Instant Messaging: Smooth Operator Or Legal Burden?

If you still view instant messaging (IM) as a novel technology geared toward the kid next door or that nerdy intern down the hall, you may want to consider the following:

Sky Capital Holdings Ltd., a 150-employee Wall Street brokerage and retail trading company, has essentially locked down its IT system to prevent all but a dozen or so securities traders from using IM. Like other financial institutions using IM, the company must comply with strict regulatory measures instituted by the National Association of Securities Dealers, as well as the SEC, NYSE and the Nasdaq.

Altria Group, the parent company of food and tobacco giants Kraft Foods, Philip Morris International and Philip Morris USA, has banned the use of IM altogether. According to company spokeswoman Lisa Gonzalez, Altria employs an enterprise software system that blocks employee access to all commercial IM portals, corporatewide.

To the uninitiated, the measures may seem extreme. But with experts predicting IM will soon overtake e-mail as the preferred means of electronic communication, in-house attorneys and IT specialists alike are increasingly concerned that IM use in the workplace is an e-discovery nightmare waiting to happen.

"Instant messaging is an enormous time bomb waiting to go off in corporate America," says Nancy Flynn, executive director of the Columbus, Ohio-based ePolicy Institute, a corporate training firm that specializes in e-mail management and policy matters. "Employees are using free software and many companies still aren't using readily available software to control it. Most general counsel view IM as an emerging technology, but our recent survey (conducted with the American Management Association) reveals 31 percent of employees use it at the office, and 78 percent of them use it without management's knowledge or the IT department's control."

That lack of oversight, Flynn and other experts say, puts a company at risk from legal, regulatory and security standpoints. Many fear that employees, believing their IMs aren't being monitored or stored, will let their guard down and provide tech-savvy litigators with the next electronic "smoking gun."

There is an ongoing debate percolating throughout corporate America over whether to allow or ban IM in the workplace.

"I'm in the middle of that battle right now," says a Fortune 100 corporate counsel who requested anonymity. "From a legal risk perspective, IM is a dangerous technology. Our business people want to use it, but the IT department doesn't want to pay what it will cost to log the IMs. And I'm telling the business people you're not going to use it unless you pay to monitor and log it."

Under The Hood

A group of Israeli entrepreneurs created instant messaging in the mid-1990s. It allows users to maintain a list--often called a buddy list--of people with whom they can communicate instantly via the Internet. Messages can be sent to anyone on the list, as long as the recipient is online.

Both parties can see the messages as they are entered, with the conversation proceeding back and forth in real time. Further, a chat function facilitates conversations among three or more persons. Instant messaging software is free and readily available from a variety of sources, including AOL Instant Messenger, Yahoo! Messenger and MSN Messenger Service.

Potential problems arise when employees send messages--with attachments--without a company's oversight and control. Further, without company supervision, it's up to the individual user to activate the software's optional archive function.

Recent surveys only add to the concern. For example, the 2004 ePolicy/American Management Association poll of 840 U.S. businesses found that only 11 percent use software to monitor IMs even though 58 percent of their workers use IM at the office. Under regulations adopted by the NASD in 2003, financial companies that allow IM use must monitor and retain all electronic communications--including e-mails and IMs--for three years. As a result, companies such as Sky Capital severely restrict its use in the workplace.

Clamping Down

"Of our 150 employees, only the traders are allowed to use IM," explains Neil Sherak, Sky Capital's director of network services. "They only can use AOL Instant Messenger and they're not allowed to install it (on their computer) themselves. Somebody from the IT department has to do it for them."

The company employs a combination of software solutions that not only controls employee access to the AOL IM portal, but also archives and sorts the instant messages, making them easy to retrieve and search through for compliance and discovery purposes.

"Every time the employee logs on, a disclaimer pops up and reminds them that all IMs are monitored and archived and that they have no privacy whatsoever," Sherak says.

For companies that aren't regulated, such as Altria, the issue is less cut and dried. For many, the simplest way to avoid the IM risk is to ban its use altogether.

"If I were a corporate counsel, at this point I would simply advise my company not to log the IMs, provided there's no legal requirement," says Adam Rubinger, a client executive of Fios Inc., a Portland, Ore.-based provider of electronic discovery services. "But longer term, companies have to decide whether to put a policy in place and begin logging IMs, or ban its use. Many organizations already prohibit it."

While Gonzalez declined to explain the reasoning behind Altria's ban, one can't help but think that last year's $2.75 million sanction against Philip Morris USA had something to do with it. A judge levied the heavy fine when 11 employees of the subsidiary failed to preserve e-mails as required by the company's retention policy and a court preservation order.

Litigation Risks

While companies in unregulated industries aren't required to retain IMs, James Daley, partner and chairman of the technology law and e-discovery group at Shook, Hardy & Bacon, says they may ultimately be required to do so if litigation ensues.

"From the civil litigation and e-discovery standpoint there are a number of layers to this onion," Daley says. "First, is the company expressly or tacitly aware that IM is being used for business communications or business purposes? Second, is the switch set for IM to be stored or logged? And finally, is the IM distinguished from e-mail? Is it part of the regular records-retention policy, or review policy?"

While unregulated companies still can argue IMs are transient or ephemeral, Daley points out that the Federal Civil Rules Advisory Committee's proposed change to Rule 34 expands the definition of "document" to include all "electronically stored information."

"The trend is that there is less and less distinction between e-mail and IM when it comes to a company's record-retention policy and litigation-hold notices," Daley says. "If employees are using IM for business purposes, the first time litigation ensues and IM is part of the investigation or subpoena, the event will trump the company's normal retention policy (and the IMs will have to be logged)."

Further, Flynn asks, what happens if another party--a customer or an employee charging the company with sexual harassment--does retain its IMs?

"If you end up in court, you may only have part of an IM conversation and it could be taken out of context," Flynn says. "From a legal perspective, wouldn't it be better to have a corporatewide use and retention policy in place and have full access to all your IMs?"

Clearly, corporate law departments that haven't already done so will have to establish some sort of IM policy sooner rather than later.

"As the legal department, our job is not to prevent employees from using instant messaging or any other technology," says the Fortune 100 in-house attorney. "Our job is to thoroughly explain the risks associated with using it.

"There's a movement toward using IM for day-to-day business communication and it's going to be huge," the attorney adds. "I predict that by the end of the year, a lot of companies, including ours, will decide to either lock it out, or implement a formal logging system to capture the IMs. But nobody wants to take that first step, because if they implement the logging system, it will be like yelling, 'Hey plaintiffs, come get my IMs!'"

Staff Writer
