UK companies are fretting that employees using IM applications could be breaking compliance laws.
Lawyers said this week that more companies are consulting them over the use of IM because they are unsure of its legal implications.
"People are coming to us worried about it," said Mark Smith, a solicitor for Olswang. "There are two problems -- unauthorised use of IM, and from a legal perspective all the [compliance] issues that apply to email apply to IM too."
Many companies use IM in the belief that it is exempt from compliance laws, such as Sarbanes-Oxley and Basel II. These regulations demand that companies store all their data for at least seven years. If companies fail to comply with the regulations, chief executive officers and chief financial officers could be liable to go to jail.
"A lot of employees use it [IM] as a way of communicating without using the content filters," said Smith. "Because IM is more informal than email, people say things on it they sometimes shouldn't. Where corporations use it, if they don't have the correct system implemented, there are loads of issues with monitoring and retention of data."
Smith added that security testers have discovered hundreds of unauthorised IM clients running on some corporate networks.
IM runs over port 80, the default channel for Web traffic. This port is often regarded as trusted and left open so that users can surf.
"People use IM as a way of getting stuff in and out of the business, bypassing the security infrastructure," said Jason Hart, security director for Whitehat UK. "It's easy to run it without anyone knowing about it and people often use it as a way of getting around compliance laws."
Hart said that 40 percent of firms have banned the use of IM. "But that doesn't guarantee that people won't use it. It causes time-wasting viruses, possible use of spyware and cannot be detected by most firewalls."
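One check a network team can run against the point made above (IM tunnelling through the trusted port 80 and going unnoticed by the firewall), as an added example that is not part of the article: look at the first bytes of each port-80 flow and flag any that do not start with an HTTP request line. The flow records, addresses and payloads below are constructed for illustration; the check is a heuristic and will not catch a client that wraps its traffic in well-formed HTTP.

```python
# Added example (not from the article): flag port-80 flows whose first bytes are not HTTP.
# All flow records below are constructed sample data, not captured traffic.
import re

# Pattern for an HTTP request line: METHOD SP target SP HTTP/major.minor
REQUEST_LINE = re.compile(
    r"(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT|TRACE|PATCH) \S+ HTTP/\d\.\d"
)

# Constructed sample flows: (client, server, dst_port, first bytes sent by the client)
SAMPLE_FLOWS = [
    ("10.0.0.12", "203.0.113.10", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("10.0.0.15", "203.0.113.20", 80, b"POST /api/login HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("10.0.0.17", "203.0.113.30", 80, b"HELLO im-user-42\r\n"),        # constructed text protocol
    ("10.0.0.18", "203.0.113.40", 80, b"\x81\x02\x00\x10\xff\xfe"),    # constructed binary protocol
    ("10.0.0.19", "203.0.113.50", 443, b"\x16\x03\x01\x00\xa5"),       # TLS on 443, out of scope
]


def looks_like_http(payload: bytes) -> bool:
    """Return True if the first line of the client payload is an HTTP request line."""
    first_line = payload.split(b"\r\n", 1)[0]
    try:
        text = first_line.decode("ascii")
    except UnicodeDecodeError:
        # Binary data is never a valid HTTP request line.
        return False
    return REQUEST_LINE.fullmatch(text) is not None


def find_non_http_on_web_port(flows, web_port=80):
    """Return (client, server) pairs that use the web port with a non-HTTP payload."""
    suspicious = []
    for client, server, port, payload in flows:
        if port == web_port and not looks_like_http(payload):
            suspicious.append((client, server))
    return suspicious


if __name__ == "__main__":
    # Expected: the two constructed non-HTTP flows on port 80, nothing else.
    for client, server in find_non_http_on_web_port(SAMPLE_FLOWS):
        print(f"non-HTTP traffic on port 80: {client} -> {server}")
```

A flagged pair is a lead for the helpdesk or IT security team to follow up with the user, not proof of an IM client by itself.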