Recap and IM Action Plan
IM and e-mail create business records that can be used as legal evidence.
Employers may be held legally responsible for employees’ wrongs.
Policy and training may create a defense against vicarious liability.
Put updated, comprehensive, written IM and e-mail policies in place now to reduce risks in anticipation of litigation and as part of the ordinary course of business.
Install systems and software to ensure you can retain, archive, locate, and retrieve old e-mail and instant messages when you need them (or when the court or regulators subpoena them).
Have your legal and compliance professionals educate your executive team, IT department, and employees about electronic business records. Teach all employees to distinguish electronic business records (IM or e-mail) from insignificant business or personal messages. Educate employees about the individual roles they play in the organization’s IM and e-mail retention and deletion strategy.
Inform employees about the risks and costs the organization can face when electronic business records are not retained, and IM and e-mail evidence is not preserved properly.
Chapter 7: Instant Messaging Compounds Confidentiality Concerns
Even more than e-mail, IM increases the risk of confidentiality breaches that may be triggered when employees chat (accidentally or intentionally) about confidential, proprietary, or personal matters that would be better (and more safely) discussed on the phone or in a face-to-face meeting.
Compounding the problem is that employees who use personal IM software—as most employees do—transmit messages via the public Internet. Once a message leaves your system, the likelihood of interception by a malicious hacker or cyberthief increases. If a malicious third party were on the prowl for your organization’s intellectual property, a good place to start might be the Web.
If your organization allows IM, particularly the use of consumer-grade IM, be sure to address confidentiality concerns, copyright law, and privacy rules in your IM policy.
Remember also to incorporate a discussion about confidentiality in your IM training program. Don’t expect employees to understand what type of content the organization views as too confidential, proprietary, or personal to be discussed via IM. Use your written policy and employee education program to clearly spell out how employees can best avoid a breach of confidentiality.
IM Rule # 16: Protect your organization’s assets, secrets, and future by monitoring instant messaging.
Instant Messaging Belongs to the Employer, Not the Employee
Savvy employers are catching on to the wisdom of monitoring external e-communications. According to the ‘‘2003 E-Mail Rules, Policies, and Practices Survey,’’ 51 percent of employers monitor incoming e-mail, and 39 percent keep an eye on outgoing e-mail. Where employers drop the ball, however, is with the internal e-mail communications that take place among employees. Only 19 percent of U.S. organizations monitor internal e-mail. 
Employers who fail to monitor internal e-mail are playing with fire. Like IM, e-mail communications that take place internally among employees are exactly the type of conversations that are likely to be casual, informal, and contain language and content that could trigger disaster.
Organizations are advised to exercise their legal right to monitor-the IM and e-mail transmissions of their employees. According to the federal Electronic Communications Privacy Act (ECPA), an employer-provided computer system is the property of the employer. The ECPA gives employers the right to monitor IM transmissions, as well as e-mail traffic and Internet surfing on the organization’s system.
Employers should use written policies to notify employees that instant messages, e-mail, electronic documents, passwords, user IDs, and the computer system as a whole belong to the organization, not the individual. Clarify the fact that the organization has the right to access and review the content of any message that is created, stored, transmitted, or received using the organization’s computers and other resources provided by the organization or located in your facilities or on your property.
If you allow the use of personal IM tools downloaded from the Internet, it is particularly important that you let employees know that messages transmitted via this software on public networks are subject to monitoring, too. Inform employees that the theft of company data may result in civil or criminal penalties. If you monitor IM to prevent theft and reduce overall risks, use your IM policy to let your staff know.
Customer Data at Risk of Identity Theft
According to a survey done for Vontu by Harris Interactive, 46 percent of managers and employees with access to sensitive customer information say it would be ‘‘easy’’ to ‘‘extremely easy’’ for workers to remove sensitive data from the corporate database.
Fully 66 percent of those surveyed say their coworkers, not hackers, pose the greatest risk to consumer privacy. Forty percent classify the security level of their corporate database as somewhere between ‘‘not at all secure’’ and ‘‘secure.’’ 
Instant messaging makes the potential for data theft—already a major headache for business—even greater. Your organization can’t afford to lose sensitive client, employee, or company information. Use technology tools, training, and policy to help guard against the accidental and intentional instant messaging of intellectual property and other confidential material.
All records, including instant messages and e-mail, that are created, received, or used in the course of business belong to the company. This includes instant messages created, received, or transmitted via the organization’s own IM system or on any personal IM software you may have downloaded from the Internet.
Employees must make available to management company-owned instant messages, e-mail messages, and other business records at any time, for any reason.
When employees are terminated or leave the company for any reason, you must turn over to management originals (if available) and all copies (paper or electronic) of instant messages, e-mail messages, and other business records. Freelancers, subcontractors, and other third parties working on behalf of the company must return the original and all copies of company records upon request or at the termination of their contract with the company.
All records located in a company facility or facilities managed by third parties for the company are considered company property. All records created or stored on the company computer, IM system, email servers, imaging system, communications system, telecommunications system, storage device, storage medium, or any other company system, medium, or device are company property. All records that in any way pertain to the company or our business, no matter where they are located, are considered company property. 
IM Rule # 17: Watch your language! Confidential information and intellectual property can leave your system—instantly.
‘‘2003 E-Mail Rules, Policies, and Practices Survey,’’ conducted by American Management Association, The ePolicy Institute, and Clearswift. Survey findings available online at www.epolicyinstitute.com.
Press Release, ‘‘62% of Employees Report Incidents at Work That Put Customer Data at Risk for Identity Theft’’ (June 2, 2003). Survey conducted by Harris Interactive for Vontu. Survey summary online at www.vontu.com.
Adapted from Nancy Flynn and Randolph Kahn, Esq., E-Mail Rules, New York, AMACOM, 2003.