Chapter 8: Protecting Privacy in the Instant Messaging World: Prying Eyes May Be Reading Over Your Electronic Shoulder
U.S. federal law allows organizations to monitor employee IM and e-mail. Use the organization’s written IM policy to inform employees that IM is intended primarily for business use, that it may be monitored, and employees have no reasonable expectation of privacy when it comes to sending and receiving instant messages— regardless of whether they are using the organization’s own IM system or personal IM software downloaded from the Internet.
One court has ruled, ‘‘Employers can diminish an individual employee’s expectation of privacy by clearly stating in the policy that electronic communications are to be used solely for company business, and the company reserves the right to monitor or access all employee Internet or e-mail usage.’’ 
Follow the court’s lead, and extend your organization’s privacy statement to cover IM, as well.
IM Rule # 18: Notify employees that they have no reasonable expectation of privacy—even when using personal instant messaging software.
No Expectation of Privacy on Work Computer
An undercover investigation of the Yahoo! ‘‘Candyman’’ e-group led the FBI to suspect that an employee of American Family Insurance was using the company’s e-mail system to receive child pornography. When the employee tried to suppress evidence found during the FBI’s search of his work computer, the court ruled that he had no expectation of privacy, given his employer’s computer-related rules, policies, and procedures.
American Family Insurance had a log-in notice that warned of possible monitoring or searching, and required users to click ‘‘OK’’ to proceed. Every time the defendant accessed his work computer, he consented to his employer searching his computer. The company also posted e-policies on its Intranet site and sent e-mail notices to employees reminding them of the policies.
The court stated: ‘‘An employee cannot claim a justified expectation of privacy in computer files where the employer owns the computer; the employee uses that computer to obtain access to the Internet and e-mail through the employer’s network; the employee was explicitly cautioned that information flowing through or stored on computers within the network cannot be considered confidential; and where computer users were notified that network administrators and others were free to view data downloaded from the Internet.’’ 
Your organization’s written IM rules, policies, and procedures might help protect you from an invasion of privacy claim, as well as vicarious liability. Manage your IM assets today, or risk costly litigation tomorrow. The choice is yours.
TBG Ins. Serv. Corp. v. Superior Court of Los Angeles County, 96 Cal. App. 4th 443 (Cal. Ct. App. 2002).
United States v. Bailey, 2003 WL 21705226 (D. Neb. July 23, 2003). Source: ‘‘Kroll Ontrack Cyber Crime and Computer Forensics News’’ Vol. 1, Issue 8 (September 2003), www.kroll.ontrack.com.
Caution Employees to Guard Their Own Privacy, Too
In the age of IM, gossip and rumors that once were quietly discussed around the watercooler can be sent around the globe in an instant. As part of your employee education efforts, suggest that workers protect themselves, their families, and friends by strictly separating their business and personal lives. When it comes to IM, it’s best to keep your secrets secret and your personal business personal.
The E-Love Note Read Around the World
A twenty-something woman in England sent her boyfriend an e-love note complimenting his romantic performance (and recounting her own) the night before. The woman’s message was so graphic and flattering that her lawyer-boyfriend decided to forward it to a halfdozen male friends employed by London-based law firms and banks. His friends—all employed by international firms—in turn forwarded the saucy e-mail message to their friends and colleagues around the globe.
That very personal e-mail message ended up traveling to ten million computer screens in London, Australia, Hong Kong, and the United States. An international media sensation followed, with the New York Times, NBC’s Today show, and other media outlets around the world covering the story. The relentless London tabloids, intent on pursuing the embarrassed e-mail writer, eventually drove the mortified woman into hiding. 
A cautionary tale for anyone who uses IM or e-mail to communicate. Keep your personal life offline, or risk reading about yourself in tomorrow’s news.
Instant messages, e-mail, and other electronic records created, stored, transmitted, or received using Company resources (including but not limited to IM software, e-mail servers, and computers) are primarily for business purposes.
The Company reserves the right to monitor the content of any record, nonrecord, document, instant message, or e-mail message created, stored, transmitted, or received using Company computers.
Employees should not expect any right to privacy when it comes to instant messages, e-mail messages, records, or nonrecords.
Employees are prohibited from using Company computers, information systems, instant messaging software and systems (including but not limited to personal IM software downloaded from the Internet), e-mail systems, land-based or wireless networks, Internet connections, or other Company-owned or provided systems or devices for downloading information from or sending information to IM buddies, e-mail accounts, text-messaging services, or other communication services other than those provided by the Company. 
T. Shawn Taylor, ‘‘E-Lessons,’’ Chicago Tribune (February 14, 2001).
Adapted from Nancy Flynn and Randolph Kahn, Esq., E-Mail Rules, New York, AMACOM, 2003.