SAN JOSE, CALIFORNIA-- Most people think of instant messaging as a good tool for fleeting conversations, but as the technology is used more in business, the potential cost of misuse is becoming a concern to companies. Firms that allow IM would do well to protect themselves from privacy and security breeches, experts say.

The topic was raised at a panel of IM vendors, consultants, and electronic-rights activists here at the Fall 2003 Instant Messaging Planet Conference and Expo this week.

Particular Concerns

The financial industry faces particular concerns, noted Henry Wolfgang Carter, a consultant and member of the Bipartisan California Commission on Internet Political Practices, as well as E-Trade counsel. Carter was one of the panelists at a discussion entitled "IM and the Law: Compliance, Privacy, and Security."

Institutions that fail to turn over records of electronic communications as demanded under the Sarbanes-Oxley Act of 2002 could face stiff penalties. But whether IM is subject to Sarbanes-Oxley is not clear, Carter noted. In 1997 the Securities and Exchange Commission (news - web sites) issued guidelines for the use of e-mail, but IM has not yet been written into any SEC regulations, he said.

Self-regulatory organizations--most notably, the New York Stock Exchange--explicitly ask that members archive IM conversations, however.

Digital communications are already part of legal proceedings. For example, prosecutors are invoking e-mail evidence presented in California's high-profile criminal trial of banker Frank Quattrone. Such developments may send financial workers "running to IM, thinking they will be safe," Carter said.

But under Sarbanes-Oxley, anyone who conceals, tampers with, or destroys a document trying to keep it from being used in an official proceeding can be sentenced to up to 20 years in prison. That's quite a gamble to take under legislation that's less than crystal-clear, the panelists noted.

"With e-mail, it took five years between SEC regulations and charges," Carter said. "I anticipate less than half of that time before we see actions based on IM."

A new public company oversight board is currently examining Sarbanes-Oxley, said Carter. "A huge education process has to go on with financial industry regulators" if the law is to directly address the use of IM in the financial industry, he said.

Solutions or Problems?

For security, some companies may turn to monitoring products. For example, panelists cited Akonix L7 Enterprise 2, a gateway that monitors and regulates consumer AOL Instant Messenger, AOL ICQ, MSN Messenger, and Yahoo Messenger usage.

"What you need depends on the company," said Peter Shaw, Akonix chief executive officer, and a panel member. Some companies may archive and retrieve IM conversations to comply with Sarbanes-Oxley. Others need to protect medical patient privacy as outlined by the Health Insurance Portability Act of 1996. Some may wish to archive IMs to record--or, better, discourage--sexual harassment and other unacceptable workplace behavior.

But overzealous record-keeping could open some companies to legal difficulty, warned Brad Templeton, chair of the nonprofit digital rights group Electronic Frontier Foundation. Companies not affected by Sarbanes-Oxley and HIPAA could find that IM archiving could backfire.

Archiving those messages could show that your company believes it has a duty to stop the behavior that's occurring. But if your company attempts to take control, and those controls fail, your business could be held liable, he noted.

Privacy Concerns

Templeton also expressed concern about the presence-tracking element of IM, which lets companies monitor the time employees spend with their IM client set to "Available," "Busy," or "Away."

"It's a promotion [for an employee] to get past a time card. This reintroduces the time card to the white-collar worker," he said. "People are never aware of their need for privacy until it's violated."

Workers who believe presence tracking is a violation of their privacy may choose to sue their employers, Templeton added.

To protect personal instant messages from corporate scrutiny, users need to employ some common sense. Templeton suggested keeping business and personal IM identities separate; as he pointed out, "It's easy to open a second IM account."

While some companies may allow employees to freely use IM for personal purposes, even those businesses that do may frown upon its use during scheduled work hours, he noted.

The panelists agreed that it's best to check an employer's policy on personal IM and follow it.

Other panel members of the panel included Ross Bagully, consultant and former CEO of TribalVoice; and Marguerite G. Gear, vice president and sourcing manager for Bank of America. Todd Tweedy, president of TTG, served as moderator.

Source: Yahoo