U.S. federal law allows organizations to monitor employee IM and e-mail. Use the organization’s written IM policy to inform employees that IM is intended primarily for business use, that it may be monitored, and employees have no reasonable expectation of privacy when it comes to sending and receiving instant messages— regardless of whether they are using the organization’s own IM system or personal IM software downloaded from the Internet.
One court has ruled, ‘‘Employers can diminish an individual employee’s expectation of privacy by clearly stating in the policy that electronic communications are to be used solely for company business, and the company reserves the right to monitor or access all employee Internet or e-mail usage.’’ 
Follow the court’s lead, and extend your organization’s privacy statement to cover IM, as well.
IM Rule # 18: Notify employees that they have no reasonable expectation of privacy—even when using personal instant messaging software.
An undercover investigation of the Yahoo! ‘‘Candyman’’ e-group led the FBI to suspect that an employee of American Family Insurance was using the company’s e-mail system to receive child pornography. When the employee tried to suppress evidence found during the FBI’s search of his work computer, the court ruled that he had no expectation of privacy, given his employer’s computer-related rules, policies, and procedures.
American Family Insurance had a log-in notice that warned of possible monitoring or searching, and required users to click ‘‘OK’’ to proceed. Every time the defendant accessed his work computer, he consented to his employer searching his computer. The company also posted e-policies on its Intranet site and sent e-mail notices to employees reminding them of the policies.
The court stated: ‘‘An employee cannot claim a justified expectation of privacy in computer files where the employer owns the computer; the employee uses that computer to obtain access to the Internet and e-mail through the employer’s network; the employee was explicitly cautioned that information flowing through or stored on computers within the network cannot be considered confidential; and where computer users were notified that network administrators and others were free to view data downloaded from the Internet.’’ 
Your organization’s written IM rules, policies, and procedures might help protect you from an invasion of privacy claim, as well as vicarious liability. Manage your IM assets today, or risk costly litigation tomorrow. The choice is yours.
TBG Ins. Serv. Corp. v. Superior Court of Los Angeles County, 96 Cal. App. 4th 443 (Cal. Ct. App. 2002).
United States v. Bailey, 2003 WL 21705226 (D. Neb. July 23, 2003). Source: ‘‘Kroll Ontrack Cyber Crime and Computer Forensics News’’ Vol. 1, Issue 8 (September 2003), www.kroll.ontrack.com.