• United States



Adventures in Key Logging

Jan 28, 20112 mins
Core Java

As companies become more and more concerned with employee misuse use of their computer systems (e.g., excessive Internet use, downloading pornography, protection of company proprietary information, theft of trade secrets, use of systems for illegal purposes, etc.), there is a growing trend toward the use of monitoring software and, in some cases, key logging hardware or software. While these measures may be entirely justified in some circumstances to protect the company and its assets, they should be used with discretion.

In some states, you are required to place employees on notice that their computer-related activities may be monitored. My recommendation is to always provide that notice. The object is to avoid the potentially damaging conduct in the first place by educating employees regarding the issues and putting employees on notice that they will be held accountable, including by means of monitoring.

Notice is generally accomplished through clearly written policies on employee use of technology in the workplace. I have blogged about these policies in the past. The point of this post is to specifically note the heightened risk in monitoring and key logging and to strongly suggest the need for clear notice in company policies is all the more important.

Failing to properly advise employees of monitoring activities may violate state and federal laws and, at a minimum, create employee relationship issues. To minimize the potential for these issues, every company considering use of monitoring tools should also consider updating its technology use policies.


Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP where he focuses on drafting and negotiating technology related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law.

Mr. Overly is a member of the Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices. Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information System Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified Risk and Information System Controls (CRISC) and Certified Outsourcing Professional (COP) certifications.

The opinions expressed in this blog are those of Michael R. Overly and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author