IAG used keystroke logging to investigate productivity of remote worker – Security – Software


Insurer IAG used keystroke logging to determine that a long-time employee, working remotely, was not meeting required activity levels and should be terminated.



The worker, who it appears had an otherwise-unblemished 18-year career with IAG, was unsuccessful in getting the dismissal overturned.

The case is a rare public example of the use of application and VPN logs to keep tabs on an employee’s productivity, something that’s been raised as a concern for several years, but where actual usage levels are unknown.

The employee was terminated after a review uncovered a number of hours where zero keystrokes were recorded on the employee’s device; up to 85 percent of work hours in one month.

It also found the staffer “failed to work her designated rostered hours (7.8 hours) for 44 working days out of 49 working days” that were monitored.

‘Cyber review’

The keystroke logging formed part of a “cyber review” conducted on the IAG-owned laptop the employee used. 

A Fair Work Commission ruling states that the “cyber review” examined three categories of logs.

“The first part related to the ‘daily activity’ of the applicant. That recorded the first and last event on the Applicant’s computer on any given day,” the ruling states.

“The second part gave details of ‘hourly activity’, that is user activity broken down by the hour. 

“The third part of the report related to ‘VPN activity’ broken down by day.”

It’s not clear if VPN usage data was particularly useful; the review notes “that many users [at IAG] do not use the VPN unless required due to bandwidth issues.”

The ruling does not state what system logs or tools were used for the daily and hourly activity tracking, and iTnews was unable to source detailed information from an IAG spokesperson.

However, it is understood that keystroke logging is used only in investigations and requires some level of internal approval to utilise.

Anticipated activities

In the ruling, a manager describes the type of activity an employee in that area of the business typically performs, and that requires a minimum 500 keystrokes an hour.

The area of IAG creates and changes static insurance policy documents.

“[The] position required [the employee] to engage with various stakeholders via email and Teams,” the manager wrote.

“[The employee] was also required to access documents on IAG file drives and SharePoint, and track progress of work on platforms such as Planner and Jira, which are all required to be accessed on an IAG laptop device as passwords need to be entered and the VPN (virtual private network) needs to be connected on the IAG laptop device.”

The manager added: “As such, I would expect that there would be at a minimum more than zero keystroke activity during each working hour (other than potentially where [the employee] was attending a meeting where she may be focusing and contributing rather than typing on her laptop) and that as [the] role required data input and correspondence with various stakeholders, [the] keystrokes per hour would be upwards of 500 keystrokes per hour.”

iTnews sought information as to whether the 500 keystrokes figure is based on the average number of keystrokes logged by other members of the same team, or on some other measure.

The employee disputed the numbers in the cyber review but the Fair Work Commission found that no “credible [alternative] explanation” was offered.

“There was little put forward by the [employee] that assisted [the] argument that the cyber records were inaccurate,” the commission ruled, adding it backed the termination.

The commission found the employee had an otherwise unblemished career at IAG, but had experienced mental health issues following “a number of personal traumatic setbacks, including family bereavements”.

It also cast doubt on an argument from IAG that the employee had exposed the company “to penalties and posed ongoing risks to its clients and the public more broadly”, saying that “very limited evidence on this point” was offered up, although one such incident did occur, where IAG was fined.



Source link