
Wearable devices pose data security problems

There is no question that the Apple Watch has raised the profile of wearable technology, and we’re likely to see a big increase in users of wearable devices in the next few years. While wearables have become quite popular, they do pose some risk to employers regardless of the company’s stance on wearables. If you are an employer that will issue wearables to some or all employees, what do you plan to do with the data that is collected and how will you keep it secure? If you are an employer that will permit employees to use their own wearables for work purposes as part of a “bring your own device” program, how do you plan to ensure that this device does not compromise the security of your sensitive data or proprietary information? If you are an employer that does not plan to support wearables at all in the workplace, what are your policies on employees wearing such devices to work? This new world of wearables will require employers to adapt quickly in order to ensure that sensitive data is secure and that employee rights are not infringed.

For the early adopters
Some employers have taken the bold step of issuing wearables to their employees. The most common example of this practice is among those employers that are striving to foster a culture of wellness. To that end, some employers have distributed activity trackers, such as the “Fitbit Flex” and “Jawbone UP,” to employees as part of their wellness offerings. The trick to implementing such a program is ensuring compliance with myriad federal laws, including the Health Insurance Portability and Accountability Act and the Americans with Disabilities Act.

Under HIPAA rules, health-contingent wellness programs (i.e., where employees are rewarded for meeting a particular health standard, such as a step goal) must meet several requirements. For example, employers must offer a reasonable alternative standard to individuals for whom it is unreasonably difficult or medically inadvisable to satisfy the standard. Moreover, the plan materials must mention the availability of the reasonable alternative standard and list the appropriate contact information. The HIPAA rules also regulate the size of reward that may be offered and how frequently employees must be allowed to qualify, among other things.

But even if a program is HIPAA compliant, it may run into issues with the ADA and similar state laws, such as the New York Human Rights Law. The ADA prohibits disability-related questions and medical exams, unless they are job-related and consistent with business necessity. Asking employees to participate in a step program could violate this rule, as it could prompt an employee to reveal a disability. It is worth noting, however, that the U.S. Equal Employment Opportunity Commission has stated that disability-related inquiries and medical examinations are permitted as part of a voluntary wellness program. “Voluntary” means employees are neither required to participate nor penalized for not participating. But the EEOC has not taken a position on whether and to what extent a reward for participation amounts to a requirement to participate or whether withholding a reward from nonparticipants constitutes a penalty, thus rendering the program involuntary.

In addition to the above, employers who want to embrace activity trackers should also consider other legal issues such as liability waivers and the impact of other federal laws, including the Genetic Information Nondiscrimination Act, Title VII of the Civil Rights Act, and the Age Discrimination in Employment Act.

For BYOD employers
Many employers have already had to confront the bring-your-own-device phenomenon as employees have clamored to use their smartphones and tablets for work. With wearable devices now on the market, this trend will only continue, and employers need to be cognizant of the consequences. For example, an employee may purchase a smartwatch and sync it with his or her dual-use, BYOD smartphone. If the employer allows this new device access to its network, this could create a gaping hole in the security of the employer’s network. The employer must ensure that this device is covered by the employer’s policies regarding password requirements, acceptable use, remote wiping, etc. Moreover, the employee needs to understand that the device is covered by these policies.

Employers should also review their offboarding process to ensure that wearable devices are not overlooked when an employee with access to trade secrets or confidential information leaves the company.

For the rest of us
Even employers who do not plan to issue wearable devices or permit their use via a BYOD program must nevertheless consider how they will deal with employees with wearables. Because many wearable devices have recording capabilities, employers may wish to consider prohibiting employees from wearing such devices in certain settings. Perhaps the greatest threat presented by wearables is the risk of exposure of proprietary business information and trade secrets. Employers should continue to be concerned about the easy availability of discreet, high-resolution cameras in smartphones and other devices. Confidentiality and nondisclosure policies and agreements need to be sufficiently broad to ensure that employees are prohibited from photographing and sharing confidential information and documents without authorization from the company.

The pace of technology adoption is only increasing. The challenges that come with introducing wearable devices into the workplace are not new. The law has always lagged behind technology, forcing employers to apply outdated rules to new situations. Even for savvy employers, wearables in the workplace could lead to legal headaches if the employer has not proactively addressed the risks.

Jeffrey LaBarge is a partner with Nixon Peabody LLP. He developed this article with Joseph Carello from the firm’s labor & employment group.

8/21/15 (c) 2015 Rochester Business Journal. To obtain permission to reprint this article, call 585-546-8303 or email rbj@rbj.net.

