Printed from BusinessInsurance.com

Online chat tools create exposures

Posted On: Aug. 19, 2007 12:00 AM CST

Online chat tools create exposures

Exposures arising from workplace instant messaging are nothing to LOL at, experts say.

As more employees use the real-time "chatting" applications at work, both for personal and business purposes—such as talking to colleagues and customers—observers warn that it's imperative for employers to take steps to limit their risks and maintain control over the practice.

Many companies are aware of liabilities associated with workplace e-mail, including exposing systems to computer viruses, providing a medium for harassing or defamatory communications, and opening up sensitive information or trade secrets to theft.

And while many of the same risks are involved in instant messaging, observers say messaging in the workplace has been overlooked by many employers as it seeps from home use and into the office. And instant message conversations, like e-mails, are subject to discovery in litigation.

"Instant messaging is where the conversations that used to occur around the water cooler are now occurring," said Michele Lange, a staff attorney at Eden Prairie, Minn.-based Kroll Ontrack Inc., a computer forensics and electronic and paper discovery firm. "Even though you might think it's protected or seems fleeting or somewhat secretive, should something ensue in which the court system needs to get involved, (the IMs) are not sacrosanct."

Changes to the Federal Rules of Civil Procedure in December 2006 made all electronically stored information discoverable (BI, Dec. 18, 2006). Employers are liable for subpoenaed workplace IM chats, even if the employer is not aware that chatting goes on, said Nancy Flynn, director of the ePolicy Institute, a consulting firm in Columbus, Ohio. Many instant messaging programs create archives of messages sent and received, with users often able to turn that feature on or off.

Many managers are still uninformed about what these legal changes mean and they are unaware of IM exposures in general, Ms. Flynn said, describing some senior managers who have told her they don't have to worry about IM risks since they don't provide the software. "Just because you're not providing it doesn't mean employees haven't brought it in through the back door" through free programs, such as Yahoo! Messenger and Google Talk, that can easily be downloaded, she said.

Employers can confront IM-related exposures with several risk management strategies, experts say.

The first step for employers is to figure out whether IM programs are being used in the workplace by scanning the company computer systems, Ms. Flynn said.

Secondly, employers should work with legal, records management, auditing and financial departments to create a policy governing use, said Kevin Kalinich, co-national managing director of professional risk solutions for Aon Financial Services Group in Chicago.

Mr. Kalinich recommended that instead of an explicit IM policy, managers create a flexible "electronic communications policy," applicable to e-mail; IM; so-called "wikis," which are group-edited Web sites; and blogs. "An electronic communications policy can generally address each of the issues inherent in each of the different types of communication," he said.

Ms. Flynn echoed the necessity of written guidelines, but advised creating one that singled out IM from other e-communication. "Make life easy for employees. Make it a separate policy that's easy for them to read and understand and comply with," she said.

Mr. Kalinich said employers needs to consider the following: what IM program should be authorized for use, if one is to be authorized at all; the program's accompanying filters or controls; who will be allowed to use it; proper practice policy; what IM chats constitute a business record to be saved, and the manner and duration of chat archives.

Software is available to automate the process of monitoring, filtering, purging, retaining and archiving IM chats, Ms. Flynn said.

Then comes education, from the intern to the CEO, Ms. Flynn said. Ideally, employees should be certified once trained so employers can demonstrate to a court or regulatory body that training took place, she added.

Ms. Lange of Kroll Ontrack advised managers to tell their employees to treat instant messaging like e-mail. "Assume that your instant message conversations are going to be fully recoverable," she said.

Impose boundaries

Mr. Kalinich encourages employers to embrace instant messaging, but be very clear with workers about its boundaries. Younger workers, especially, who have grown up with instant messaging, should be taught that the practice has a place, but within professional parameters.

Technological controls, such as blocking objectionable language or attachments, and disciplinary action can help enforce the policy, Ms. Flynn said.

The downside is that once employers take on the obligation to educate, monitor or regulate IM use, they have a duty to enforce the policy, Mr. Kalinich said. "They just can't throw up their hands and use ignorance as a defense," should a lawsuit ensure, he said.

Experts agree that workplace IM isn't going anywhere for now.

"I don't recommend companies getting rid of it," said Ms. Lange. "It's almost like technology is one of those necessary evils that is here to stay. It improves productivity in the workplace. I'm all for making our workers more efficient." But management policies and practices have to catch up with that technology, she added.