Expanding legal discovery forces IM, blog rethink

Seven Network's David Watts knows instant messaging needs to be better managed - as do the growing number of companies finding IM and blogs joining email as targets of subpoenas for electronic records.

E-discovery isn't all about email. The list of electronic records that must be retained for regulatory compliance and litigation continues to expand, and information technology executives must create and enforce policies that take this into consideration.

Email is still the prime target for legal discovery in litigation, Priscilla Emery, president of enterprise content management consultancy e-Nterprise Advisors, told attendees at the recent IT Compliance Institute Conference in the US. However, other forms of electronic records are also becoming applicable.

Emery cited an ePolicy Institute survey that revealed 24% of responding organisations said they had received a subpoena requesting employee email in 2005. Fifteen percent reported that a lawsuit had been triggered by an employee email. She said these numbers will continue to rise.

That same ePolicy Institute survey found that 58% of employees send personal instant messages at work. These numbers underscore the importance of having an effective records retention policy and an acceptable use policy for a wide variety of electronic media, not just email.

"Most organisations do not allow instant messages," Emery said. "But a lot of financial services companies and broker dealers use instant messages to communicate internally and with customers. You need to keep those records. If you don't save your instant messages, someone else might do so without you knowing it."

Tony DePalma, CIO of Mineral Technologies Inc., a US$1 billion manufacturer of mineral whiteners and other products, said his company has an email retention technology in place, but it has yet to start archiving instant messages. "We do have an email archiving process," DePalma said. "Other areas are to be planned."

DePalma said his company allows employees to use AOL Instant Messenger for business communication. He considers other instant messaging platforms to be less secure, so their use within the business is restricted. However, the company has not yet started to archive instant messages. He hopes to have a strategy team in place soon to develop an archiving plan.

Standardising the management of IM and other informal forms of communication requires control over which platforms are being used. At Seven Network, this issue was front of mind after the developing Yahoo!7 media partnership recently provided impetus for a change in the way instant messaging was being managed.

After a mandate that would see around 2100 employees standardise on Yahoo! Instant Messenger, the IT team began looking for a way to tighten control over IM interactions. It soon became clear that a new approach was necessary; Seven eventually decided to move away from its standalone Windows proxy server and implement a purpose-built filtering appliance from Blue Coat.

"The problem we find is that instant messaging is not an enterprise type of application," says David Watts, network telecommunications and IT infrastructure manager with Seven Network. "Previously, you had to open up everything in your proxies and firewalls to allow IM. Now, we can manage it more and reduce the risks. We're looking at [IM] and logging it, and [employees] are more aware that people are aware of what they're doing."

Blogs are also subject to record retention requirements. These include blogs on corporate Web sites, but personal blogs might also become subject to legal action if an employee posts corporate information on them. Emery said companies need to create policies around what can and cannot be posted on a blog. They also need to scan personal blogs to ensure that employees are complying with policy.

Companies must also capture information on their Web sites in their original formats as a record of communication. If sales or pricing information appears on a company's Web site, that information needs to be retained since Web sites can change on a daily basis. A company needs to be able to prove what information was on its Web site in case it has to defend itself in court.

Emery said personal digital assistants (PDAs) are also becoming "problematic." She said very few companies have policies in place that make sure all PDAs synchronise to one server. Without such a policy, email retention policies can be undermined.

Even text messages on mobile phones and PDAs can be used in legal proceedings. Few companies retain text messages sent and received by their employees, but all US mobile phone service providers retain them. "A service provider retains those records, and if they are subpoenaed, they will turn them over," she said.

Emery said companies should set standards for formats and usage for each of these media. She said employee training is critical.

"People are your biggest challenge" to installing a records retention policy, Emery said. Training should be done routinely, not just once. And CIOs should take steps to make sure compliance with a records retention policy is easy.

"Do not create more interfaces," she said. "If it takes more than five seconds for employees to figure out where to put something, you aren't getting anywhere."
