Preparing for IM Compliance
by Melisa LaBancz-Bleasdale
In many organizations, instant messaging (IM) serves the urgency and efficiency of the business process, whether in a meeting, at a customer site, or working on a deadline. Along with its benefits, IM also introduces serious IT and security challenges. Internally regulating IM use has become an increasingly difficult and time-consuming task. In its report, IM: The Sleeping Giant, Gartner predicted that by 2005 IM would surpass email as the primary online communications tool. Although email still reigns supreme, over 150 million people use IM worldwide.
"IM is more than just the big three clients of AOL, MSN and Yahoo!. There are more than 40 IM applications available today, a large number of which tunnel over open ports (such as HTTP) to gain access even when traditional IM is blocked. Many organizations don't have the complete visibility necessary to understand the extent of how much IM is being used internally," says Frank Cabri, VP of marketing for Foster City-based FaceTime Communications.
"Similarly, many organizations that think they are blocking its use may be surprised to understand how much IM traffic actually exists on their network, despite the fact that their firewalls and other devices are specifically configured to block it."
Instant Messaging: To Comply or Not to Comply
San Diego-based Akonix Systems says that IM for business communications (whether authorized or not) is widely considered a form of electronic communication, making it subject to all rules and standards applicable to email. Both public IM (such as AOL, MSN, ICQ and Yahoo!) and enterprise IM (such as Microsoft Live Communications Server and IBM Lotus Instant Messaging) are subject to regulations that include SEC 17a-4, NASD 3010, NASD 2711, NYSE Rules 440 and 342, as well as Sarbanes-Oxley (SOX). "Failing to comply with these regulations is no longer an inconsequential slap on the wrist," warns Peter Shaw, Akonix CEO, "it can result in significant financial and legal liabilities."
Adding to the complexity of IM compliance, regulations such as the Health Insurance Portability and Accountability Act (HIPAA), California SB 1386 and the Gramm-Leach-Bliley (GLB) Act require that companies protect sensitive information when using IM. While many organizations are hesitant to adopt internal controls, certain verticals are the first in line to implement solutions.
"Financial and healthcare organizations were the first to implement the controls and features for IM compliance that meet their specific industry regulations," notes Cabri. "Nine of the top ten US banks have chosen FaceTime for both IM security and compliance, and many healthcare organizations have adopted some controls, but not necessarily to the extent of financial organizations. Some in healthcare are taking a 'wait and see' approach relative to HIPAA regulations (given that the number of prosecutions has been relatively low), yet others are rolling out projects to encrypt email so that patient information is not sent in clear text format. Beyond email encryption, these organizations are looking to disk drive encryption as well as IM security and compliance as important safeguards for their customers and staff."
The American Management Association (AMA) and The ePolicy Institute reported in their July publication, The 2006 Workplace E-mail, Instant Messaging & Blog Survey, that despite widespread use of IM in the workplace, only 13 percent of respondent organizations actually retain IM business records. "For all intents and purposes, there's no legal distinction between email and IM. Yet many organizations that archive email continue to neglect IM," says Bill Lyons, CEO of Rutherford, New Jersey-based AXS-One. "They do so at their own peril." The threat of legal sanctions is a powerful motivator when it comes to compliance. Current case law points to many instances in which IM logs were subpoenaed during litigation and companies that failed to produce them incurred severe legal fines.
IM Readiness
According to Thomas Bookwalter, president of compliance consulting firm FMDC and an advisor to AXS-One, "As employee use of IM increases, companies need to consider the potential risk to the enterprise. There are many issues to navigate, including access control, IM usage, and strategies around archiving and integration with records from other sources. The best approach is not to think of IM as a separate requirement, but as a key component of an overall archiving solution." This will help ensure the highest level of readiness (as well as the lowest cost) for a compliance investigation or legal discovery order.
In June 2006, FaceTime Communications partnered with AXS-One to address the specific challenges of IM security, compliance, archiving, and legal discovery. "AXS-One and FaceTime share a common goal: empowering users to take advantage of communication tools, while enabling IT to ensure that all electronic records are able to comply with a broad range of complex regulatory and legal requirements," explains Kailash Ambwani, president and CEO of FaceTime.
The AXS-One Compliance Platform (featuring patent-pending Rapid-AXS technology) provides a highly flexible, scalable and extensible architecture for mailbox management, compliance and legal discovery across various email platforms and record types. Under the terms of their partnership, AXS-One is distributing FaceTime's Enterprise Edition, which includes IMAuditor, RTGuardian and Greynet Enterprise Manager (GEM), providing an end-to-end security and compliance solution for greynets including IM, peer-to-peer (P2P) and Web conferencing applications.
"A key challenge for today's organizations is understanding the many laws and regulations governing electronic messaging and finding products that help meet those requirements," states Don Montgomery, VP of marketing at Akonix.
The latest release of Akonix L7 Enterprise includes ethical boundary support and persistent chat rooms, allowing IT staff to set rules (such as 'user A is not allowed to chat with user B' in a specified IM chat environment). To further assist in meeting regulations, L7 Enterprise v5.3 introduces enhanced inline disclaimer support for Jabber XCP, a popular enterprise IM system. L7 Compliance Manager, another part of Akonix L7 Enterprise, also includes a Smart Tagging feature that enables system administrators to annotate conversations. Finally, the new release provides additional support for archiving and reporting file transfers conducted over most IM networks.
New Rules
In a May 2006 blog entry, Ferris Research discussed the upcoming Federal Rules of Civil Procedure (FRCP) set to take effect December 1, 2006. The entry explains that, under these new rules, parties may argue what electronically stored information is relevant and how it is produced. However, electronically stored information can no longer be excluded from litigation. In the short term, companies will continue to respond to electronic discovery requests on a case-by-case basis. Longer term, a more economical approach to electronic discovery of all electronically stored information is needed, and Ferris points to vendor products as a way to fill this demand.
"Even in the absence of regulatory pressure," concludes Shaw, "most companies understand the enormous cost and effort necessary to produce electronic records, including IM conversations, in the event of an audit or legal action, and are voluntarily adding IM archiving to their electronic messaging infrastructures."