Virtual worlds pose compliance risks

The very aspects of virtual worlds that make them appealing to some enterprise users, such as the collaboration tools, also make them risky from a compliance perspective.

These risks include communication risks (the wrong information reaching the wrong people), inappropriate workplace behavior, and a lack of archiving tools.

COMMUNICATION RISKS

Many industries have legal or regulatory limits about communications. In brokerage firms, for example, certain traders are not supposed to talk to certain analysts. Lawyers and doctors face constraints about what kind of advertising they are allowed to engage in in some jurisdictions.

In the past, courts and regulators have been consistent in viewing electronic communications as subject to oversight, and have fined companies millions for mishandling emails or instant messages. Recently, the Financial Industry Regulatory Authority released guidelines on the use of social networking technologies.

FINRA Regulatory Notice

It is likely that communications in virtual worlds would be subject to the same regulatory requirements – if they aren’t already. The use of virtual worlds for business is relatively new, so these guidelines haven’t yet been tested in this context.

But it’s very reasonable to assume that the trend will continue. Namely, static communications from a company to the general public will be considered advertisement. Interactive communication between visitors to a location is not considered to be a company communication – but companies are advised to follow best practices in this regard. These include establishing usage guidelines for customers and third parties, establishing screening policies, and publicly disclosing the company’s responsibility for third-party content.

So, for example, if a bank sponsors an island in Second Life and allows visitors to create content in the form of messages on an interactive bulletin board, or the creation of objects, the bank should monitor this, and explain that any opinions expressed are not those of the bank. Similarly, if a bank allows its customers to help one another on its virtual land – or to conduct protests against the bank – this could be a potential liability issue.

Irwin Lazar, Nemertes

“We’ve talked to some companies who are trying to figure out how they can set up their own private virtual worlds for their own use — they can maintain control over it, and archive it,” said Irwin Lazar, vice president of communications and collaboration research at The Nemertes Research Group Inc. “The federal rules loosely say that any electronic communication needs to be preserved for compliance purposes. Most people think about email today, but I expect that as virtual world technologies evolve, there will be requirements to preserve or produce transcripts of virtual events and conversations.”

Most of the compliance rules are basic common sense. Visitors should be able to tell whether a person helping them actually works for the company or is a volunteer, for example.

The risk of communication across internal corporate firewalls, however, is a bit more difficult to address. Outside of virtual worlds, vendors like Facetime track instant messaging and social networks, monitor employee usage, and ensure that messages aren’t sent between departments that aren’t supposed to be communicating. Emails can go through compliance channels as well, and large corporations set guidelines about appropriate use and either bounce inappropriate messages or flag them for special review.

Most virtual environments, including Second Life and OpenSim, don’t offer this kind of control, and the major compliance vendors haven’t yet moved into this space.

Part of the reason is that enterprise use of virtual worlds is currently limited to point solutions. A department may use a virtual environment to conduct a training session, for example. Another department may use a virtual world to on-board international employees. A third may use a virtual environment for the collaborative design of a new office layout – or an entire new office building.

The avatars are created specifically for each separate project, and the different virtual environments aren’t normally interconnected.

In addition, employees don’t normally stay in a virtual environment after the project is over.

But as virtual worlds improve and begin to offer more functionality (as with Second Life’s support of collaborative media in its new viewer release), virtual worlds will become an “always on” environment – similar to the way that employees would always be connected to their email and instant messaging – or Facebook.

Once a virtual world achieves ubiquitous status, it becomes possible for employees of one department to meet up with employees of another for corporate-sponsored networking events, to share information – and, of course, to trade insider information.

In practice, it is impossible to keep two people from communicating. If they can’t email or instant message, they can always use their personal cell phones, or pass notes, or meet up in the building lobby or at the supermarket.

The difference is that while it’s impossible for a company to know what its employees are doing with their private cell phones or at the store, it is possible for a company to know which employee is present in which virtual location it controls and who else is there. Companies can also track the locations of company-owned avatars. Since this information is available, it becomes necessary for the company to archive it, and to monitor it for potential compliance violations.

This is particularly true for enterprise worlds like OpenSim or Second Life Enterprise, which are run behind a company firewall and under full corporate control.

However, if companies expect employees to use personal avatars for corporate functions, then this kind of monitoring becomes extremely difficult. In the public version of Second Life, for example, which many companies do use for meetings, marketing, or training, the avatar belongs to the individual. This is similar to having employees use personal email accounts for company business. There are two potential liability issues here. One is that the company can’t tell where the employee is or what they are doing – but they may still be wearing a company name tag while, say, giving advice in another location. Or the employee may be engaging in game activities that may cast a bad light on the company — the virtual world equivalent of wearing your company’s branded uniform to an illegal gambling den, say. While an employee has the right to do whatever they want on their own time, if they’re doing it as a representative of the company, it can cause problems.

In addition, once an employee leaves a company, does the avatar — and all its assets — leave with the employee? Say, for example, the employee receives sensitive materials in the virtual world, and stores them in their inventory. Once they walk out, the information walks out with them. This is why corporations prefer to issue corporate email accounts for employees to use, and then shut down the accounts when an employee leaves. Sensitive information isn’t just limited to financial documents. Even something as minor as the friends list can be used for malicious purposes after an employee leaves. For example, it can be used to get access to other staff members who don’t know that the employee has left the company. Or it can be used to recruit former colleagues over to the new employer.

The former employee might also be walking off with licensed property. For example, a company may buy furniture suites with the rights to use them throughout a company’s virtual location. An employee could leave and take his furniture with him — there are no limits to how much stuff an avatar could carry. Then if he uses the furniture again in a non-licensed location the company would be liable for violating its license and may face fines.

Large corporations often flag suspicious email activity, especially if it occurs shortly before termination. If an about-to-quit employee suddenly starts emailing massive files to a private email account, there might be reason to think he’s stealing company property. The same goes if he shows up at work with an empty briefcase and leaves at night lugging suitcases full of staplers and reams of paper. Similarly, if an avatar suddenly starts making visits to a residential world or a competitor’s grid, and transferring assets to it, that could be a sign that something is going on. With teleports between private worlds already possible in OpenSim, companies building their own grids should consider laying the groundwork for the monitoring infrastructure that will catch this behavior.
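The monitoring described above (which company-owned avatar is in which location the company controls, who else is there, and which avatars move assets off the corporate grid) can be approached as a batch check over the grid’s own audit log. The following Python is an added example and is not code from this article or from OpenSim, Second Life Enterprise or any compliance vendor; the log format, event names, field names, department directory, barrier list and thresholds are all constructed assumptions. It covers both the traders-and-analysts information-barrier case from earlier in the article (flagging co-presence in a region, not message content) and the asset-transfer scenario just described.

```python
"""Batch compliance checks over a constructed virtual-world audit log.

Added example, not code from the article or from any grid software.
The log format, field names, department directory, barrier list and
thresholds below are all assumptions made for illustration.
"""
from collections import Counter
from datetime import datetime

# Constructed sample log: one event per line, ISO timestamp, event type,
# then key=value fields. Three event types are assumed:
#   PRESENCE  an avatar was observed in a region on a grid
#   TELEPORT  an avatar teleported to another grid
#   TRANSFER  an avatar moved an inventory asset to a grid
SAMPLE_LOG = """\
2010-03-01T09:00:00 PRESENCE avatar=trader.alice region=TradingFloor grid=corp.example
2010-03-01T09:02:30 PRESENCE avatar=analyst.bob region=TradingFloor grid=corp.example
2010-03-01T09:05:00 PRESENCE avatar=hr.carol region=Lobby grid=corp.example
2010-03-01T09:30:00 PRESENCE avatar=analyst.bob region=Lobby grid=corp.example
2010-03-01T10:15:00 TRANSFER avatar=hr.carol asset=furniture-suite dest_grid=corp.example
2010-03-01T17:45:00 TELEPORT avatar=hr.carol dest_grid=competitor.example
2010-03-01T17:46:10 TRANSFER avatar=hr.carol asset=furniture-suite dest_grid=competitor.example
2010-03-01T17:50:00 TRANSFER avatar=hr.carol asset=client-list-notecard dest_grid=residential.example
"""

HOME_GRID = "corp.example"  # the company-controlled grid (assumed name)

# Assumed directory of company-owned avatars and their departments.
DEPARTMENTS = {
    "trader.alice": "trading",
    "analyst.bob": "research",
    "hr.carol": "hr",
}

# Information barriers: department pairs that must not communicate.
BARRIERS = {frozenset({"trading", "research"})}


def parse_line(line):
    """Parse one log line into a dict with a datetime, a kind and its fields."""
    ts, kind, *fields = line.split()
    event = {"time": datetime.fromisoformat(ts), "kind": kind}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_barrier_violations(events, departments, barriers, window_seconds=300):
    """Flag two avatars from barred departments seen in the same region
    within window_seconds of each other (co-presence, not content)."""
    presences = sorted((e for e in events if e["kind"] == "PRESENCE"),
                       key=lambda e: e["time"])
    hits = []
    for i, a in enumerate(presences):
        for b in presences[i + 1:]:
            if (b["time"] - a["time"]).total_seconds() > window_seconds:
                break  # list is time-sorted, so later entries are further away still
            if a["region"] != b["region"] or a["avatar"] == b["avatar"]:
                continue
            pair = frozenset({departments.get(a["avatar"]),
                              departments.get(b["avatar"])})
            if pair in barriers:
                hits.append((b["time"], a["region"], a["avatar"], b["avatar"]))
    return hits


def find_external_movements(events, home_grid):
    """Flag teleports and asset transfers whose destination is not the
    company's own grid."""
    return [
        (e["time"], e["kind"], e["avatar"], e.get("asset"), e["dest_grid"])
        for e in events
        if e["kind"] in ("TELEPORT", "TRANSFER") and e["dest_grid"] != home_grid
    ]


def audit(text, home_grid=HOME_GRID, departments=DEPARTMENTS,
          barriers=BARRIERS, transfer_threshold=2):
    """Run both checks; avatars with at least transfer_threshold external
    asset transfers are listed as exfiltration suspects for review."""
    events = parse_log(text)
    external = find_external_movements(events, home_grid)
    transfers = Counter(m[2] for m in external if m[1] == "TRANSFER")
    return {
        "barrier_violations": find_barrier_violations(events, departments, barriers),
        "external_movements": external,
        "suspect_avatars": sorted(a for a, n in transfers.items() if n >= transfer_threshold),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(key)
        for item in value:
            print("  ", item)
```

On the sample log the barrier check reports the trader and the analyst seen on the same trading floor two and a half minutes apart, and the exfiltration check reports one external teleport and two external transfers, both by the same avatar, which is therefore listed for review. The co-presence check deliberately stops at "these two were in the same place at the same time"; whether anything improper was said is a question for the archived chat transcripts the article goes on to discuss.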

BEHAVIORAL RISKS

There are other kinds of bad behavior as well: the really bad stuff, the kind that ends with jail time or harassment lawsuits. Inappropriate behavior, in any medium, is a legal liability for a company. Sexual harassment, for example, can take place via email or social networks, or in person at the office.

Employers have obligations to create and enforce guidelines for appropriate behavior, and to take immediate measures when a complaint is made. This applies to virtual worlds as well.

Michael Osterman

Companies doing business in virtual environments should be concerned about this, said Michael Osterman, founder of messaging and collaboration technology research firm Osterman Research.

“But I don’t think they are, at this point,” he told Hypergrid Business. “People are not proactive. Even on the most basic level, like archiving – it’s a real issue, one that companies need to address.”

In the past, hostile environment lawsuits have been filed on the basis of emailed sexist jokes, for example, he said.

Employers may even be liable for communications that take place over third-party platforms.

“If the communication originated at work, and the employer did not take appropriate steps to enforce policies, then you could make the case that the employer was at least partially responsible for this,” he said.

Virtual environments present many of the same pitfalls as public social networks do, he said.

“You have to have technologies in place to at least monitor things after the fact,” he said. “If an employer doesn’t, I could see how they can be on the hook, especially if you can demonstrate that the employee was working on company time.”

One possible scenario – which has already played out in public worlds like Second Life in non-business settings – is that users unfamiliar with the controls of a virtual environment find themselves trapped and assaulted by other participants in the environment.

After the fact, it’s easy to say that they could have simply turned off their computers, but users can identify strongly with their virtual avatars, and a virtual assault can carry a significant emotional wallop. In addition, even if the user did turn off the computer, the harassment was felt – even as a nasty email leaves a mark even after it’s been erased.

Virtual rape is, of course, nowhere near as serious or as damaging as actual physical rape. But it is substantially more disturbing than, say, an email describing a similar scenario. In addition, the email itself would be tangible proof that the harassment occurred, that the victim could take to supervisors. In the case of a physical attack, there would be physical traces, surveillance camera videos, or other evidence.

Companies setting up virtual worlds often don’t realize that these virtual platforms could be potential crime scenes. But as they start building their virtual environments, it would be a good habit to build with an eye towards monitoring and surveillance. Passive video archives could play the role of surveillance cameras, while archived chat transcripts and audio recordings could preserve the conversations themselves.

Companies that don’t do this may find themselves with virtual platforms that cannot easily be adapted for monitoring.

And just because a company isn’t monitoring, doesn’t mean that nobody else is.

For example, a disgruntled employee could use their own records of conversations or events, or stills from inside a virtual world, to support a lawsuit against their employer – or former employer. Without a full record of an event, it’s harder to argue that the employee took a particular event or statement out of context.

Did the boss really tell the employee, “I’m going to kill you!” or did he say, “If you’re my competitor, and try to screw us with our customers, I will kill you! And your inferior product! We will beat our sales quotas this year no matter what!” The first remark is grounds for immediate dismissal – and possibly criminal action. The second remark is perhaps a little strong, but not a criminal case.

“In California, when a harassment complaint is filed, the companies have to maintain 10 years of communications between the individuals,” Nemertes’ Lazar told Hypergrid Business.

ARCHIVES RULE

In court, the lack of evidence is usually a good thing for the defendant. As a result, some companies may feel that if they don’t keep any records, then those records can’t come back to bite them.

That’s no longer always the case. There have been cases in which the very lack of records was considered by a court to be evidence of guilt.

In 2005, Morgan Stanley was hit with a $1.58 billion judgment – yes, that’s billion, not million – because it was not able to produce emails with possible evidence of fraud, in what the court perceived as stonewalling. This particular decision was later reversed because the other side wasn’t able to show any damage as a result of the alleged fraud – not because the first court was overzealous in wanting to see the emails. In fact, Morgan Stanley agreed to pay a $15 million SEC fine in 2007, because it still wasn’t archiving its emails properly.

In many industries, companies are legally mandated to keep electronic records for a certain minimum number of years.

In addition, records may still be kept by individual participants. Virtual world visitors, for example, can record anything happening on their desktops, or simply cut-and-paste chat transcripts and save them or email them to third parties.

The fact that it is possible to keep records has usually led regulators to rule that records should be kept, usually for a certain minimum number of years. In particular, records having to do with finance, legal issues, or customer relationships normally need to be properly retained.

It’s not something that companies are thinking about yet, said Lazar. When it comes to anything newer than email, there’s a “pushback” from compliance officers, a tendency to just not allow the technology into the company.

“I just see compliance officers being so resistant to change,” he said. “This will be a big struggle for organizations trying to be aggressive in their use of these tools.”

Maria Korolov