Application security

Unmanaged instant messaging creates headaches for companies attempting to comply with New Federal Rules of Civil Procedure

In April 2006, after a five-year review, the Supreme Court approved changes to the Federal Rules of Civil Procedure (FRCP) that went into effect on Dec. 1, 2006.

One of the more significant changes to the FRCP is the requirement that corporations and other parties involved in federal litigation must make available certain electronic messages and records as part of the discovery process. While many companies will not have a problem producing email archives for discovery, very few will likely have the ability to produce conversations that took place over instant messaging (IM) networks. With IM having attained the same level of adoption as email and telephone in the workplace, the lack of control, management and archival of these communications will present problems and liabilities to corporations who do not take action now.

The changes to the FRCP are intended to ensure that electronic records, which are becoming increasingly important as business records, agreements and memoranda, are readily available for discovery to be used as evidence during trials. Use of email and IM in the workplace has become the de facto standard for intra and inter-company communications, and creates enormous amounts of digital storage of conversations and more formal communications. People's personal and corporate email and IM accounts are all subject to discovery, as those records may help prove intent, reveal facts or support arguments during civil proceedings.

The new rules require parties involved in federal litigation to address electronic discovery during initial pre-trial meetings. Topics must include how records are stored, how they may be retrieved and privilege issues.

The new rules, however, create yet another burden for companies. The changes to the FRCP are the culmination of a period of debate and review that started in March 2000, when then Vice President Al Gore's fundraising activities were being probed by the Department of Justice. After White House Counsel Beth Norton reported that it would take up to six months to search through 625 storage tapes, efforts began in order to mandate timelier discovery of electronic records.

As of December 1, 2006, companies:

  • Must address early in the litigation process their system for storing electronic information, identifying privileged information, securing and preserving their electronic records and the forms in which they are stored;
  • Need to know what electronic information is being stored and where;
  • Must be prepared to deal with the broader definition of electronically stored information and a more specific definition of the form in which it must be produced;
  • May not rely on the undue burden argument to avoid discovery and the turning over of electronic information; and
  • Should be prepared to incur significant costs if their systems are not organized to provide the information requested in discovery.

Most companies have archived emails for years as part of their knowledge management and Sarbanes-Oxley compliance efforts. However, they have not been so diligent with their employees' use of IM.

IM continues to gain favor as a legitimate and valuable business communications medium. Its use in the workplace creates new risks and liabilities for companies, including the need to have an archival and retention plan for business IM conversations. The ability to archive IM conversations is easier said than done, however. Few corporations have implemented corporate IM systems, choosing instead to grudgingly allow the use of the free public IM networks available from AOL, Microsoft MSN and Yahoo. As a result, firms have employees making deals, agreeing to terms, soliciting bids and closing business over these insecure, unmanaged networks. Products that archive instant messaging have been available for nearly five years, yet only 15- to 20-percent of companies have deployed them, leaving thousands of companies without the ability to comply with message retention rules and regulations. There is clearly a large and growing risk that firms may find themselves in court, but not be able to produce archives of relevant, discoverable IM conversations in a timely manner – if at all.

To ensure compliance with the new rules, companies must establish clear and consistent policies for the use of both email and IM in the workplace. As most firms have an existing acceptable use policy (AUP) in place for email and internet use, these are a great starting point for putting an IM policy in place.

After setting and communicating policies for IM, companies need to put technology in place to identify IM traffic and archive it as business records. Although this may sound like a simple firewall or network device effort for a savvy IT department, those who have tried have discovered that all of the public IM networks change their protocols and firewall ports on a regular, yet random, basis, explicitly to outmaneuver the IT departments that seek to block them altogether.

The ability to intercept IM traffic, inspect for destination and source, review for content, and archive for compliance is something best left to technology vendors with a focus on IM. Another consideration is that the license agreements governing the use of AOL, MSN and Yahoo explicitly prohibit the redirecting of their traffic. Only a certified provider of IM management can legally reroute IM network traffic for inspection, archival and security.

Analysts advise corporations to deploy purpose-specific, certified products for archiving and managing instant message traffic. The public IM networks in turn have done their part, creating certification programs for vendors of IM management products. Potential buyers should make sure that the vendors they evaluate are certified by AOL, MSN and Yahoo.

With changes in the FRCP now added to the many regulations governing electronic communications in the workplace, companies are advised to act quickly to gain control of both email and IM.

- Don Montgomery, vice president of marketing, Akonix Systems

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.