Instant messaging and compliance issues: What you need to know

By Dmitry Shapiro, CTO, Akonix Systems, Inc.
27 May 2004 | SearchCIO.com


Instant messaging (IM) is widely recognized as a superb tool for business communications. Its immediacy, combined with presence information, is something neither the phone nor e-mail can offer.

There are distinct differences between the types of IM clients in use on corporate networks. Readers of SearchNetworking.com may, for instance, use or manage a proprietary system such as IBM's Lotus Messaging (formerly known as Sametime). This internal IM system provides enterprise management and security, but not necessarily compliance with government and industry rules and regulations.

Further red flags for IM and compliance come from the widespread use of consumer IM clients, such as AOL Instant Messenger, Microsoft MSN Messenger and Yahoo Instant Messenger. Most use of consumer IM clients is not formally managed, authorized or recorded. The concern for the IT manager is this lack of management and control. Major IM compliance issues include record retention, supervision and the protection of consumer information. Critical business issues such as theft of confidential information and copyright violations are of equal concern.

Rapid adoption of IM

Osterman Research states that in 2003, 90% of enterprises were using IM to some extent. A survey conducted by Osterman in 2003 revealed that more than 60% of participants cited AOL Instant Messenger as an IM tool workers use; more than 50% cited MSN Messenger. These public IM tools are used in such overwhelming numbers simply because they give users the ability to communicate externally with customers and partners. After all, consumer IM clients already have over 100 million users, so this is a logical and efficient means of messaging.

The challenge for network managers is how to achieve a unified view of all IM activity on the network, for both corporate IM and public IM usage. The manager needs control over both systems to monitor a variety of compliance issues. Logging and archiving, monitoring, reporting and supervision must meet current and upcoming records retention, privacy and security regulations.

Using Lotus addresses the control and security aspects of compliance for internal messaging, but does not offer the archiving and supervision required. If this seems like a challenge to address, consider the potential compliance nightmare when you have no idea who or how many people are using consumer IM clients.

The Radicati Group predicts there will be up to 349 million corporate IM users by 2008, many of them using consumer IM clients. This presents serious compliance risks that need to be addressed soon.

IM and compliance

Recent corporate financial scandals have greatly increased the scrutiny and regulation that public companies and businesses handling public debt are now facing. Today, a lack of user management, security and records retention controls for employee use of real-time communications technologies, including consumer IM, means increased legal risk and personal accountability for corporate officers. When organizations implement information management solutions, they must ensure adequate management controls.

Below is an overview of some of the key compliance requirements by which an organization is bound and how they relate to IM usage. These regulations affect a number of industries from healthcare to financial services.

Records management
To comply with the basic requirements of Sarbanes-Oxley, companies need a records management system, and IM must be integrated as part of this.

Compliance supervision
Sarbanes-Oxley section 404 requires an annual evaluation of internal controls and procedures for financial reporting, as well as an assessment of the effectiveness of these controls. When electronic communications like IM are involved in that process, these communications need to be logged, archived and available upon request.

The National Association of Securities Dealers (NASD) demands that communications over IM be either managed and maintained according to its 3010 and 3110 rules, or disallowed entirely. Rule 3010 states that companies must supervise the communications between staff and the public and ensure compliance with company-defined policies. Organizations must sample IM and have the ability to quarantine incoming and outgoing messages, recording and logging the samples. The New York Stock Exchange issued its own memo citing IM as a medium that must be monitored for compliance.

Records retention and preservation
NASD members are required to treat IM as e-mail or written records for retention purposes. Both NASD and Sarbanes-Oxley section 802 require tamper-proof records for electronic communications including IM. Electronic storage media must preserve the records in non-rewritable, non-erasable format.

Efficient search and retrieval
The U.S. Securities and Exchange Commission (SEC) requires companies to ensure specific retention periods and to be able to quickly search and retrieve selected archived information, including instant messages. Messages must be stored for a minimum of three years, with the first two in an easily accessible place.

Deleting records
Enterprises need to retain records for the SEC's legally specified time or for the time outlined by their industry-specific regulations. Retention beyond that period could increase enterprise risk during a legal discovery.

Duplicate storage
A duplicate copy of the records must be stored separately from the original in tamper-proof format. Historically, data has been transported off-site, but more and more data is transmitted electronically to a remote location.

Privacy and consumer information protection
The Financial Modernization Act of 1999, or Gramm-Leach-Bliley Act, includes provisions to protect consumers' personal financial information held by financial institutions. This includes assuring the security of information communicated by IM and e-mail.

In healthcare, HIPAA regulations apply to all organizations that have access to patient information. HIPAA requires protection of patient confidential information and suggests that any oral, written or electronic communications be captured and stored, including IM.

Unauthorized disclosure
For any company that does business with a California resident, CA SB-1386 demands that organizations report any breach of security resulting in the disclosure of personal information in electronic form, including both e-mail and IM, to an unauthorized person.

Now is the time to act

IM is a powerful tool. Implementing a proprietary system such as Lotus Messaging is a step in the right direction for a fully managed and secure internal messaging solution. The gap that still exists is taking care of compliance issues.

The risks with consumer IM are much greater. Its use throughout most corporate networks is pervasive and, for the most part, unsanctioned. Most executives agree that blocking IM entirely is not an option. The question is how to bring out the benefits of consumer IM while ensuring it is properly managed, secure and compliant.

The use of IM is growing exponentially faster than the use of e-mail, and IM is predicted to be as common as e-mail within two to three years. Companies need to act now to assess the state of consumer IM use within their organizations and put in place the measures necessary to make sure their IM use does not run afoul of the compliance requirements set by Sarbanes-Oxley and by financial, healthcare and state regulations.
