Instant messaging should be treated like email, with similar constraints.
The use of instant messaging in business has grown rapidly, and many businesses are now installing enterprise versions of instant messaging tools for use by employees, or opening up gateways to their networks to enable their employees to communicate more easily with business associates on public networks. However, many companies are not taking into account the legal implications of instant messaging use and are taking unnecessary risks with outdated policies and unmonitored usage.
And some companies may think that instant messaging is not being used within their organisation when, in fact, it is, but under the radar of the organisation's existing security measures. Instant messaging tools are sophisticated and may enter networks, notwithstanding the fact that firewalls are in place, or obvious ports locked down. It does not matter if instant messaging accounts that are used for work purposes were not provided by the employer; it is still likely that these activities will be found to be in the course of employment, and therefore the employer may be vicariously liable for any legal liabilities incurred by the employees' actions.
Other organisations have amended their acceptable use policies (AUP) to state that instant messaging is forbidden. However, an employer can still be liable for the acts of its employees committed in the course of their employment, even if the act was forbidden, and all the legal liabilities that can arise from email misuse can arise in relation to instant messaging.
Many organisations consider that instant messaging is transient, and therefore even if its use could incur legal liabilities, it is not worth monitoring - there will, after all, be no evidence. That too, is simply not the case. Instant messaging tools have history folders that record exchanges. Even if the history file is deleted or switched off within the organisation that originates it, the recipient may well have a copy. These history files are admissible as evidence in court, and a court can order them to be disclosed in relation to court proceedings. Instant messaging documents created as part of an organisation's business must also be disclosed pursuant to request made by an individual under the Data Protection Act to see personal data held about them, and will be disclosable under the Freedom of Information Act when held by a public body, whether sent or received by that public body.
Even if instant messaging is permitted only for internal use, this does not mean that organisations will escape liability. For example, an organisation will be liable for the defamatory statements of its employees published in the course of their employment, irrespective of whether the statement is ever published externally. Harassment and the circulation of offensive pornography can be undertaken by instant messaging, both of which can lead to a damages claim for constructive dismissal.
So what practical steps can be taken to minimise the risks?
1. Have a clear policy in relation to instant messaging, even if you think no one in your organisation is using it. If you forbid it, make that clear in your AUP and take technical measures to prevent employees from installing it.
2. Other areas of the business will need to be involved in policy making and educated as to the risks arising from instant messaging.
3. Your AUP should make it clear that instant messaging is covered by the same rules as email.
4. You should apply the same monitoring and security measures as you apply to email. For example, instant messages should bear the same disclaimers and statements as emails and be subject to the same content-management measures.
5. Make users aware of changes to your AUP. The best position, in terms of enforceability, is to have confirmation from each user that they have read and understood the amendment. At least you should be able to show that the employee was given notice of the change and asked to read it.
- Tamzin Matthew is a partner in law firm Blake Lapthorn Tarlo Lyons, and specialises in IT law. She can be contacted at Tamzin.Matthew@bllaw.co.uk or on 01865 254262.