New US electronic data retention laws have come into force, also affecting those with US subsidiaries.

The law forces companies to keep much better records of all their electronic information, following US Supreme Court amendments to federal rules in April that began on 1 December.

They require any company involved in a federal lawsuit to produce any relevant electronically stored information in the discovery process. This is the method by which parties involved in a legal dispute share evidence before a trial.

Any UK business with activities in the US could be affected by the legislation and will need to collate all its relevant electronically stored information, from employee photos through PowerPoint decks to emails and instant messages. Companies are expected to be responsible for being able to respond to legal electronic archive investigation as part of the discovery process in a reasonable time.

Another window into UK business affairs is also due to opened soon. Part III of the Regulation of Investigatory Powers Act 2000 (RIPA), due to take effect in the next few months, will allow law enforcement officers to gain access to the encryption keys needed to decrypt data which, in their view, could be vital for a conviction.

Many UK banks and other companies are concerned about data security and conflicts with data privacy rights as a result of RIPA part III. Since companies can be held liable for the accidental or negligent disclosure of customer information, the keys used to protect customer data are just as valuable as those used for banking transactions.

That means key management has to be done properly. Dr Nicko van Someren, chief technology officer at nCipher, said: "Company executives will have to disclose encryption keys without opening up security holes or face up to five years in prison; while law enforcement officers face legal action if they fail to adequately secure evidentiary keys leading to loss or consequential damage.

"RIPA part III places a heavy duty of disclosure on companies and organisations; but it also places a burden of care and security on the law enforcement authorities. Using anything short of industrial-grade cryptographic key management for protecting keys under RIPA would be a very rash move indeed."

The penalties for not behaving reasonably in the face of legal requests for data and storing key information responsibly can be severe.