Privacy & Data Security Law News

Keeping Electronic Eye on Workers Gets Dicey During Work at Home

March 24, 2020, 10:00 AM

The novel coronavirus is creating a potential legal minefield for bosses who want to use technology to keep tabs on teleworking employees, especially those who use personal devices to accomplish job tasks.

While employees have little expectation of privacy on company-owned computers and devices, whether in the office or at home, companies run the risk of lawsuits and reputational damage if they collect sensitive information such as geolocation data from visits to personal banking or communication services without a valid purpose.

“When I’m notifying people about how we will be conducting business to take seriously this global crisis, I’m also reminding them that they’re still subject to the company’s policies,” said Adam Forman, a business attorney with Epstein Becker Green. “That includes that they are subject to monitoring.”

But he added, “If your employer is remoting into your machine and you’re taking a break and looking at your bank account or Gmail, the company is potentially going to have a problem. They can know you navigated to Google; I don’t think they can know what you read on Gmail’s server.”

There’s no shortage of surveillance tools available for employers who want to ensure they are getting a return on their human capital investment, from tracking login times and website visits to monitoring keystrokes and using algorithms to look for changes in patterns of speech. As more workers are ordered to stay home, the same vendors are pitching their tech as a way to make sure employees are actually working.

“We’ve seen an influx of inquiries from both customers and prospects,” says Larry Thompson, chief executive officer of Veriato. The company’s clients have included Sony Corp., Amway Corp., and Bridgewater Associates LP, according to its website.

Where Did My Day Go?

Veriato and similar firms such as Proofpoint, Inc. and Teramind help businesses protect against cyberattacks, as well as “insider threats” from employees sharing trade secrets and confidential information.

“Employers are looking to make sure they are working from home and making sure the right tools” are being used now that employees are outside the secured workplace, said Eli Sutton, vice president of global operations at Teramind.

Productivity software, which tracks how much time employees spend in various applications, is often marketed as a way to ensure efficiency and provide feedback on how much time various tasks take up on any given day. That includes monitoring keystrokes and scrolls to measure “active engagement” with email, word processing and other applications, as well as following web searches, social media use, and other online activity.

“The employer gets a roll-up dashboard of here’s how my team is using its time,” said Tony Wright, chief executive officer of Seattle-based software firm RescueTime. “And when workers can see how they spend their time, they’re not getting home at the end of the day and saying, ‘Where the hell did my day go?’”

The company, whose clients include Microsoft Corp., Google, and Adobe Inc., has seen a “huge spike” in sales inquiries over the last week, Wright said. He said the tech should be used to help newly remote workers stay on track and monitor their productivity, rather than to play Big Brother.

“The user has the control over what they do with the data,” Wright said. “But, we’re pretty evangelical about the notion that the wrong way to approach this is to spy on your people.”

‘Digital Fingerprint’

Veriato’s tracking tool collects digital communications, app usage, and data transfers. It also takes periodic screen shots of users’ computers and devices. Proofpoint offers some of the same functions, as well as the ability to take rolling videos of computer screens.

Veriato uses the information to create a profile—or what CEO Thompson calls a “digital fingerprint”—of each user. The information is fed into an algorithm to alert on any changes in users’ behavior that could be a sign of “risk.”

Thompson said the company can build a user profile after 21 days of tracking, and less time is needed for workers who spend their days doing a few of the same tasks. It then uses a rolling 30-day snapshot of activities to update the algorithm.

The tracking often continues after an employee logs out of an employer’s virtual private network but continues using an employer-provided device. The tool continues to pull usage data and stores it in an encrypted file on the computer or device that is then transferred to the cloud once the employee logs back in.

“Most employees never really know it’s there,” Thompson said.

With Teramind’s workplace productivity tools, employees can disable tracking when they take breaks and after work, so the company doesn’t see or collect more information than necessary, Sutton said.

Getting Personal

The use of personal devices may grow if supply chains of computers and other devices dry up, leaving companies with limited corporate-owned devices to allow their employees to work from home in a secure environment.

Some businesses, especially in the delivery and transportation industries, already use geolocation tools to track users’ physical movements while on the job. Geolocation tracking is less of a concern on company-owned devices if a business is transparent about such collection.

Employees in many sectors, though, likely have a reasonable expectation of privacy in their personal movements, said Reece Hirsch, co-head of Morgan Lewis’ privacy and cybersecurity practice.

“Using geolocation data without a valid purpose is potentially objectionable,” Hirsch said.

The unprecedented shift to telework is likely to expose the lingering uncertainty about some rules of the road for monitoring, according to Jena Valdetero, co-head of Bryan Cave’s privacy and data security team in Chicago.

“There’s no playbook for what we are experiencing,” Valdetero said.

To contact the reporters on this story: Chris Opfer in New York at copfer@bloomberglaw.com; Daniel R. Stoller in Washington at dstoller@bloomberglaw.com

To contact the editors responsible for this story: Bernie Kohn at bkohn@bloomberglaw.com; John Lauinger at jlauinger@bloomberglaw.com
