Soon after I began using Twitter, I thought - this is exactly what my company needs. But, you know, "inside the firewall." That's the way we boomers think, in terms of these ancient concepts like "firewalls." Something like feeling protected against invasion in New York City because there's a natural moat around the city walls. Yes, there are bridges, tunnels, ships, but that's ok. The moat has rules, we'll be safe. Anyway, what if the only people on Twitter were people who worked at my company? What a great way to keep track of ideas, needs, questions - all in a searchable archive. All knowledge is fragmented, so intuitively the ability to survey information fragments promises great value.
Along comes Yammer, a service that provides exactly this. The only way to get an account for your company on Yammer is to provide an email address from your domain. Presto, the only voices on your Yammer, um - I'll call it subnet - are fellow employees. I embraced the idea, encouraged others to do so.
But something nagged at me. In order to "appoint an administrator," the company had to buy the service. "Own" your Yammer capability, else the community is adrift and unregulated. This is completely fair, in my view. Some companies, however, apparently use Yammer without going to the bother of administering the list. After all, you have all the functionality of Twitter for no cost, why pay Yammer's rates?
Because if you do not, you have no promise of security for the conversations you are having on Yammer's servers. Put aside for a moment the idea that you are having potentially proprietary conversations on a server outside that pesky firewall - that happens all the time. But it happens under service-level agreements, with a contract to preserve data in case the company is party to litigation requiring legal discovery - to name one contingency.
Brief sidebar on discovery, which can be extremely costly (disclaimer: my father is the lawyer, I have a different yet higher degree than he does). The Federal Rules of Civil Procedure (link is pdf) were revised in December of 2007. Here is a relevant snippet:
(B) Specific Limitations on Electronically Stored Information. A party need not provide discovery of electronically stored information from sources that the party identifies as not reasonably accessible because of undue burden or cost. On motion to compel discovery or for a protective order, the party from whom discovery is sought must show that the information is not reasonably accessible because of undue burden or cost. If that showing is made, the court may nonetheless order discovery from such sources if the requesting party shows good cause, considering the limitations of Rule 26(b)(2)(C). The court may specify conditions for the discovery. [emphasis added]
So if you are a party to a lawsuit, even if not the target, you may be required to furnish conversations from Yammer servers. Companies keep this in mind when they sign agreements with Salesforce and other hosted solutions, but that unpaid Yammer party line poses a problem.
In the world of risk management; this is a low probability, high impact event. You probably won't be a party to a lawsuit (yes, I'm being tongue-in-cheek), but if you are, it will cost you in discovery costs that do nothing to advance your business interests.
However, we also have a high probability, high impact event. I posed this question on Twitter - through the magic of the cloud, I received a helpful response from Yammer. Here's what I asked:
How do people on Yammer know they're not talking with ex-employees?
The reasonable response from Yammer pointed me to a FAQ, where administrators can manage the Yammer list for their company. This, by the way, means there is an administrative burden - assign this to HR or IT - adding a step to the outprocessing paperwork when someone leaves your firm. If you have a paid Yammer account, add a step where someone goes in and removes their access from the list.
My conclusion: If you have an unpaid Yammer account, at some point, you likely have ex-employees listening to proprietary chatter. This is not Yammer's fault - they have no way to manage the employment status of your people. If you value corporate proprietary information and do not want to pay Yammer, you may want to issue a policy telling employees not to use Yammer for sensitive conversations. In which case, of course, they may as well use Twitter.
If I am mistaken, I welcome a correction - but I think the risk far outweighs the benefits. Your employees have no good reason using an unpaid Yammer account to discuss business plans, project needs, client data, code, etc.
Final disclaimer: I have no business affiliation with, or financial interest in, Yammer or any of its partners or competitors. Wrote this without looking, Dad.