Is IM on your watch list for compliance? Maybe it should be. In the face of recent scandals, state and federal lawmakers have been drafting a plethora of policies to enforce stricter record keeping practices among publicly held companies and greater accountability from corporate officers. But many analysts predict this flurry of regulatory activity will soon trickle down to the private sector as well.
In a May 2003 research report, Milford, MA-based Enterprise Storage Group identified over 10,000 state and federal regulations governing information creation, storage, access, maintenance, and retention. One of the more hard-hitting is the Sarbanes-Oxley Act (SOX). Passed by Congress in early 2002 and scheduled to go into effect starting with fiscal year ending on or after June 15, 2004, SOX zeros in on how companies manage internal controls to comply with financial reporting disclosure. And while the legislation doesn’t specifically cite instant messages as documents needing to be retained in case of an audit, organizations like the NASD, which monitors trading on the NASDAQ, are taking a proactive stance and requiring their members to treat instant messages just like their e-mail.
Getting IM under the compliance umbrella
If, like NASD, you want to stay ahead of the curve, there’s a logical progression to bringing IM under your corporate compliance initiatives.
Step one: Tactical discovery
Matt Kivlin, Product Manager for Digital Archives Service at Boston-based Iron Mountain, noted, “A lot of companies don’t even know who’s using instant message. Unlike e-mail, which is a sanctioned large investment within a company, employees can go online and download an instant message client off the Web without their IT group even knowing they’re using it.” He cautions that companies really need to do that initial tactical discovery: find out who is even using IM, and determine how big a problem or opportunity it is within their company. He cites numerous instant messaging security products—from companies like FaceTime Communications, IMlogic and Akonix Systems—that can help you not only determine who’s using instant messaging but also control and curtail access.
Step two: IM policy
Your instant message policy is probably going to be very similar to your e-mail policy. It will cover things such as ownership rights to information: If you’re conducting communication using company equipment during company time, your communications are company property. It should include helpful reminders to employees that instant messages are subject to discovery and investigation like all company communication. This may consist of a message inserted into the beginning of every IM conversation alerting users that the conversation is being monitored and archived.
Step three: Monitoring technology
At a bare minimum, the monitoring technology that you deploy should scan Web traffic for instant message conversations and apply overriding policies against them. Those policies could cover anything from simple monitoring for key words and phrases to outright blocking or prohibiting conversations from occurring due to risk management factors. According to Francis Costello, Chief Marketing Officer for San Diego-based Akonix Systems, typically 70 to 80 percent of all IM use in corporations today is actually over one of the free public network clients (like AOL or Yahoo)—unregulated, unofficial communications channels. So any technology you deploy needs to force that public network IM activity through a corporate managed gateway that will subject that traffic to the same logging and retention policies you’ve put in place for internally deployed IM systems (like Lotus SameTime or Microsoft Office Live Communications Server).
Components of an IM monitoring and archiving system
Francis deSouza, CEO and founder of Waltham, MA-based IMlogic, stated that there are several basic components to an IM management solution.
Your policy management/compliance/reporting interface is where you set the policies around who has access to instant messaging. This is where you view the IM logs and archives and then create workflows around what happens if something goes out of compliance. For example, what workflow do you want to trigger if you find an IM containing the phrase “guaranteed return?”
If you’re supporting internal enterprise messaging systems like Lotus SameTime or Microsoft Office Live Communications Server, there’s a third component that you’ll need: the capture agent. This sits on your Lotus or Microsoft server and monitors the IM traffic flowing through there.
The fourth component is the database associated with the archiving of the instant messages. This will also require some searchable index system to facilitate easy message retrieval in case of an investigation.
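The policy engine, capture and archive pieces described above can be sketched as a single small program. The following is an added example written for this article, not IMlogic’s, Akonix’s or any vendor’s code: it parses constructed gateway log lines (the tab-separated format, the policy names, the workflow queue names and the sample messages are all assumptions), applies keyword and regex policies such as the “guaranteed return” trigger, picks the most severe action (log, review or block), and emits the archive record with its metadata and disposition. Every message is archived, including traffic from public networks, because retention applies regardless of whether a policy fired.

```python
"""Minimal IM policy engine: parse gateway log lines, apply phrase/regex
policies, route matches to a workflow, and build the archive record.
Added example, not vendor code. Log format, policy names, workflow queue
names and sample messages are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Policy:
    name: str
    pattern: "re.Pattern"   # compiled, case-insensitive regex
    action: str             # "log", "review" or "block"
    workflow: str           # hypothetical queue the event is routed to

@dataclass
class ImMessage:
    ts: str
    network: str            # e.g. "aim", "yahoo", "sametime", "lcs"
    sender: str
    recipient: str
    text: str

@dataclass
class Finding:
    message: ImMessage
    policy: Optional[str]
    action: str
    workflow: Optional[str]

PUBLIC_NETWORKS = {"aim", "yahoo"}          # unmanaged consumer networks
SEVERITY = {"log": 0, "review": 1, "block": 2}

# Constructed policies: a compliance phrase, a file transfer, and an account number.
POLICIES = [
    Policy("guaranteed-return", re.compile(r"\bguaranteed\s+returns?\b", re.I),
           "review", "compliance-review"),
    Policy("file-transfer", re.compile(r"^\[file-transfer\]", re.I),
           "block", "malware-scan"),
    Policy("account-number", re.compile(r"\bacct(?:ount)?\s*#?\s*\d{6,}\b", re.I),
           "review", "compliance-review"),
]

def parse_log_line(line: str) -> ImMessage:
    """Assumed gateway format: ts<TAB>network<TAB>sender<TAB>recipient<TAB>text."""
    parts = line.split("\t", 4)
    if len(parts) != 5:
        raise ValueError("malformed IM log line: %r" % line)
    return ImMessage(*parts)

def evaluate(msg: ImMessage, policies=POLICIES) -> Finding:
    """Return the single most severe finding; default is plain archiving."""
    best = Finding(msg, None, "log", None)
    for p in policies:
        if p.pattern.search(msg.text) and SEVERITY[p.action] > SEVERITY[best.action]:
            best = Finding(msg, p.name, p.action, p.workflow)
    return best

def archive_record(finding: Finding) -> Dict:
    """Archive entry: message, descriptive metadata and the disposition."""
    m = finding.message
    return {
        "ts": m.ts, "network": m.network,
        "public_network": m.network in PUBLIC_NETWORKS,
        "sender": m.sender, "recipient": m.recipient, "text": m.text,
        "policy": finding.policy, "action": finding.action,
        "workflow": finding.workflow,
        "delivered": finding.action != "block",   # blocked messages are archived, not delivered
    }

def process(lines: List[str], policies=POLICIES) -> List[Dict]:
    return [archive_record(evaluate(parse_log_line(ln), policies)) for ln in lines]

def count_by_action(records: List[Dict]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for r in records:
        counts[r["action"]] = counts.get(r["action"], 0) + 1
    return counts

# Constructed sample traffic (not real captures).
SAMPLE_LOG = [
    "2004-01-07T09:14:02\taim\tjsmith\tclient1\tThis fund has a guaranteed return of 12%",
    "2004-01-07T09:15:40\tyahoo\tjsmith\tclient1\t[file-transfer] q4_numbers.xls",
    "2004-01-07T09:16:05\tsametime\tjsmith\tmlee\tlunch at 12?",
    "2004-01-07T09:17:30\tlcs\tmlee\tjsmith\tplease wire to acct #12345678 today",
]

if __name__ == "__main__":
    for rec in process(SAMPLE_LOG):
        print(rec["ts"], rec["network"], rec["action"], rec["policy"], rec["workflow"])
    print(count_by_action(process(SAMPLE_LOG)))
```

In a real deployment the policy table would come from the policy management interface, the log lines from the gateway or the capture agent on the Lotus or Microsoft server, and the records would go into the indexed archive database; the flow shown here is what ties those components together.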
Calculating how much you’ll need
According to David Greene, Director of Marketing Solutions for compliance technology vendor Zantaz, in an August 15, 2003 interview in CIO Magazine, saving IM as well as e-mail could end up costing companies about $3 million annually for every 10,000 employees. He attributes most of that price tag to the cost of storing electronic communications at a rate of more than three terabytes per year.
Brian Babineau, Research Analyst for Enterprise Storage Group suggests that since IM records are typically between 15 KB and 30 KB, IM could easily account for multiple petabytes of compliant records in the coming years. Babineau attributes this growth to the fact that IM will soon be used to transfer files as well as terse conversations. “The biggest problem IM causes in the storage world from a compliant standpoint is the amount of files,” explained Babineau. “Most systems are built to handle a small quantity of large files. IM presents the challenge of thousands of small files that need to be indexed and then stored. This is compounded by the fact that the metadata, which is really descriptive information about the file, needs to be kept as well. This usually adds 30% more capacity to the file. So you can see the compounding effect of millions of small files.”
Francis deSouza from IMlogic suggests the following rule of thumb when calculating the cost of IM archiving (these estimates are based on experience with IMlogic’s own customer base):
IM management combats spam and viruses, too
While the threat of potential audits may be spurring the drive to archive IM, there are more reasons to implement IM management than retaining messages to satisfy financial regulations. People make business decisions over IM. People give you prices and delivery dates, phone numbers and contact information over IM, just like they do over e-mail. Imagine having e-mail without an inbox. Saving instant messages is like having an inbox for your IM. That’s a real selling point for many employees.
According to deSouza, another upside to managing IM traffic is that it can actually protect employees from getting viruses over instant messaging. “Employees are waking up to the fact that all their virus scanning infrastructure doesn’t actually apply to IM traffic,” said deSouza. “They may be well-protected from the Web and e-mail traffic getting viruses, but those same viruses could actually come in as a file transferred from IM.” With a policy management interface, IM attachments can be scanned for viruses and cleaned or blocked before they corrupt an employee’s computer.
Another plus to IM management is spam control. “Spam over e-mail is annoying,” deSouza pointed out. “But spam over IM actually disrupts your work because it pops up on your screen or flashes in your tray. It’s actually much more of a productivity hit than getting spam over e-mail.” He noted that when companies review their archives, they’re often surprised at the high levels of IM spam they’re experiencing. The solution? Make sure your IM solution vendor partners with your e-mail spam security provider to extend spam filtering into your IM as well.
Compliance isn’t just a technology issue
Matt Kivlin from Iron Mountain cautions that archiving IM is as much a legal and compliance issue as it is a technology issue. “You need to have some good synergies between your legal and compliance group and your technology group,” he warned. “If you tend to treat this as just an IT-focused issue, you may discover down the road that you’re not implementing all the legal controls that you need.”
TechRepublic originally published this article on 7 January 2004.