Tips for Protecting Confidential Information in an Instant Messaging - Friendly Office

Tips for Protecting Confidential Information in an Instant Messaging–Friendly Office

1. Establish and enforce an IM security policy, and be sure to train your employees on the dos and don’ts of protecting confidential information. According to a survery conducted for Vontu by Harris Interactive, 32 percent of managers and employees with access to sensitive customer data are unaware of internal company policies to protect customer data. Twenty eight percent of managers report that they don’t have a written security policy, nor do they know if their employers have written security policies in place. ^[4]

   Don’t leave your employees in the dark. Instant messaging rules and policies serve no purpose unless your staff is aware of them, and understands the role they as individuals play in keeping the organization, confidential data, and the IM system safe and secure.

2. Instruct employees to avoid IM when communicating with lawyers or seeking advice about legal issues. Instead use IM to schedule a phone call or a face-to-face meeting with legal counsel.

   In order to preserve attorney-client privilege, e-mail may not be the best way to communicate with lawyers or ask litigation related questions either. Nonetheless, e-mail does offer encryption capabilities, which personal IM tools do not have.

   E-mail also gives writers space to add a legal legend, notifying the recipient(s) that the message is a confidential for-your-eye-sonly document.

3. When debating the merits of installing an enterprise-grade IM system versus allowing employees the freedom of downloading personal IM tools, bear in mind the fact that messages transmitted via consumer-grade IM products travel across the public Internet. They may open up your organization to security breaches, including identity theft, eavesdropping, and the loss of confidential information.

4. Prohibit employees from using public IM networks to communicate confidential, personal, or proprietary information about the organization, employees, clients, vendors, business associates, and other third parties.

5. Consider allowing employees to use the organization’s internal IM system to communicate confidential information, but only within the guidelines of your written IM policy or with permission of management.

6. Remind employees that IM creates a business record that must be retained by the organization for legal and regulatory purposes. Use your written IM policy to instruct employees not to use IM to communicate sensitive personal information about medical concerns, family finances, romances, or other topics that could one day prove embarrassing if discovered along with legitimate business records in the course of litigation.

7. Use your written IM policy and employee-training program to define for employees exactly what information the organization considers confidential. Don’t expect all employees to be able to distinguish proprietary information from public news.

   Real-Life E-Disaster Story:
   Instant Messaging Leaks Sink Corporate Ships

   Although to its users IM gives the illusion of being as fleeting as a phone call, it is not. Confidential IM may not be as private as the sender (and the sender’s clients and employer) might hope.

   In 2001, a San Francisco–based hedge fund manager sent several associates an instant message about the software company People-Soft. In his message, the fund manager suggested that regulators were looking into accounting irregularities at a publicly traded People-Soft subsidiary, and that the company might be sued by a customer for breaking a contract.

   When news of the instant message leaked out, People-Soft’s stock tumbled 27 percent, from $42 to $30. The hedge fund manager later retracted his statement. ^[5]

   IM, like e-mail, is a form of written communication. Although your instant message may be intended solely for one reader’s eyes, you never know where it will end up, or who will ultimately read it. Don’t let thoughtless messages, inappropriate content, or irresponsible leaks sink your corporate ship.

   Institute written rules and policies that clearly spell out what material-may, and may not, be communicated via IM. Educate all employees, from interns to the CEO, about confidentiality concerns in the age of IM. And take advantage of technology to filter content and block messages that violate policy.

8. Inform employees that they are prohibited from sending, receiving, copying, printing, or distributing messages that could embarrass or otherwise harm the organization, its executives, or employees. Stop employees from using IM to share embarrassing executive chat with the media or to post corporate rumors on the Internet.

   Real-Life E-Disaster Story:
   The CFO Seeks Revenge via Instant Messaging

   The disgruntled CFO of a publicly traded retailer sensed that he was about to lose his job. Angry at management and unwilling to disappear quietly, the CFO spent his final days stirring dissent among employees.

   He used IM, e-mail, and whispered conversations to inform the staff that the company was in trouble, and everyone’s job would be history in a matter of days.

   Once the CFO was terminated, the rumors he had been spreading were revealed as lies. But not before he had accomplished his goal of unsettling employees and investors—thanks in part to IM.

   A cautionary tale for all employers, this story illustrates why every organization should impose rules to ban staff from using IM (or any other communications tool) to transmit information that could in any way embarrass the organization or jeopardize its assets, reputation, and future.

9. Explain copyright law. Notify employees that they are prohibited from using personal IM software and the organization’s own IM system to send, receive, download, print, or distribute copyright-protected material without permission of the copyright holder.

10. Spell out the penalties that await employees who violate the organization’s prohibitions against transmitting confidential, proprietary, personal, embarrassing, or defamatory information via IM. Let employees know that violations may lead to disciplinary action or termination.

    According to the ‘‘2003 E-Mail Rules, Policies, and Practices Survey,’’ 22 percent of employers have terminated employees for e-mail infractions. ^[6] That’s a 5 percent increase over 2001.^[7]

    Employers are advised to take an equally tough stance when it comes to IM enforcement. The termination of one IM policy violator today may set an example that prevents the mass firing of an entire department for IM misuse next week. In addition, the time may come when it will be important for you to demonstrate to the courts that your organization does indeed take IM policy, education, and enforcement seriously—so seriously that you consistently discipline employees for misuse and abuse of the technology.

11. If, in spite of the warnings and disaster stories contained in Instant Messaging Rules, you choose not to monitor, retain, and archive employees’ instant messages, then you must prohibit them from using IM to discuss policy issues or to ask questions about policy (confidential or not). Otherwise, an employee may someday claim that the electronic conversation was never held.

    If an employee violates this prohibition and uses IM to ask a question about salary, health care benefits, or employment policies, protect the organization’s future by following with an e-mail message or hard-copy memo that creates a record of the conversation.

Employees may have access to confidential or proprietary information about the Company, its executives, associates, suppliers, and clients. Instant messaging makes it very easy for employees to send and receive confidential information, proprietary information, and trade secrets. Instant messaging also makes it very easy for employees to send confidential Company information to unauthorized or unintended readers.

If you have a business need to communicate confidential Company information internally within the Company, you must receive permission from management. If permission is granted, you must mark the information CONFIDENTIAL, and distribute it via instant messaging only to associates with a legitimate need to know the information.

When in doubt, do not use instant messaging. It simply is not 100 percent secure.

Never use instant messaging to communicate confidential information to external audiences. Never use instant messaging to transmit information that is personal, highly confidential, or potentially damaging to the Company, our associates, or our clients were it to fall into the wrong hands.

Using instant messaging to discredit the Company in any way or to compromise Company confidential or proprietary information is prohibited.

^[4]Press Release, ‘‘62% of Employees Report Incidents at Work That Put Customer Data at Risk for Identity Theft’’ (June 2, 2003). Survey conducted by Harris Interactive for Vontu. Survey summary online at www.vontu.com.

^[5]Jane Black, ‘‘Why Offices Are Now Open Secrets,’’ Business-Week Online (September 16, 2003), www.businessweek.com/print/technology/content/sep2003/tc20030916_1563_tc129 .

^[6]‘‘2003 E-Mail Rules, Policies, and Practices Survey,’’ conducted by American Management Association, The ePolicy Institute, and Clearswift. Survey findings available online at www.epolicyinstitute.com.

^[7]‘‘2001 AMA, US News, ePolicy Institute Survey: Electronic Policies and Practices,’’ conducted by the American Management Association, US News & World Report, and The ePolicy Institute. Survey findings available online at www.epolicyinstitute.com.