The big corporate scandals at Enron and WorldCom have left a legacy that affects virtually every business in the developed world.

In the wake of the two cases, the US Government rushed through new legislation in the shape of the Sarbanes-Oxley Act (otherwise known as the Public Company Accounting Reform and Investor Protection Act 2002), which placed strict rules on companies to manage their information in a much more accountable way. And, for the first time, it made senior board members personally responsible for the accuracy and integrity of the figures they reported.

The law had huge implications for IT departments too, as they now had a more visible role in managing and protecting their corporate data, and vast amounts have been ploughed into shoring up systems to ensure they would comply with the new rules.

The thing that all these new rules have in common is that they place a heavy focus on information: how you acquire it, store it, access it, who you share it with, how you protect it and even how you destroy it. And, in the digital world, this increasingly means how you manage your IT systems.

One man who takes a close interest in these developments is Stewart Room, a partner in the technology law group at Field Fisher Waterhouse. He is one of a new breed of information lawyers who have mastered both the language of the computer room while staying abreast of the legislation as it emerges.

Room says that while electronic documents have long been recognised in UK law, they pose particular challenges in terms of proving their authenticity and accuracy.

"If you look at a paper record, a quick glance might indicate that it has been forged or changed, for instance. With electronic data, it is not as simple to see whether data has been altered. It is the entire environment that needs to be understood," he says.

The environment needs to cover everything in the system and extends to the electronic network, the archiving tools and the storage systems. The law also expects all stages of the information life-cycle to be covered, and its usage monitored and audited.

Once data is in storage, there are some key elements that the law will be looking at – how a record is classified and identified when it goes into storage and how its integrity is assured. There will also need to be demonstrable protection against unauthorised use or modification, deliberate or accidental. And when a record reaches the end of its life-cycle, there will need to be clear deletion policies, Room says.

The technical challenges are one thing but the sheer volume of new legislation is another, and that is keeping Room extremely busy.

"Legislation has been heaviest in the banking and investment services sectors," he says, going on to reel off a long list of new directives aimed at tightening up the way banks and investment firms manage risk.

For banks, the really big one is Basel II which aims to make sure they trade with adequate capital behind them. Investment services companies have to contend with the Markets in Financial Instruments Directive (MIFID), which sets out, among other things, to ensure companies offer best advice to their customers. One of its other provisions is that companies should store (and be able to retrieve, when the regulator requests) all relevant records going back over three years.

New laws to prevent money laundering will be introduced in December, and they will affect anyone dealing with payments, not just investment firms, but others such as estate agents and lawyers and will require companies to retain all documentary identification of customers.

To help law enforcement and anti-terrorist agencies, communications companies will be forced to keep records for long-term under a recent directive that comes into full force in 2009.

Then there is the Companies Act in the UK, with staggered implementation demands up to 2009, which will require companies to keep a whole new range of records about corporate shareholders and business transactions. In addition, new laws on corporate manslaughter oblige companies to maintain accurate records to prove a duty of care.

And so the list will continue to grow. Room predicts that in the light of recent events, most notably at Northern Rock, it is clear there will be more regulation around market risk and credit risk and greater disclosure to the Financial Services Authority (FSA), which has been criticised for its light-touch approach to regulation.

He also reports that the FSA is currently consulting on the obligatory retention of electronic communications data by financial service companies including emails, phone calls, instant messages and SMS texts. That consultation paper, if implemented, would give rise to an even further need for storage in those industries affected.

But, as Room points out, the real issue within storage is the movement to 'intelligent storage'. It is not just a question of putting in IT storage, but putting in storage that preserves data, makes data trails auditable, makes its use auditable, prevents access in the event of theft and prevents loss of data in storage. Storage will need to be a 'digital safe', which is what the law is looking for, he adds.

But while the law is making increasing demands, IT budgets are staying static and, more importantly, IT departments are struggling to get their voices heard.

Unfortunately, Room says, IT often does not carry the weight of authority and the powers to implement things at its own discretion. And IT has to defer to the rest of the organisation, so it can be a nightmare job for them.

There is a failure of communication between the legal and IT parts of the business because they both speak different languages. They do not understand each other and end up talking at one another, rather than to one another.

Part of the problem, according to Room, is that the laws are very dense; even compliance officers, whose job it is to know these things, have trouble understanding the rules and keeping up with new regulations. "I was recently working on MIFID and Basel II for a company and I spent days in the FSA handbook," he says.

Ultimately, he says, the key is to understand the objectives and drivers behind the law. "You need to understand what it is aimed at. If you can get your head around European law and what it is trying to do, you can frame advice and implementation strategies sensibly and in an understandable manner," he says.

"You need an information lawyer to pull it all together. There is no point in calling someone in to work on MIFID if you ignore the implications of the Data Protection Act, for instance. You have to take the broader view."

Ivan Fernandez is senior manager, global industries, financial services, at EMC.