USA: Employee monitoring and regulatory frameworks for keylogging technology
In response to the COVID-19 pandemic, many employers transitioned their workforces to remote work. A report from McKinsey Global Institute observes that this trend could continue, noting that up to 25% of workers in advanced economies may continue to work from home three to five days a week, well above pre-pandemic levels [1]. As this hybrid work model becomes increasingly permanent, employers may seek to leverage remote monitoring technology for the twofold purpose of increasing their remote employees' productivity and securing their remote workforce's access to the organisation's information systems.
In this article, Brian G. Cesaratto and Christopher Taylor, from Epstein Becker & Green, P.C., discuss keystroke logging as one of the technologies employers may decide to implement as part of a broader remote employee monitoring/data protection strategy and what employers should consider when utilising the technology.
An overview of keystroke logging technology
As the name suggests, keyloggers monitor and store every keystroke made on a user's keyboard. While such technology can be deployed by malicious actors to exfiltrate sensitive data, keyloggers can also be purposefully installed by employers on employer-owned computers, with or without their employees' knowledge, for legitimate business purposes (e.g. cybersecurity or productivity). While the technology can be deployed in a number of ways, two common host-based approaches are API-based (software) keyloggers and hardware keyloggers.
Keylogging technology is content-neutral, in that it collects the data resulting from the user's keystrokes, irrespective of whether that data is work-related or non-work related, including potentially sensitive personal data (such as an employee's personal medical, financial information, or personal log-in information). Thus, as with any employer monitoring of its systems (e.g. email), the content captured may be both work-related and non-work related. Nevertheless, keylogging is generally regarded as more intrusive than certain other types of systems monitoring that may be used because every character that is typed by the employee is captured.
One common keylogging solution is an API-based keylogger, in which the software uses the operating system's keyboard application programming interface ('API') to record an employee's keystrokes. With every press of a key, a notification of the keystroke is delivered to the active application (e.g. Microsoft Word or Slack) so that the typed character appears on the user's screen. API-based keyloggers record these same notifications, and the resulting logs are then stored.
Hardware keyloggers can also be built into the keyboard or deployed as a USB or other physical device connected between the keyboard and the computer. Rather than relying on software to store captured keystrokes, the physical device captures the keystrokes itself and stores them in its own memory.
Federal and State statutes that could implicate keystroke logging
The federal perspective
At the federal level, while not expressly covering keylogging, a primary restriction on an employer's ability to monitor the communications of its workforce stems from the Electronic Communications Privacy Act of 1986 ('ECPA') [2]. The ECPA, which was enacted as an amendment to the Federal Wiretap Act of 1968, is the only federal statute that directly addresses the monitoring of electronic communications in the workplace. Yet, while the ECPA may appear to restrict an employer from intercepting its employees' electronic communications (including potentially through the use of keylogging technology), the statute contains some notable exceptions to this prohibition. An ordinary course of business purpose exception may permit employers to monitor certain electronic communications as long as the employer can establish a legitimate business purpose for doing so. A consent exception allows employers to monitor employee electronic communications, provided that the employer has secured an employee's consent to do so.
While keylogging is not expressly covered in federal statutes or through regulations, courts have generally considered whether the ECPA applies to prohibit the logging (e.g. whether an 'interception' has occurred within the meaning of the statute given the particular technology used) [3]. Claims of violation of the ECPA or the Federal Wiretap Act require that an intercepted communication occur in the course of interstate commerce, yet certain keylogging intercepts may occur wholly within the local computer, thus presenting a challenge to employees who seek to bring such claims in the absence of notice and consent. As noted below, however, State law prohibitions may differ and reach keylogging interceptions, even where the employer's system does not affect interstate commerce [4].
The State perspective
The ECPA, moreover, establishes only the minimum restrictions with respect to an employer's obligations when monitoring employee communications. It does not pre-empt individual states that seek to impose greater restrictions in furtherance of employee privacy interests. For example, Connecticut and Delaware prohibit employers from monitoring or intercepting electronic communications without first providing notice to affected workers, and failure to provide such notice may subject the employer to civil penalties. However, both states have created notable exceptions to the notice requirement, including, under Connecticut law, when the employer is monitoring employees for the purpose of protecting the employer or other employees from worker misconduct [5].
Notice to the employee of the collection of personal information may be required under other laws. The California Consumer Privacy Act of 2018 ('CCPA') and the California Privacy Rights Act of 2020 ('CPRA') require that employers subject to the statute provide their employees with a 'notice at collection' at or before collecting personal information, and place 'browsing history, search history, and information regarding a [worker's] interaction with an internet website, application, or advertisement' within the scope of the required disclosure to the employee [6].
One of the more recent State-level developments that could potentially implicate an employer's reliance on keystroke logging is New York's electronic monitoring law. On 8 November 2021, New York Governor Kathy Hochul signed into law an act ('the Act') that amends the Civil Rights Law and requires employers in New York State to provide notice to an employee upon hire where the employer 'monitors or otherwise intercepts' telephone calls, emails, or internet usage or access using 'any electronic device or system' [7]. The notice must be in writing or sent electronically, and the employee must acknowledge receipt in writing or electronically. In addition, the employer must post the notice 'in a conspicuous place' [8]. The Act went into effect on 7 May 2022. As of that date, new hires should be provided the notice, and the notice should be posted conspicuously in either a physical location or a company intranet, for example [9]. Employers that violate the Act, which the Attorney General ('AG') is authorised to enforce, may be subject to civil penalties up to a maximum of $500 for the first offence, $1,000 for the second offence, and $3,000 for the third and each subsequent offence [10].
In addition to such statutorily enacted measures, several State constitutions expressly guarantee their citizens a right to privacy, including for example California, Florida, Louisiana, and South Carolina [11]. When a State constitution makes such an explicit declaration of privacy, employees may hold an increased expectation of privacy, and, as such, employers in these states should be mindful in communicating to employees their privacy expectations with respect to monitoring of electronic communication in the workplace.
It is significant that courts have been inconsistent in their interpretations of the different State wiretap laws. Some State courts have interpreted those laws narrowly, permitting keylogging activities without worker notification and consent [12]. Other State courts have interpreted the legislation more broadly to prohibit keylogging, on the basis that the activity constitutes an interception of electronic communication without consent, regardless of whether the communication is transmitted across state lines [13].
Employer best practices
It should be clear that each of these statutes, whether federal or State, is technology-neutral. That is, none of them regulates keystroke logging explicitly, leaving the potential application of those statutes to keylogging to a given court's interpretation. This presents risk to the employer in implementing keylogging technology, particularly where the employer's workforce is located in multiple states.
One of the foremost mechanisms an employer can take advantage of to ensure its use of keylogging does not run afoul of a law is to provide express written notice to its employees before monitoring. Courts have generally held that employees have no expectation of privacy in the workplace, and even less so when notice is provided of an employer's monitoring policies. Beyond the legal considerations, however, employees may view such monitoring as overly intrusive and as evidence of distrust. Thus, employers who wish to utilise keylogging should do so only after thoughtfully considering the technology's impact on the work culture. It would be prudent for employers to consider whether there are other, less intrusive monitoring solutions that can achieve the same productivity and/or security ends.
If an employer determines that a keylogging solution is indeed a good fit for the organisation, the employer will need to consider the use of the technology in light of the statutory restrictions and exceptions. Assuming this analysis permits lawful use, management should draft a policy that addresses the use of keylogging on employer systems. Employers should then publish the policy, making it available to all current employees and to new employees upon on-boarding, and ensuring that all employees acknowledge, in writing or electronically, that the employer will utilise keylogging. Employers should also seek to obtain written consent before monitoring through the use of keyloggers.
Finally, employers who utilise keylogging solutions should be mindful that in doing so they may gain access to an employee's personal information that is not work-related (such as unrelated financial or medical data), and should have in place procedures to handle such data and minimise the risks around its collection.
1. Available at: https://www.mckinsey.com/featured-insights/future-of-work/the-future-of-work-after-covid-19
2. 18 U.S.C. §§2510 et seq.
3. See, e.g., Rene v. G.F. Fishers, Inc., 817 F. Supp. 2d 1090 (S.D. Ind. 2011); United States v. Barrington, 648 F.3d 1178 (11th Cir. 2011).
4. See, e.g., Rene, 817 F. Supp. 2d at 1095 - holding that the plaintiff stated a claim under State law, where, unlike the ECPA, there was no requirement that the communication be transmitted by a system 'affecting interstate or foreign commerce'.
5. See Conn. Gen. Stat. §31-48d (Employers engaged in electronic monitoring required to give prior notice to employees, exceptions, civil penalty) and Del. Code Title 19 §705 (notice of monitoring of telephone transmissions, electronic mail, and Internet usage).
6. Cal. Civ. Code §§1798.100-1798.199.100.
7. A.430/S.2628, N.Y. Civ. Rights Law §52-c.2.(a) - note that 'employer' includes 'any individual, corporation, partnership, firm, or association with a place of business in the state' (N.Y. Civ. Rights Law §52-c.1.).
9. The Act's stated purpose is '[t]o require employers who engage in employee e-mail monitoring to provide notice to their employees about such monitoring' (Section 2628) - as noted above, the statutory provisions cover monitoring of electronic systems in addition to email.
10. N.Y. Civ. Rights Law § 52-c.3.
11. See California Constitution, Article 1, Section 1; Florida Constitution, Article 1, Section 23; Louisiana Constitution, Article 1, Section 5; and South Carolina Constitution, Article 1, Section 10.
12. See Lane v. CBS Broadcasting, Inc., et al., 2008 WL 8475407 - holding that if a keylogger does not intercept electronic communications under the federal act, it cannot be deemed to do so under the terms of the parallel state statutes.
13. Rich v. Rich, No. BRCV200701538, 2011 WL 3672059 (Mass. Super. July 8, 2011).