Many companies use “keylogging” software or hardware to monitor employees’ computer use. But they might be in trouble, according to this recent court case.

Keystroke logging (often called “keylogging”) is a process in which everything someone types on a keyboard is recorded, by either a piece of software or a hardware device installed between the keyboard and CPU.

Hackers often spread viruses that install keyloggers on victims’ computers to steal bank passwords, credit card numbers and other sensitive information. But they’re also regularly used by businesses to monitor what employees do on their office computers.

And that might violate the law, according to a recent court decision:

After Metteyya Brahmana was laid off, he had a dispute with his former boss about back wages he claimed he was owed. During the conversation, the supervisor allegedly made reference to an e-mail Brahmana had sent to an attorney with his personal e-mail account.

Brahmana concluded that the boss had accessed his e-mail. He also learned from a former co-worker that the company monitored all employees’ activities with keylogging devices.

He sued his former employer. His claim: The keylogging violated the federal Wiretap Act, which makes it illegal to “intentionally intercept … any wire, oral or electronic communication.”

The company tried to have the case dismissed. But the judge didn’t buy it.

The court ruled that accessing the e-mail didn’t break the law (because the law covers “intercepting” communication, not accessed stored messages), but that the keylogging itself may have been against the law.

The judge let the case move forward to trial, saying more information was needed to decide if the ex-employee has a case. We’ll keep you posted.

Either way, employers should be warned about the potential for keylogging and other monitoring tools to violate laws on privacy and electronic communication.

Cite: Brahmana v. Lembo

When employees complain of harassment, they often ask managers to ‘keep it between you and me’ and not take any action. But a recent court ruling shows why supervisors should always notify HR about possible harassment issues.

An administrative assistant sued for sexual harassment after being exposed to pornography via her boss’s computer.

The man regularly viewed the offensive material in his office, roughly 20 feet from the woman’s desk. She could often see or hear what he was watching.

She brought his conduct to the attention of her department’s manager. According to the company’s harassment policy, the manager should’ve immediately forwarded the accusation to HR.

But he didn’t — because the employee asked him not to file a formal complaint. Still, when the conduct continued, she took the company to court.

‘Keep it between you and me’

Who won the case?

Answer: The employee.

It didn’t matter to the court that the employee asked the manager not to take the complaint to HR — he should have done so regardless. After being notified, the company had a duty to put a stop to the harassment.

The company failed to get the case thrown out, and ended up settling out of court for $100,000.

The bottom line: Managers need to be trained on handling harassment complaints. Even when managers are asked to “keep it between you and me,” they should notify HR immediately so some action can be taken.

As this case shows, granting an employee that request can get companies in big trouble.

Cite: Beem v. County of Madison

It’s no secret: Employees often use their workplace computers for non-work purposes. But when an employee does something illegal, is the company liable because it owns the equipment?

It depends on the company’s knowledge of the illegal acts.

In one court case, a New Jersey man was arrested on child pornography charges after sending pictures of his step-daughter to several Web sites.

The man used his office computer to upload the photos. His wife sued his employer for negligence, claiming the company should’ve known what was going on and notified law enforcement. If it had, the crime could’ve stopped earlier.

According to the court, the company would be liable if it knew about the illegal conduct and didn’t stop it. So the key question was: What did the company know?

For roughly two years, the man’s supervisor and members of the IT department had been checking his Web browsing history and saw the porn sites listed. Yet nothing was reported, the employee wasn’t fired or even disciplined, and no further investigation was conducted.

The court decided in the woman’s favor, ruling that the company had a duty to report the conduct and was liable for negligence (Cite: Doe v. XYC Corp.).

Liable when they don’t know?

In other cases, companies have avoided liability because they weren’t aware of an employee’s illegal activity.

In a recent case, an employee was severely harassing his neighbor. When police investigated, they found he had used his work telephone and computer to make nasty phone calls and post disparaging comments online about the neighbor.

The neighbor sued the employer for not stopping the harassment. But the judge didn’t buy it.

There was no evidence his manager or anyone else at the company knew what was happening. Therefore, there was no reasonable way to expect the company to do anything about it. The case was thrown out (Cite: Sigler v. Kobinsky).

The bottom line: If managers or IT staff are aware of illegal computer activity, the company may be liable if it isn’t reported. But employers likely won’t be on the hook for conduct they couldn’t have foreseen.

One quarter of all employees with Web access at work have visited porn sites during office hours, according to data from Nielsen Online, Newsweek reports. That’s up from 23% one year ago.

Also, pornographic sites typically get the most hits between 9:00 a.m. and 5:00 p.m. (i.e., office hours), according to M.L McMahon, publisher of AVN Magazine.

Why are so many employees doing something they know is inappropriate and could get them in trouble? One answer may be the economy. Increased pressures on many managers may mean they could be too busy to keep a close watch on their employees.

Given all the threats posed by inappropriate Web content — sexual harassment suits, lost productivity, tech security issues, etc. — companies may be wise to step up their monitoring efforts.

It doesn’t work that way, according to researchers at software firm Ascentive.

The two main problems: Blocking sites causes frustration and resentment among employees and can restrict access to stuff they need for work.

What do the researchers recommend instead?

Monitoring software. When Web use is monitored but not blocked, employees will be able to use the Internet how they wish — but their bosses can find out what’s going on once performance and production problems arise.

One objection some employees have against their employer’s computer policies: It’s an invasion of privacy. But do workers really have a right to privacy when they’re on company computers?

One recent court case addressed that question.

An employee who’d worked in the company’s accounts payable department for five years started stealing from his employer.

He transferred money out of the company’s bank accounts into his own. Also, he hacked into the payroll system and gave himself a big pay raise — changing his yearly salary from $40,000 to $125,000.

The company’s owner quickly found out about the salary increase and the missing money. He confronted the employee, who admitted to stealing $8,000 and offered to cut the company a check for that amount. The owner fired him and called the police.

With the company’s consent, the police searched the man’s office and his work computer. It turned out the total amount he’d taken was more than $600,000.

Was the search legit?

After he was arrested, the employee tried to have the case against him thrown out. Why? He claimed the police had no right to search the computer. The inspection violated his right to privacy, he said, because the computer was located in his office and password-protected so he was the only one who could use it.

The judge didn’t buy the argument. As several other courts have ruled in similar cases, the employee had no “reasonable expectation of privacy” — so his rights weren’t violated, the court said.

The fact that the computer was inside an office — and password-protected so only one employee could use it — didn’t change the fact that it was the company’s computer. And, in general, companies have a right to search their own property.

Have a good policy

One way for companies to avoid problems related to computer searches and monitoring: Have all employees sign your policy and acknowledge that the company has the right to monitor how its computers are used.

Two states (Delaware and Connecticut) require companies to get consent before they do any monitoring. But for all employers, it can be a good way to remind employees not to expect any privacy when they’re using the company’s equipment.

Cite: State v. M.A.

It’s been the legal standard for awhile: Employers have the right to monitor employees’ e-mail and other electronic communication. But a recent court ruling sheds some doubt on that standard.

Here’s what happened:

An employer gave cell phones to a group of employees so they could communicate via text messages. The contract with the wireless provider said the company would be charged an overage fee if any phone sent more than a certain number of words in a given month. Employees had to reimburse the company for those charges.

After one employee went over his limit four times, the company obtained copies of his text messages from the wireless provider. The transcripts revealed the employee was sending a lot of personal messages — in fact, many of them were sexually explicit.

The employee sued, claiming his privacy was violated when the vendor provided — and the company read — his personal messages.

Stored Communications Act

The court’s decision: By releasing the messages, the wireless vendor violated the Stored Communications Act (SCA). The SCA makes it illegal for “electronic communications service providers” to release data without the sender’s consent.

The judge ruled that even though the company owned the phones, it didn’t have the right to access the messages, because they were handled and owned by a third-party provider.

What HR needs to know

What’s it mean for employers that monitor employee e-mail and technology use? That depends on how a company handles its electronic communications.

Companies often handle e-mail and other communication in-house and store the data on company-owned servers. But many employers outsource those operations to service providers. For those companies, rulings like this might limit their ability to monitor employees.

The court’s decision points out what companies may be able to do to maintain that ability. Here are some ways to keep an eye on employees while avoiding liability:

• Get consent. The lawsuit may have been avoided if the company had gotten written consent from all employees allowing their text messages to be monitored.
• Have a policy. The company had a policy saying e-mail and Internet use would be monitored, but never mentioned the cell phones. Therefore, the court ruled, employees had a “reasonable expectation of privacy” when it came to text messages.
• Enforce it. Even if the general computer policy covered text messaging, the employee paid the overage fee four times before the company looked at his messages — that fact alone could have been enough to establish an expectation of privacy.

Cite: Quon v. Arch Wireless Operating Co.

Tell the what you’re doing and why you’re doing it.

When employees’ computer use is being snooped, they sometimes feel like their privacy and trust are being violated — especially if they don’t know what’s happening until someone gets disciplined or fired because of something a manager found.

Full disclosure about the methods and motivations can go a long way toward making sure employees perceive the system as being fair.