Instant messaging (IM) is widely recognized as a superb tool for business communications. Its immediacy, combined with presence information, is something neither the phone nor email can offer.
There are distinct differences between the types of IM clients that are in use on corporate networks. Readers of SearchNetworking.com may, for instance, use or manage a proprietary system such as IBM's Lotus Messaging (formerly known as Sametime). This internal IM system provides enterprise management and security, but not necessarily compliance to government and industry rules and regulations.
Where we see further red flags appearing in terms of IM and compliance is from the widespread use of consumer IM clients, such as AOL Instant Messenger, Microsoft MSN Messenger and Yahoo Instant Messenger. Most use of consumer IM clients is not formally managed, authorized or recorded. The concern for the IT manager is lack of management and control. Major IM compliance issues include record retention, as well as supervision and the protection of consumer information. Critical business issues such as confidential information theft and copyright violations are of equal concern.
Rapid adoption of IM
Osterman Research states that in 2003, 90% of enterprises were using IM to some extent. A survey conducted by Osterman in 2003 revealed that more than 60% of participants cited AOL Instant Messenger as an IM tool workers use; more than 50% cited MSN Messenger. The reason why these public IM tools are used in such overwhelming numbers is simply because it gives users the ability to communicate externally with customers and partners. After all, consumer IM clients are already used by over 100 million users, so this is a logical and efficient means of messaging.
The challenge for network managers is how to achieve a unified view of all IM activity on the network, for both corporate IM and public IM usage. The manager needs control over both systems to monitor a variety of compliance issues. Logging and archiving, monitoring, reporting and supervision must meet current and upcoming records retention, privacy and security regulations.
Using Lotus addresses the control and security aspects of compliance for internal messaging, but does not offer the archiving and supervision required. If this seems like a challenge to address, consider the potential compliance nightmare when you have no idea who or how many people are using consumer IM clients.
The Radicati Group predicts there will be up to 349 million corporate IM users by 2008, many of these using consumer IM clients. This presents serious compliance risks which need to be addressed soon.
IM and compliance
Recent corporate financial scandals have greatly increased the scrutiny and regulation that public companies and businesses handling public debt are now facing. Today, a lack of user management, security and records retention controls for employee use of real-time communications technologies, including consumer IM, means increased legal risk and personal accountability for corporate officers. When organizations implement information management solutions, they must ensure adequate management controls.
Below is an overview of some of the key compliance requirements by which an organization is bound and how they relate to IM usage. These regulations affect a number of industries from health care to financial services.
Records management: To comply with the basic requirements of Sarbanes-Oxley, companies need a records management system, and IM must be integrated as part of this.
Compliance supervision: Sarbanes-Oxley section 404 requires an annual evaluation of internal controls and procedures for financial reporting, as well an assessment for the effectiveness of these controls. When electronic communications like IM are involved in that process, these communications need to be logged, archived and available upon request.
The National Association of Securities Dealers (NASD) demands communications over IM must be either managed and maintained according to its 3010 and 3110 rules, or disallowed entirely. Rule 3010 states that companies must supervise the communications between staff and the public and ensure compliance with company-defined policies. Organizations must sample IM and have the ability to quarantine incoming and outgoing messages, recording and logging the samples. The New York Stock Exchange issued its own memo which cited IM as a medium that must be monitored for compliance.
Records retention and preservation: NASD members are required to treat IM as email or written records for retention purposes. Both NASD and Sarbanes-Oxley section 802 require tamper-proof records for electronic communications including IM. Electronic storage media must preserve the records in nonrewritable, nonerasable format.
Efficient search and retrieval: The U.S. Securities and Exchange Commission (SEC) requires companies to ensure specific retention periods and to be able to quickly search and retrieve selected archived information, including instant messages. Messages must be stored for a minimum of three years, with the first two in an easily accessible place.
Deleting records: Enterprises need to retain records for the SEC's legally specified time or for the time outlined by their industry-specific regulations. Retention beyond that period could increase enterprise risk during a legal discovery.
Duplicate storage: A duplicate copy of the records must be stored separately from the original in tamper-proof format. Historically, data has been transported off-site, but more and more data is transmitted electronically to a remote location.
Privacy and consumer information protection: The Financial Modernization Act of 1999, or Gramm-Leach-Bliley Act, includes provisions to protect consumers' personal financial information held by financial institutions. This includes assuring the security of information communicated by IM and email.
In health care, HIPAA regulations apply to all organizations that have access to patient information. HIPAA requires protection of patient confidential information and suggests that any oral, written or electronic communications be captured and stored, including IM.
Unauthorized disclosure: For any company that does business with a California resident, CA SB-1386 demands that organizations must report any breach of security resulting in the disclosure to an unauthorized person of personal information in electronic form, including both email and IM.
Now is the time to act
IM is a powerful tool. Implementing a proprietary system such as Lotus Messaging is a step in the right direction for a fully managed and secure internal messaging solution. The gap that still exists is taking care of compliance issues.
The risks with consumer IM are much greater. Its use throughout most corporate networks is pervasive and, for the most part, unsanctioned. Most executives agree that blocking IM entirely is not an option. The question is how to bring out the benefits of consumer IM while ensuring it is properly managed, secure and compliant.
The use of IM is growing exponentially faster than the use of email, and IM is predicted to be as common as email within two to three years. Companies need to act now to assess the state of consumer IM use within their organizations and put into place the necessary measures to make sure their IM use does not run afoul the compliance requirements set by Sarbanes-Oxley, financial, health care and state regulations.