Do not allow instant messaging to undermine compliance efforts

Messaging is not exempt from governance regulations

The use of instant messaging by employees is proving to be yet another headache for employers.

Much has been written on the need to comply with new legislation, such as Sarbanes-Oxley or the Basel 2 code on risk management, but many organisations are struggling to strike a balance between corporate governance and data retention on the one hand and, on the other, the complexities of employee rights and the legislation protecting them, such as the Human Rights Act and the Data Protection Act.

Instant messaging is not exempt from compliance laws. Sarbanes-Oxley and Basel 2 require companies falling within their scope to retain certain records for several years, and an instant messaging conversation about a transaction is as much a record as an e-mail about it. The sanctions for non-compliance are severe; under Sarbanes-Oxley they can include criminal liability for chief executives and chief financial officers.

With an increasing number of businesses using instant messaging, it makes sense to create an audit trail for all instant messaging conversations. Left uncontrolled, instant messaging presents a gaping hole in an organisation's security and compliance policy: consumer instant messaging clients typically bypass the e-mail gateway where filtering and archiving already apply, so they offer employees an opportune method for sending sensitive information out of the business undetected.

In addition, it is only a matter of time before a high-profile case arising from this unlicensed and unauthorised use of instant messaging software comes to light, bringing with it serious financial consequences and significant brand damage. It is also likely that many more such cases will be settled behind closed doors, depriving organisations of the "early warning" they desperately need.

So how can IT directors combat these problems and use instant messaging productively and securely?

Implementing software to monitor, control and archive all instant messaging communications, and so prevent such issues from arising, is one option, but this in itself is not necessarily a simple process.

Take "presence awareness". Instant messaging offers considerable benefits in letting users know when a contact is online, but organisations need to consider carefully the implications of broadcasting that information to a large user community.

Managers need to be wary of abusing this situation by using presence information to micro-manage employees. If an employer has not informed staff that their communications will be monitored, not only could employees feel violated once they realise this, but it may also prove difficult for employers to use any monitoring evidence in disciplinary proceedings.

In Europe, in particular, privacy is a big issue and organisations need to tread carefully around employee rights.

The most sensible approach is to create a policy for instant messaging use alongside implementing software to control and archive communications. The policy should also meet the requirements of different business departments.

For instance, human resources will want an instant messaging usage policy to educate and protect employees by making them aware that communications will be monitored and providing guidelines for clean and compliant instant messaging use.

The IT department may want a content filtering strategy to reduce security threats, and the compliance team may ask for an enforced data retention policy to ensure that the organisation meets the relevant regulatory requirements.

Mark Smith is an IT lawyer specialising in large IT projects and information security with law firm Olswang