thought through. Data protection laws vary markedly between jurisdictions and what could be privileged information in one country may be fully available to regulators, litigants and even the general public in another.

Secondly, companies not only need to develop a data retention policy, but they must also ensure that it is implemented. Moreover, not only should data and documents be kept in accordance with legal requirements, but they must also be destroyed when these requirements have expired. Investigators will often go back as far as the data is available even if this is before the period in which documents should be retained.

"Having a document destruction policy is as important as having a document retention policy," Bramwell told delegates. "You should retain everything you are obliged to retain and everything else should be destroyed. Data storage is often handled by an outsourced data centre and there can be failures to meet service level agreements when outsourced data centres do not dispose of back-up tapes when they are no longer required."

At the other end of the process, the roundtable also agreed that many companies need to do more about the uncontrolled creation of electronic documents, particularly email: an issue that can grow in importance as the Facebook generation becomes an increasingly large proportion of the workforce. "Until recently, people did not really grasp that emails are records," said one delegate. "Emails are an amorphous mass of unstructured data, but they are usually the first place that investigators will look."

Shout to the top

Clearly, managing and structuring data is something that needs to be dealt with proactively before the event, rather than when all hell has broken loose. The delegates agreed that information management needs to be taken more seriously at a senior level. Delegates generally expressed surprise at the survey finding that 56% of company boards do not have a member responsible for these issues. "The potential for fines and reputational damage from data storage problems should be a core part of companies' risk assessment," said Lara Oyesanya, head of legal services at car leasing company Lex.

However, this is often easier said than done, and attitudes among board members are frequently less than helpful. "Their eyes glaze over when you raise these issues," one delegate told the session. "I would be happier if the board took more notice, but they just say 'speak to IT'. When people talk about records management, they think it is an IT issue, but it is not – it is about how people behave and getting policies right, rather than just a technical issue. This work is done, but it is done at a lower level and there is real danger there."

One of the reasons for this is a general lack of understanding among board members of either the scale and complexity of electronic information or how important these issues can be. Data storage is a black art for many people and many have not kept up with the pace of change in this area, including many respondents to the survey, only 26% of whom correctly identified that more than 90% of their companies' data is in electronic form.

General counsel clearly have a key role to play in driving these issues forward, yet the Benchmarker survey found that only 54% of companies involve their heads of legal in the risk management of information.

Bramwell suggested that raising awareness of the risks associated with company data should be a core duty of general counsel, whether they are specifically tasked with information risk management or not. "General counsel should be looking for the weakest links in compliance within the business and it is part of the general counsel's role to make the board aware that there are consequences for not getting these things right," he said.

They may, nevertheless, have their work cut out.

"It is not yet intuitive that electronic documents are as valuable and important as hard copies and need to be protected in the same way," Humphry Hatton, head of forensic and dispute services at Deloitte said. "Companies often act as if unaware that information is one of their biggest assets – but information has an intrinsic value and it needs to be looked after."

What may seem to a company director as just a few names and addresses can have staggering financial value, whether legal or illegal. As an example, the value of the lost HMRC discs to fraudsters has been estimated to be as high as £1.5bn.

"All companies have great customer care systems, but far fewer seem to think as hard about data protection, not least because the law is arcane and inconsistent," concluded Deloitte's Tantam, "It requires a lot of work, but if it is not done, the consequences can be very serious."