Messaging is not exempt from governance regulations
The use of instant messaging by employees is proving to be yet another headache for employers.
Much has been written on the need to comply with new legislation, such as Sarbanes-Oxley or the Basel 2 code on risk management, but many organisations are struggling to find a balance between corporate governance and data retention, and the complexities of employee rights and the legislation protecting these rights, such as the Human Rights Act and the Data Protection Act.
Instant messaging is not exempt from compliance laws.
Sarbanes-Oxley and Basel 2 demand that companies falling within the scope of these pieces of legislation store certain data for several years. The sanctions for non-compliance are severe and can result in criminal liability for chief executives and chief financial officers.
With an increase in the number of businesses using instant messaging, it makes sense to create an audit trail for all instant messaging conversations. If it is uncontrolled, instant messaging use presents a gaping hole in an organisation's security and compliance policy. It can, for example, offer employees an opportune method for sending sensitive information out of the business undetected.
In addition, it is only a matter of time before a high-profile case arising from this unlicensed use of software comes to light, bringing with it serious financial consequences and significant brand damage. It is also likely that many more such cases will be settled behind closed doors, depriving organisations of the "early warning" they desperately need.
So how can IT directors combat these problems and use instant messaging productively and securely?
Implementing software to monitor, control and archive all instant messaging communications and prevent such issues arising is one option, but this in itself may not be a simple process.
Take "presence awareness". Instant messaging offers considerable benefits in terms of knowing when a contact is online, but organisations need to consider carefully the implications of broadcasting this information to a large user community.
Managers need to be wary of abusing this situation by using presence information to micro-manage employees. If an employer has not informed staff that their communications will be monitored, not only could employees feel violated once they realise this, but it may also prove difficult for employers to use any monitoring evidence in disciplinary proceedings.
In Europe, in particular, privacy is a big issue and organisations need to tread carefully around employee rights.
The most sensible approach is to create a policy for instant messaging use alongside implementing software to control and archive communications. The policy should also meet the requirements of different business departments.
For instance, human resources will want an instant messaging usage policy to educate and protect employees by making them aware that communications will be monitored and providing guidelines for clean and compliant instant messaging use.
The IT department may want a content filtering strategy to reduce security threats, and the compliance team might request that a data retention policy be enforced to ensure that they are meeting relevant regulatory requirements.
Mark Smith is an IT lawyer specialising in large IT projects and information security with law firm Olswang