|
Instant messaging should be treated like email, with
similar constraints.
The use of instant messaging in business has grown rapidly, and
many businesses are now installing enterprise versions of instant
messaging tools for use by employees, or opening up gateways to
their networks to enable their employees to communicate more easily
with business associates on public networks.
However, many companies are not taking into account the legal
implications of instant messaging use and are taking unnecessary
risks with outdated policies and unmonitored usage. And some
companies may think that instant messaging is not being used within
their organisation when, in fact, it is, but under the radar of the
organisation's existing security measures. Instant messaging tools
are sophisticated and may enter networks, notwithstanding the fact
that firewalls are in place, or obvious ports locked down. It does
not matter if instant messaging accounts that are used for work
purposes were not provided by the employer; it is still likely that
these activities will be found to be in the course of employment,
and therefore the employer may be vicariously liable for any legal
liabilities incurred by the employees' actions.
Other organisations have amended their acceptable use policies
(AUP) to state that instant messaging is forbidden. However, an
employer can still be liable for the acts of its employees
committed in the course of their employment, even if the act was
forbidden, and all the legal liabilities that can arise from email
misuse can arise in relation to instant messaging.
Many organisations consider that instant messaging is transient,
and therefore even if its use could incur legal liabilities, it is
not worth monitoring - there will, after all, be no evidence. That
too, is simply not the case. Instant messaging tools have history
folders that record exchanges. Even if the history file is deleted
or switched off within the organisation that originates it, the
recipient may well have a copy. These history files are admissible
as evidence in court, and a court can order them to be disclosed in
relation to court proceedings. Instant messaging documents created
as part of an organisation's business must also be disclosed
pursuant to request made by an individual under the Data Protection
Act to see personal data held about them, and will be disclosable
under the Freedom of Information Act when held by a public body,
whether sent or received by that public body.
Even if instant messaging is permitted only for internal use,
this does not mean that organisations will escape liability. For
example, an organisation will be liable for the defamatory
statements of its employees published in the course of their
employment, irrespective of whether the statement is ever published
externally. Harassment and the circulation of offensive pornography
can be undertaken by instant messaging, both of which can lead to a
damages claim for constructive dismissal.
So what practical steps can be taken to minimise the risks?
1. Have a clear policy in relation to instant messaging, even if
you think no one in your organisation is using it. If you forbid
it, make that clear in your AUP and take technical measures to
prevent employees from installing it.
2. Other areas of the business will need to be involved in
policy making and educated as to the risks arising from instant
messaging.
3. Your AUP should make it clear that instant messaging is
covered by the same rules as email.
4. You should apply the same monitoring and security measures as
you apply to email. For example, instant messages should bear the
same disclaimers and statements as emails and be subject to the
same content-management measures.
5. Make users aware of changes to your AUP. The best position,
in terms of enforceability, is to have confirmation from each user
that they have read and understood the amendment. At least you
should be able to show that the employee was given notice of the
change and asked to read it.
|