Instant messaging (IM) started out as a time waster for teenagers. Now it's a serious business tool -- with serious legal and security risks as well.

For starters, IM may seem as fleeting as a face-to-face chat at the watercooler. But someone else may be eavesdropping. While the text often seems to vanish as soon as it's sent, someone on either end -- or in between -- may capture and store it.

And, finally, still-developing IM technology may leave your computer networks open to new viruses and hacker attacks. Earlier this year, Microsoft warned users that its IM service, MSN Messenger, could leave users' computers vulnerable to intruders -- a rude shock for companies that might not have even realized that employees were using the free product. (Microsoft immediately issued a downloadable patch to fix the flaw. The other top free IM services, AOL Instant Messenger and Yahoo Messenger, have closed potential security loopholes as well.)

For all of those reasons, it's a good idea to create acceptable-use policies that cover electronic communications, says Michael K. Reagan, senior vice president of Vericept Corp., in Englewood, Colo., which creates content-monitoring software.

Policies might spell out that it's fine to use IM to quickly touch base with spouses or kids, but that it's not OK to engage in lengthy personal discussions or hang out in chat rooms.

And those rules should ban messages that could publicly embarrass your company or open it up to a lawsuit, including those that:

  • Discuss confidential personnel or specific financial matters
  • Conduct negotiations
  • Ridicule or spread rumors about colleagues or competitors
  • Include sexually explicit comments or material
  • Make or forward racist, sexist, or tasteless jokes
  • Threaten anyone, even vaguely or in jest
  • Contain political material of any kind

Make sure employees know that attorneys increasingly request logs or copies of all corporate communications, even casual E-mails or archived IM correspondence, that might relate to lawsuits.

Reagan recommends revisiting the acceptable-use policy a few times annually in light of the latest technology developments. Unless you've updated your policy in the past six months, it probably doesn't yet address IM.

Finally, ask your tech team whether your network is adequately protected for IM use. If not, consider investing in stronger security, log-monitoring software, or commercial-grade IM products that encrypt messages.


Vericept's acceptable-use-policy templates and samples.

Microsoft's MSN Messenger security bulletin.