Cybersecurity and the Workplace: Balancing Privacy, Security and Innovation
American workplaces are on the cusp—or already in the middle—of significant, widespread changes brought about by rapid advances in technology.
July 24, 2019 at 12:31 PM
American workplaces are on the cusp—or already in the middle—of significant, widespread changes brought about by rapid advances in technology. Among other issues, new workplace technologies can often capture massive amounts of data about employees, providing employers access to ever-increasing amounts of information about their workforces. As employers continue to innovate and grow their digital capabilities, they must remain mindful of both maintaining the security of the data they collect and protecting, or at least being sensitive to, employee privacy concerns.
Background
- A brief background of the current paradigm relating to employee privacy and cybersecurity in the workplace.
The current rules of the road relating to balancing data security and employee privacy are an at-times unclear, but typically manageable, compliance hurdle. From a data integrity and security perspective, a web of local, state, federal and international rules imposes obligations on many organizations to implement reasonable measures to maintain the security of sensitive data, and imposes notification obligations if a breach occurs. While the European Union (EU) has adopted a uniform approach to privacy under the General Data Protection Regulation (GDPR), the United States has a piecemeal approach to privacy driven mostly by evolving state and local laws. For example, California recently passed GDPR-like legislation that may place limitations on employers' use of employee or applicant data. The laws relating to data protection are evolving and require employers' regular review of applicable federal and state regulations.
From an employee privacy perspective, many workers expect that they have some degree of privacy in the workplace. This expectation is at times at odds with employers' obligation to maintain data security, which often requires the imposition of certain monitoring requirements to ensure that external or internal breaches do not occur. Whether employees have an actual legal right to privacy depends largely on where and how an employer is accessing the employee's personal information. Over time, courts have developed some generally accepted rules surrounding permissible employer monitoring of employees tied to widely adopted technology (like email). For example, generally, an employer can monitor employees' work emails and internet use when employees are on a company network. Similarly, employers can generally install surveillance cameras to record images in areas where employees have no reasonable expectation of privacy (recording audio is more complicated, as are “hidden” surveillance videos).
- Technology innovations are driving the future workplace.
Over the next decade, the future of work will involve increasing job augmentation and modification due to technological advancements. Already, many American workplaces (large and small) are incorporating ever more technology into their workflows—both in “operations” and “administration.” As just some examples:
- Employers have access to an unprecedented amount of information about employees through big data and advances in artificial intelligence (AI). For example, employers now have access to AI-powered tools that can comb through employee emails and identify which employees are flight risks. AI-powered recruitment tools also can review applicant videos and resumes and provide employers with insights about things like the individual's temperament and fitness for a role.
- Employers are also increasingly incorporating biometric devices into the workplace. Biometric technology recognizes and authenticates employees based on their unique biological or behavioral traits. The biometric technologies most commonly used in the workplace are facial recognition and fingerprint scanning, with some organizations using hand geometry, iris scanning and voice recognition. Companies are using biometric devices as a potentially more secure way to authenticate employee identity for things like time-keeping, accessing facilities or devices, or granting access to sensitive data.
- Employers are providing employees with wearable devices like fitness trackers to encourage employee wellness. Perhaps more significantly, employers are increasingly incorporating wearable technology into their workflows like smart glasses, wearable scanners, and wearable exoskeletons. These devices can augment employees' physical and perceptual capabilities in numerous ways; they also capture significant amounts of data that can be utilized for quality control and risk management, among other things.
These technologies can provide powerful benefits to organizations in terms of increased efficiencies, improved quality, lower cost, and better results. However, almost all forms of technology, particularly ones driven by AI, can collect, potentially analyze and draw insights from data—raising issues of data security and employee monitoring. Over the last decade, a small number of states have implemented new rules attempting to strike a balance between privacy and reasonable employer monitoring relating to technological developments in areas like employee social media activity and biometric privacy.
- Balancing privacy, security and technology.
As new technologies develop, managing employee privacy expectations, cybersecurity obligations and the need to evolve and innovate will become increasingly difficult. Since new regulations have not developed (and are unlikely to develop) at the pace of technology, the lack of a good “fit” between 21st-century technology and 20th-century laws creates compliance concerns that can be tricky to navigate. However, implementation of best practices can help to balance employers' competing priorities. Consider:
- Include a cross-disciplinary team of decision makers. Cross-functional teams with a mix of skills and perspectives are ideal when considering new technology and issues of cybersecurity and employee monitoring. The teams should include business and operations management-level personnel and analytics experts, human resources professionals, and legal personnel. Not only should the teams include members with different skill sets, they should also be demographically diverse. Bringing together members with different backgrounds and skill sets can assist with identifying opportunities, ensuring internal alignment, deploying tools consistently with corporate culture, and mitigating legal and practical risks.
- Maintain and regularly review and update policies. Employers should consider the development of clear policies surrounding monitoring of employees and use and access to the data available through new technologies, as well as specific policies surrounding what will happen if data is accessed without authorization and what will happen if a breach occurs. Employers should regularly audit and monitor their policies to ensure that the policies work as designed, and evaluate whether changes are needed.
- Obtain informed employee consent where needed. While, often, it is sufficient to simply have a policy that provides notification, for example, about what data is being tracked by an employer and how it will be used, sometimes it may be advisable to obtain informed employee consent. For example, Illinois' General Assembly passed the Artificial Intelligence Video Interview Act, which would require employers to take certain steps before asking applicants to submit to video interviews: notify applicants for Illinois-based positions of plans to have their video interviews analyzed electronically; explain to the applicants how the artificial intelligence analysis technology works and what characteristics will be used to evaluate them; and obtain the applicants' consent to using the technology. The law has not yet been signed by Illinois' governor, but could be a harbinger that similar consent laws may be forthcoming.
- Develop clear communication mechanisms surrounding new technology. Presenting employees with information about changes in workplace technology, including any monitoring of their activities and limitations on their privacy tied to technology, will allow employees to understand and recalibrate their expectations in the workplace. Communication should be timely, clear, and presented by someone in leadership.
- Limit and restrict data access. The more data is disseminated, the more opportunities there are for it to be breached. Similarly, the more data that is available to an employer, the more opportunity there is for litigation challenges based on use of the data. Careful advance evaluation of logistical details, such as how data is stored, who has access to data, and what forms of data they are given access to (traceable or anonymized data, for example), is important.
This area of the law is constantly evolving. Best practices should be adapted to each employer's operations and should be re-evaluated based on changing legal, technological and business conditions.
Jennifer G. Betts, a shareholder at Ogletree, Deakins, Nash, Smoak & Stewart, represents and counsels employers regarding complex traditional labor and employment matters. She has defended numerous employment class and collective actions for clients in a wide array of industries including retailers, manufacturers, banks, and in the energy sector.