Internet of Things? Don’t Forget Your Employees
The expansion of the Internet of Things (“IoT”) continues to accelerate. WiFi-connected home security systems, smart cars, and personal health monitoring devices are here to stay. Not surprisingly, such rapid expansion can result in IoT suppliers and users overlooking the security vulnerabilities of their devices. Numerous articles are being published addressing legal and technological issues related to the Internet of Things. However, for those running real businesses, either in the IoT space or in any way related to the IoT, basic legal principles remain imperative.
An example of a traditional legal area intersecting with the IoT is employment law. The areas of privacy and security are critically important in considering risk management in the IoT context. Employees play a vital role in both privacy and security considerations. Those issues require an employer both to manage the potential risk to third parties arising from the conduct of its employees and to protect the interests of those employees. In other words, an employer needs to protect its employees’ privacy and security interests, while also protecting against those same employees contributing to data or security breaches affecting others.
The first concern for an employer is to minimize the risk of a data breach resulting from the actions of careless or rogue employees. Minimizing this “insider risk” posed by a business’s own employees is often the first line of defense. Although data security is often viewed as an IT issue, it is also an employment issue for any business that wants to minimize potential liability. The Federal Trade Commission (“FTC”) issued a Staff Report in January 2015 addressing privacy and security issues in a world of “Internet of Things”.
In that report, the FTC addressed security issues related to the IoT and stated:
As part of the security by design process, companies should consider: (1) conducting a privacy or security risk assessment; (2) minimizing the data they collect and retain; and (3) testing their security measures before launching their products. Second, with respect to personnel practices, companies should train all employees about good security, and ensure that security issues are addressed at the appropriate level of responsibility within the organization.
The FTC, a federal agency clearly interested in the IoT, recognizes the key role of personnel practices and training in ensuring data security. It has been estimated that more than half of data breaches are not related to third-party hackers, but instead result from such “insider risk” arising from employees or former employees. Fortunately, there are steps that an employer can take to both minimize the risk of liability and mitigate any potential impact of a breach. Companies that process or store IoT data should store only necessary records and information, for the correct period of time and in their proper format. A business is in a better position in any litigation or government investigation if it can show that it took reasonable steps to protect confidential data within its possession. In that regard, most states already impose data breach obligations on companies, and some jurisdictions even require a written information security program (“WISP”) outlining what the company has done to protect confidential data. This process involves using specific policies and employment agreements related to the storage and dissemination of IoT and other electronic data, as well as training of supervisors and other individuals with data access.
Employee training can include any or all of the following:
train employees with data access on the overall importance of data security to create a culture of security;
implement policies on what data is retained, how long it is retained, and how it is stored and protected;
adopt policies addressing employee utilization of laptop computers and other mobile devices, including bring-your-own-device policies;
develop policies requiring return of all mobile devices and information from employees upon termination;
develop a policy on employees utilizing public WiFi while outside of the office;
test employee compliance with policies and impose training and discipline as necessary;
develop checklists and procedures to block computer system access for any terminated employee;
develop programs to monitor employee compliance with security, including simulated internal attacks to gauge employee susceptibility; and
develop appropriate password and encryption policies with assistance from IT.
Some of the world’s most sophisticated companies have been the victims of data breaches. The same threats and solutions apply to IoT data. These are just some of the types of policies and training that an employer who deals with IoT data should consider for its employees.
Taking steps to minimize exposure from breaches caused by employees is just part of an employer’s IoT considerations. Employers also face an obligation to protect the sensitive information of those same employees. Employers are accustomed to maintaining separate medical files on employees to comply with the Americans with Disabilities Act (“ADA”) and also take steps to prevent dissemination of employee Social Security numbers and other confidential information. The expansion of the IoT, however, adds a significant layer to the obligation to protect sensitive employee information.
For most employers, the existence of IoT-related employee data can arise from employee wellness programs and the use of fitness wearables such as Fitbit. By the end of 2015, nearly 33 million wearable fitness devices were owned in the U.S. market.
Worldwide shipments of wearable devices are expected to reach 110 million by the end of 2016.
Many employers are incorporating the use of such fitness wearables as part of an overall corporate wellness program. Such programs are designed to further the employer’s interests in maintaining a healthy workforce, with the benefits of lower healthcare costs and increased employee productivity. However, the inclusion of wearables and employer monitoring or access to monitoring information can create numerous employer pitfalls.
Wellness programs often use health assessments and biometric screenings to determine an employee’s risk factors, such as body weight, cholesterol, blood glucose and blood pressure levels. Some programs offer financial and other incentives for employees who participate or achieve certain health outcomes. The U.S. Equal Employment Opportunity Commission has provided guidelines on the application of the ADA to employer wellness programs.
The EEOC generally cautions that if a wellness program seeks information about employee health or medical examinations, the program must promote health and prevent disease. Additionally, employees cannot be required to participate in a wellness program, and may not be denied health care coverage or be disciplined if they refuse to participate. Additional requirements are imposed on wellness programs by the Health Insurance Portability and Accountability Act (“HIPAA”) and the Patient Protection and Affordable Care Act.
While operating such programs, an employer may either obtain or have at least some access to health data from its employees. Although HIPAA would not generally apply to employers unless acting as a healthcare provider or insurer, employers can still have obligations to protect the medical privacy rights of their employees under state law or HIPAA-derivative actions. The EEOC also imposes confidentiality requirements on disclosed medical information.
Consider a hypothetical scenario in which an employer obtains information from a fitness wearable concerning two separate employees’ respective levels of activity, heart rates, sleeping patterns, and similar data. Imagine the issues that could arise if that employer uses that information in determining a promotion decision between the two employees. Is it legal or otherwise appropriate to consider that one employee sleeps late on Saturday mornings and basically lies on a couch all weekend, while the other employee gets up early and goes for an extended bicycle ride each morning? There may not be easy answers to such questions, and even then the answers could vary by jurisdiction. What we can assess, however, is that employer liability for failing to protect IoT data from employees’ fitness wearables could trigger exposure under several different theories.
Americans with Disabilities Act
The ADA prohibits an employer from discriminating against an employee based upon an actual disability, history of disability or a perceived disability. As an employer expands access to information about an employee’s health, fitness and lifestyle activities, it is not difficult to predict a disgruntled employee claiming that she was “perceived” as having a disability based upon sleep patterns, monitored pulse rates or blood pressure readings. Even if those factors do not indicate an actual disability, an employer could be held to have “perceived” the employee as having been disabled, and discrimination could be illegal under the ADA.
Genetic Information Nondiscrimination Act (“GINA”)
The federal GINA prohibits employers from discriminating against employees based upon hereditary factors or other genetic information in any aspect of employment. GINA also restricts employers and other entities from requesting, requiring, or purchasing genetic information, and strictly limits the disclosure of genetic information. This includes information about an individual’s genetic tests and tests of an individual’s family members, as well as information about a disease or disorder in an individual’s family members. Importantly, GINA does provide narrow exceptions to the prohibition against an employer obtaining an employee’s genetic information. A pertinent exception provides that genetic information and family medical history may be obtained as part of a health program, including voluntary wellness programs offered by an employer. Such information could be included as part of the information collected by a wellness program, as any sort of blood test to determine, for example, cholesterol levels could also reveal genetic information. An employer could violate the law if it discriminated against an employee based upon that information.
HIPAA does not normally apply to employers unless they are acting in the capacity of a healthcare provider, health insurer, or business associate of a HIPAA-covered entity. However, common law actions based upon general HIPAA or privacy standards seem to be increasing across the United States. An employer could face exposure for a privacy breach to the extent it has such confidential IoT data about an employee and fails to take appropriate steps to protect that information.
Although the FTC is not technically authorized to regulate data from fitness monitors and similar apps, the FTC is certainly active in the IoT space and should be expected to continue its attempt to expand its protection against unfair consumer practices.
Fortunately, there are basic steps available to employers to help avoid these exposures. Similar to dealing with insider risk issues, employers who collect or obtain IoT data on employees through wellness or other programs should consider steps to protect the security of that information. These steps can include:
ensure that the provider or administrator of a wellness program and any related fitness wearables or apps have their own data security processes to protect your employees;
only seek, obtain and retain the information actually necessary for the wellness program and related monitoring/incentive programs, and avoid collecting more than the program requires;
avoid the collection of personal non-health information unrelated to the wellness program objectives;
create policies to ensure that employees participating in a wellness program are informed of any privacy expectation they might have and of the scope of information that may be monitored by the employer, and make sure that an employee’s participation is voluntary and that supervisors do not coerce participation; and
implement policies and training for supervisors and HR personnel to ensure that no fitness wearable data or other health data is maintained in an employee’s personnel file or otherwise considered as part of the promotion/demotion or hiring process.
The Internet of Things creates wonderful opportunities for society, and even for employers in having a more efficient, productive and healthy workforce. However, prudent businesses will not only take the necessary steps to protect themselves against data breaches caused by employees, but will also ensure that, to the extent an employer obtains employee health data, appropriate steps are taken to protect the privacy and proper use of that information.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader's specific circumstances.
Internet of Things: Privacy & Security in a Connected World (U.S. Federal Trade Commission Staff Report, January 2015).
U.S. EEOC, Press Release, April 16, 2015: EEOC Issues Proposed Rule on Application of the ADA to Employer Wellness Programs.