Company sued over common employee monitoring tool

keyboard

Many companies use “keylogging” software or hardware to monitor employees’ computer use. But they might be in trouble, according to this recent court case.

Keystroke logging (often called “keylogging”) is a process in which everything someone types on a keyboard is recorded, by either a piece of software or a hardware device installed between the keyboard and CPU.

Hackers often spread viruses that install keyloggers on victims’ computers to steal bank passwords, credit card numbers and other sensitive information. But they’re also regularly used by businesses to monitor what employees do on their office computers.

And that might violate the law, according to a recent court decision:

After Metteyya Brahmana was laid off, he had a dispute with his former boss about back wages he claimed he was owed. During the conversation, the supervisor allegedly made reference to an e-mail Brahmana had sent to an attorney with his personal e-mail account.

Brahmana concluded that the boss had accessed his e-mail. He also learned from a former co-worker that the company monitored all employees’ activities with keylogging devices.

He sued his former employer. His claim: The keylogging violated the federal Wiretap Act, which makes it illegal to “intentionally intercept … any wire, oral or electronic communication.”

The company tried to have the case dismissed. But the judge didn’t buy it.

The court ruled that accessing the e-mail didn’t break the law (because the law covers “intercepting” communication, not accessed stored messages), but that the keylogging itself may have been against the law.

The judge let the case move forward to trial, saying more information was needed to decide if the ex-employee has a case. We’ll keep you posted.

Either way, employers should be warned about the potential for keylogging and other monitoring tools to violate laws on privacy and electronic communication.

Cite: Brahmana v. Lembo

Comments

11 Comments on Company sued over common employee monitoring tool

  1. 2kmaro on Tue, 16th Jun 2009 1:55 pm
  2. It will be interesting to follow this one – after all, isn’t the company allowed to monitor/’tap’ its own equipment, just as I believe we are allowed to record/intercept calls made to our own telephone lines? Would I be guilty of wiretapping if I put a keylogger on my own computer – irregardless of the fact that I’m the only user?

    Or are we who may have recorded our phone calls/computer activities now guilty of wiretapping, and probably some anti-terrorist activity under the PATRIOT (Hah!) Act?

    Does this mean that parents can’t use such tools to monitor the activities of their minor, dependent children also?

  3. tim on Tue, 16th Jun 2009 2:13 pm
  4. keylogging at a private place of business has to be legal. If Brahmana wins under the current law, the law then has to be changed. If I’m using company property to do anything, the company has a right to know exactly what I’m doing. There can be no argument to that in a society that aims to be free of government restriction over private matters.

  5. Sean Smith on Tue, 16th Jun 2009 3:28 pm
  6. We hand out corporate compliance policies and information security policies to all new employees.

    Corporate compliance is the interesting one, as it’s mandated by the government and the first part of the government’s own boilerplate policy states “no expectation of privacy.” This means that anything you do using the company’s equipment can be monitored for use as needed.

    The Information Security policy we hand out states that in order to be sure we are keeping things secure, it means that we will need to monitor communications. It also states that all work equipment is for work purposes and not personal purposes.

    It would seem that the “wiretap act” is in conflict with the corporate compliance policies we’re required to have. Typical government hypocrisy.

  7. mike R on Tue, 16th Jun 2009 4:14 pm
  8. Another article I read yesterday concluded that “keylogging” was probably okay, but using information gleaned from personal emails to access other sites was not.

    http://www.hrmorning.com/internet-usage-the-legality-of-keylogging/

  9. Redcell on Wed, 17th Jun 2009 8:54 am
  10. A couple of things to consider…
    Correspondance means that there are at least two entities involved. So the potential is that the sender and/or the receiver’s rights may have been violated.
    You refer to the recording of your phone calls. Even though it is your phone equipment it is violating the rights of the other person on the call unless they have been notified and agreed to the recording of the conversation. You are not recording the phone, you are recording the transmssion of data/coversation/information. So to answer your question Yes, you are guilty of wiretapping (or rather illegally retaining a conversation) if you recorded a phone conversation with someone if they were not aware of that recording. This is why a court order has to be obtained before law enforcement can legally do a wiretap. This is why in many cases when wiretapping has been done outside of the legal bounderies the evidence gathered in the investgation cannot be used in court, and the person being prosecuted sometimes will gain more protection from the court because of that violation of their rights. These laws were in place in principle long before the PATRIOT ACT.

    As far as the parent/minor monitoring? This is a different scenario. You are the guardian of the minor. It is your responsibility for that minor. Juvinile laws are handled differently. But even those are being challenged.

  11. Redcell on Wed, 17th Jun 2009 9:35 am
  12. It will be interesting to see how this comes out. Keylogging on a blanket corporate level could be very dangerous for the companies practicing it. Any and all user names, passwords and other personal information that is collected could become a huge burden for securely protecting that information. If there was a breach in their network security or just a accidental exposure of personal information they may find themselves very liable. If they collect sensitive information then they may find themselves being required to protect that data in accordance to HIPAA and other laws regarding the retention of personal data. Even if this data is not business or work related. Typically data collected in this fashion is raw data and not protected as well as say the employee records are kept.

  13. Jamie on Wed, 17th Jun 2009 9:44 am
  14. As of a year or two ago, in Indiana wire tapping is legal if one (1) party knows they are being recorded. Private citizens do not need a court order to tape their own conversations even if the other party has no knowledge of being recorded. I don’t understand this law completely but I am guessing that only the government has to get a court order to record/tap conversations. So many people think that their email is private – I had to show our IT person that he was not breaking any laws by allow me into an employees email account – and I was getting into because she was in an accident and we needed some time sensitive information – nothing “bad”!! The keylogging case will be interesting to watch.

  15. Debi on Wed, 17th Jun 2009 2:06 pm
  16. If a company is going to “keylog,” my thought would be that the employer tape a piece of paper to the computer “ALL WORK ON THIS COMPUTER IS BEING MONITORED” … or someting like that. Not only will the employee NOT conduct personal business during work hours, but the employer will no doubt get more work done through its worker. Just a thought.

  17. Joe in PA on Mon, 22nd Jun 2009 2:22 pm
  18. Since the court ruled accessing e-mail was ok (which makes my wonder about crossing the line with attorney / client privilege), I think the employee is going to lose, as this was done on company equipment. The employee’s argument may be a) does the company prohibit personal use of computers, and b) if other employee’s have had similar issues, how were they treated ?

  19. What a moron on Thu, 9th Jul 2009 7:09 pm
  20. Sorry to sound so harsh, but this guy is really stupid! He was using private equipment, and on company time. I really hope he loses. People like this need to get a life.

  21. Anca on Fri, 17th Jul 2009 2:13 am
  22. Honestly, I do agree that employee monitoring software need to be used; but, there are non-invasive solutions available that do not invade the employee’s privacy, like the keylogging software does. As for the legality of using this kind of solutions, here is a great article about this http://blog.cyclope-series.com/2009/04/when-employee-monitoring-is-illegal/