There’s nothing illegal about remotely monitoring your team with software applications. It’s how you use them—and what you do with the data—that can get you into trouble.
When the coronavirus forced non-essential businesses to close their doors in mid-March, U.S. employers began a sudden experiment in managing millions of Americans working remotely. For a lot of managers, that shift introduced a great deal of uncertainty over whether their teams really would be productive outside the confines of their office walls.
As a result, companies that make software to monitor employees remotely have seen a surge in demand in the past three months. The crowded industry comprises InterGuard, Time Doctor, Teramind, VeriClock, InnerActiv, ActivTrak, and Hubstaff, among others.
As many businesses consider maintaining remote work arrangements after the pandemic, remote monitoring may become a longer-term reality. In their most Big Brother-ish form, these products let managers literally watch what employees are doing via their webcams and take periodic snapshots of what’s on their computer screens. They can also track a user’s “active” work time versus idle time, file transfers, incoming and outgoing emails, printing of documents, and many other tasks.
Eli Sutton, vice president of operations at Miami-based Teramind, says the company’s software has gotten increased interest from prospective customers, while 40 percent of its current customers have added more user licenses to their plans in the past three months. He emphasizes that the software isn’t intended to spy.
“Lots of people have that misconception,” he says. “Upper management has better things to do than spy on employees.” Instead, he says, Teramind’s customers use it as “an extra set of eyes” to help managers monitor productivity and data security. Sutton also added that because employees must turn on the software themselves in order to be monitored, their privacy is better protected.
At the same time, while these products’ sales pitches sound simple enough—who doesn’t want a better view into how their remote teams are working?—monitoring employees via software applications can quickly run into tricky legal territory.
“In and of itself, there is nothing wrong with a product like this,” says Joseph Lazzarotti, an attorney who co-leads the privacy, e-communications, and data security practice at the law firm Jackson Lewis in Morristown, New Jersey. “It’s how you use it and how you give notice to the people who are being monitored.” Here are some of the biggest issues to consider before deploying such a system at your company.
1. Know your disclosure requirements.
Laws vary from state to state on how you need to notify employees and obtain their consent to be monitored. If you have workers spread out across various states, it’s your responsibility to follow the statutes specific to the state where your employee works. There may be additional requirements if you’re using devices that monitor, say, the pressure an employee puts on the keyboard or their heart rate. Some companies track such metrics to monitor workers’ stress levels, Lazzarotti says. Both would fall into the category of biometric data, which is protected under separate privacy laws.
2. Identify what you’re trying to accomplish–and what the software is capable of.
Lazzarotti says employers often start with one specific goal in mind, which may be sound, but then get into trouble because they don’t realize the sheer quantity of data these programs collect. For instance, a manager wants to periodically see what an employee is working on, so he installs software that takes screenshots of the employee’s computer desktop. “But what if that employee goes to her personal e-mail and writes an email to her spouse about their child who needs treatment for a disease? Now you’re collecting health care information,” which is especially sensitive data, he says.
Another example, and one that predates the pandemic: Let’s say you purchase software to track how fast employees drive in company cars. “Then the IT folks get the dashboard and realize they can configure it to listen in on the car, turn the car off, find out where people are all day long,” Lazzarotti says. “You need to be aware of what the employees implementing the software will be able to do with it.” Create a clear purpose statement as well as guidelines on how to use the software internally–and how not to.
3. Limit what you collect.
Once you’re familiar with just how much data your software can collect, figure out if you can put limits on it, Lazzarotti says. You will be responsible for keeping all data confidential and secure, so the less you have access to, the better. Always think about the worst-case scenario: “If you experience a data breach, you’re going to have to tell everybody, ‘We collected all this data on you and here’s what happened to it,'” he warns.
You should also ask your software vendor what employee data they are storing and what they’re doing to protect it. Is there anything that can be done to limit the vendor’s access to it? “There are a lot of new players in this market and they see an opportunity. It’s not hard to put up a sophisticated website and look like you’ve been in business for years,” Lazzarotti says. “It’s very important to vet the vendor in terms of quality of work and the data security safeguards they have in place.”
4. Be careful about making correlations between data and performance.
If you’re considering using remote monitoring software products to gain new insights about an individual’s performance, you need to be especially careful. Lazzarotti considers them rather blunt instruments for decision making. “Bad data will mean bad [conclusions],” he says. The reports and dashboards associated with these products may offer a lot of room for misinterpretation.
For instance, while an employee’s laptop activity could suggest she’s been idle for too long and not productive, it’s possible she was conducting business by phone. Or, as in the above example, adjusting an employee’s workload after tracking his heart rate and keyboard pressure could create a host of legal issues.
“That could mean you’re discriminating against somebody when you don’t have enough information. That could be an ADA (Americans With Disabilities Act) violation,” Lazzarotti says. Any conclusions you’re tempted to make will require further analysis and conversations with employees.
If you’re going to use monitoring programs to, say, keep track of when employees are online or how they’re using email, Lazzarotti says you’re on much sounder footing, legally and practically, if you use the data to analyze broader trends among your team. Such metrics “may help employers to understand different patterns, preferences, practices, and problems that emerge when the work is performed at home,” he says. In other words, use the data solely for purposes of managing the business rather than for imposing discipline, and you’ll lessen the potential privacy issues.
5. Weigh the pros versus the cons of what it might do to your culture.
Santa Monica, California-based software design and strategy firm Sidebench has had remote workers since its inception in 2012 and has appeared on Inc.‘s list of the fastest-growing private companies in the U.S. three times. Everyone, including CEO and founder Kevin Yamazaki, is accustomed to logging their hours worked online.
Sidebench has also experimented in the past with using software to take screenshots of contractors’ computers and track keyboard and mouse strokes. Yamazaki says it was useful in the beginning to help course-correct employees, particularly those for whom English wasn’t their first language. “It helped us hone our communication skills early on,” he says.
But when he tried to roll it out to several full-time employees, even just as a temporary experiment, “it had very different cultural implications. It didn’t feel right. It didn’t fit what we do as a team and how we trust each other,” he says. The company had multiple conversations about the software, and every time it quickly got shot down. Yamazaki adds that as Sidebench has taken on more government and health care clients during the pandemic, he’s looking into monitoring programs again—but strictly for data security purposes. “My number one priority is making sure it would be adopted … [but not at the cost of] impacting culture,” he says.
By Lindsay Blakely