The next time you decide to instant message (IM) a colleague, consider this: IM content is neither secure nor private, according to technology and legal experts.
While IM is generally a safe tool for personal communication, its content can be captured and used as evidence in lawsuits, according to Illinois-based IT Governance Institute international president Marios Damianides.
IM is an Internet service that allows someone to communicate in real time with other users who have the same IM application. According to Ferris Research, corporate IM usage is expected to account for about 60 per cent of online traffic this year.
According to Damianides, companies are warning employees to be more careful of what they say in instant messages, as the content of those messages could be captured and used against them in legal proceedings.
In the virtual battle between employee privacy and corporate security, the courts seem to be siding with the latter.
IM, like corporate e-mail, tends to be viewed as a company resource that can be used in litigation if the need arises, said David Fewer, legal counsel for the Canadian Internet Policy and Public Interest Clinic.
He said while employees may have a general expectation of privacy when it comes to e-mail correspondence or instant messaging, the courts have a different perception. “To date, courts have been very harsh on employees’ privacy expectations saying that if an employee is using corporate resources, the corporation has the right to monitor the use of those resources.”
A case in point is the on-going legal battle between the Canadian Imperial Bank of Commerce (CIBC) and Genuity Capital Markets Inc. CIBC claimed that some former employees, who moved to Genuity, divulged confidential information to recruit CIBC personnel. The evidence – messages sent and received through the employees’ BlackBerry devices.
Fighting back, Genuity accused CIBC of invasion of privacy.
Fewer said while there are federal laws in place for personal privacy protection, there is currently no law in Ontario safeguarding the privacy of employees’ personal online communications.
“The (Ontario) law simply has not caught up with technology, it’s a gaping hole in the Ontarians’ privacy rights,” Fewer said.
Infringement of one’s privacy is not the only risk involved with the uncontrolled use of IM, according to Damianides. The vulnerability can also affect the security of corporate systems.
“The concept of opening up one computer to multiple instant messaging systems poses a threat and provides gateways for people to (break into) the corporate system,” said Damianides.
While the risk is higher in public IMs such as Yahoo Messenger or AOL Instant Messaging, enterprise-class IMs are also susceptible to attacks, said Damianides.
He said the IM system’s capability to receive and open files could be used as an avenue for worms and viruses to get into the computer system.
There are ways companies can minimize IM security risks, according to Damianides. Companies must proactively enforce policies that govern the use of IM in the workplace.
Using the proper technology that protects the system from hackers and viruses is also a good practice, Damianides said.
The IT Governance Institute also suggests that companies simply prevent employees from downloading a public IM service by putting a block feature in the system.
IT Governance Institute is the research arm of the Information Systems Audit & Control Association (ISACA), an IT organization of more than 35,000 members from over 100 countries worldwide.