The Pandora's box of SMS monitoring

New regulations and technology aimed at monitoring employee text messages and IMs might just describe a road to hell paved with good intentions

As of last December, the Financial Industry Regulatory Authority ruled that securities firms are to treat all electronic communication as they do e-mail when it comes to compliance. That's right: According to FINRA, the largest nongovernmental regulator for securities firms doing business in the United States, text messages and IMs are subject to the same scrutiny as e-mail for a wide array of compliance regulations (see End Note 1, page 15 of FINRA rules).

I spoke with Onset Technology about the company's Advanced Compliance Tool (ACT), server- and client-side software that promises to help organizations comply with FINRA's latest ruling.

For the record, ACT's client side currently works with BlackBerry units, including Verizon's BlackBerry Curve. Versions for Windows Mobile devices will follow.

What ACT does is allow administrators to build a rules engine that recognizes keywords, as well as number strings and patterns, to prevent employees from sending prohibited information over a wireless device. Those rules might be government regulations, quasi-government regs like FINRA's, or they might be company policy. The technology works the same.

Zack Silbinger, vice president of development and marketing at Onset, says the company is the first to market with this kind of technology, but I am sure many will follow.

The upside of communications monitoring On the plus side, technology such as ACT can be used to good ends. For example, Onset's technology can monitor any attempt by a broker to send a message to an analyst. This practice is not condoned, and it is illegal. ACT can help ensure that the "ethical wall" between those two entities in financial services is not breached.

Or consider the nurse who alerted friends that George Clooney was admitted to her hospital. She probably sent the text message as a harmless piece of gossip. Harmless or not, with ACT, the HIPAA compliance administrator could have prevented this faux pas by adding "George Clooney" to ACT's keyword-monitoring system and blasting it out to employees' handheld devices.

By the way, in that seemingly harmless incident, 27 hospital employees, including doctors and nurses, were eventually suspended.

How ACT monitoring works Here's how ACT works. First, the compliance administrator adds rules to the server. Using the employee list from, say, Exchange, the admin can then relate rules to specific groups and create whitelists and blacklists to determine which employees can communicate with whom.