Just over a month ago, we provided a high-level checklist to help organizations think about critical issues as employees begin working from home to reduce the spread of COVID19. Consistent with “shelter-in-place”/”stay at home” orders, millions of workers that can are now working from home. However, out of sight is not out mind as many organizations want to be sure these workers remain productive. Periodic office visits to chat are not an option right now, but spyware and keylogging technologies are. Some employers are considering these technologies as they balance employee privacy with the need to manage their team and monitor productivity.
Distractions are easy to come by these days – the daily Gov. Cuomo briefing, kids also “working” from home, the latest firetruck birthday party, and the status of toilet paper deliveries. For many workers, the idea of telecommuting itself is a distraction as they simply are not used to it on a regular basis. These and other distractions raise employers’ suspicion that workers are not being productive or as productive as they could be. But, productivity may not be the employer’s only goal. Protecting trade secrets, avoiding data breaches, finding ways to make remote work easier, and generally dissuading improper behavior are just some of the other drivers for increasing surveillance on remote workers.
Excessive, clumsy, or improper employee monitoring, however, can cause significant morale problems and, worse, create potential legal liability for privacy-related violations of statutory and common law protections. Advancements in technology have made it easier to monitor remote employees, and by extension easier to violate the law for employers that are not careful.
Spyware and keylogging are technologies that have been around for some time and can be attractive options for employers. In general, spyware is software that enables a user to obtain covert information about another’s computer activities by transmitting data covertly from their hard drive. This information could include screenshots from the other user’s computer. Screenshots could include, for example, text of “private” messages the employee believes she is sending to a social media friend. “Keyloggers” can be devices but are most often software designed to monitor and log all keystrokes. Like spyware, keylogging can covertly track a user’s keystrokes and obtain in the process private account credentials or confidential communications, and transfer that information to another computer.
This level of surveillance raises a number of legal and employee relations risks. Here are just a few.
- California Consumer Protection Act (CCPA). Effective January 1, 2020, the CCPA currently applies to personal information of employees, at least until December 31, 2020. It requires that employees be provided a “notice at collection” – this is, a notice describing the categories of personal information (including network activity) that the company collects and the purposes that information is used. Businesses subject to the CCPA will need to be sure that this surveillance activity is appropriately covered in notices of collection for employees who reside in California.
- State Social Media Password Protection Laws. Over 25 states have laws that prohibit employers from requesting or requiring employees to provide credentials to their online personal accounts. Deploying spyware or keylogging technologies arguably are not requests or requirements in the general sense. However, employers should consider how these laws may be interpreted and shape their approach accordingly.
- Stored Communications Act. Accessing personal social media communications or other personal online account communications may run up against protections under the Stored Communications Act.
- Taking action based on information obtained though the surveillance
- Credit protection laws. Several states, such as California, Maryland, Nevada, have laws prohibiting employment discrimination on the basis of poor credit or payment histories. These laws were passed in reaction to the great recession and likely have increased relevance again today as more than 20 million workers have filed for unemployment.
- Genetic Information Nondiscrimination Act (GINA). Learning about an employee’s family member suffering from a debilitating health condition or a contagious disease through spyware could raise issues under GINA. EEOC regulations except obtaining this genetic information through inadvertence, but if it was reasonably likely that such data would be collected or if the recipient continues to examine it or look for related information there is risk of a violation. Thus, just the collection of such information could be problematic under GINA, as well as using it for a discriminatory purpose.
- ADA/State Protections for Medical Information. A similar analysis applies for medical information obtained through monitoring. However, the regulations are less specific under the ADA compared to GINA.
- Safeguarding the Information Collected. A growing number of states have stringent requirements to maintain reasonable safeguards to protect personal information. The definition of personal information is not limited to SSNs. Medical information, online account credentials, credit card numbers, dates of birth all can be captured and stored using spyware, keylogging, and other surveillance tools.
What can organizations do?
- Understand the technology. Organizations should avoid having their IT departments deploy these technologies without a careful review, one that involves appropriate persons outside the IT department. Input from HR and the Legal Department can be invaluable for minimizing legal risk and maintaining good employee relations and trust.
- Acceptable Use and Electronic Communications Policy. When organizations decide to engage in any level of surveillance or search of employees, they should consider what their employees’ expectations are concerning privacy. In general, it is best practice to communicate to employees a well-drafted acceptable use and electronic communication policy that informs employees on what they can expect when using the organization’s systems, whether in the workplace or when working remotely. This includes addressing employees’ expectation of privacy, as well as making clear the information systems and activity that are subject to the policy.
- Monitoring the monitors. Employees asked to perform monitoring using these technologies can sometimes feel empowered and, believing they are helping the organization, make it easier for them to go too far in their surveillance, creating legal risk. For this reason and others, it is recommended that organizations maintain guidelines for these employees to help make clear boundaries that the organization has determined with counsel to be appropriate, and review compliance with those guidelines from time to time.
- Be prepared to investigate. Surveillance may uncover nonperformance, irregular activity, malicious insiders, and other problematic activity that the organization needs to address. The time to lay out that process and how to further investigate is not when evidence of the activity is discovered. Organizations should be prepared to react to findings with a comprehensive investigation plan that involves the appropriate persons at the earliest time.
It may be that this high level of remote work will continue for a while, or considering this forced experiment, certain organizations will realize that they can remain very productive in some or all parts of their business while deriving enormous savings from utilizing this new “workplace.” Either way, managing that work will raise new challenges for management. When more advanced monitoring and surveillance tools are deployed, organizations need to plan carefully, have the right team in place, review policies and applicable state and federal law, and be prepared to address problems when they arise.