Firms should tightly control the way their staff use internet-based instant messaging (IM) systems, to ensure they comply with UK rules on privacy and corporate governance, and to guard themselves against IM's inherent security risks, according to legal experts.

Even at companies where IM is not yet widely used, IT managers should consider how and when usage might be permitted. Research firm the Radicati Group estimates that 582 billion instant messages were transmitted in 2003, and says a tenth of those came from business users. Analyst firm Gartner predicts that by 2006 IM will overtake email as the preferred means of communication for businesses.

Although the security of IM systems presents problems - IM is particularly susceptible to virus attacks - it is their lack of auditing and logging tools that most concerns IT lawyers. James Mullock, partner at Osborne Clarke, said, "IM is a useful business tool, but there are scenarios where it gets in the way of really good data retention practices. Businesses need to have an IT policy that provides guidance on when it is appropriate to use IM and when it is not."

Mullock said whenever an employee makes any sort of business arrangement using IM it should be recorded and tracked to reduce the possibility of problems in future. "There are laws that dictate how long you have to keep certain kinds of information," he explained. "Where people are using IM to correspond this is incredibly difficult unless it is tracked and recorded." Mullock added that records could be used as evidence in cases of dispute. "Say you have an instance of libel through IM. If [a legal] action results through that and you need to track it back, you are going to find that a lot harder than you would with email."

Garry Mackay a partner at law firm Bevan Ashford Solicitors, agreed with Mullock. "We have very strict privacy laws in this country and very clear rules on what you can and cannot do," he said. "However, when it comes to IM we do not have clear guidance on all of the issues involved. If you are going to use IM you have to take into account both corporate governance and data protection rules. You simply cannot treat it flippantly."

Stephen Mason, barrister at St Paul's Chambers and member of the Society for Computers and the Law, said, "Although there may not be any specific rules relating to the retention of IM correspondence under current FSA [Financial Services Authority] regulations, it is probable that it would be one of the types of documents that should be retained." He advised firms to consider the guidance in the FSA handbook, and suggested its definition of a "document" would include IM.

Mason added that to reduce the risks IM should be restricted and it should be treated in the same way as email and retained in accordance with firms' document retention policies.

IM conversations can be captured and stored using tools from data archiving specialists such as KVS and IMlogic.