Commentary

Cybersecurity and the Workplace: Balancing Privacy, Security and Innovation


July 24, 2019 at 12:31 PM



Jennifer Betts, Ogletree, Deakins, Nash, Smoak & Stewart

American workplaces are on the cusp—or already in the middle—of significant, widespread changes brought about by rapid advances in technology. Among other issues, new workplace technologies can often capture massive amounts of data about employees, providing employers access to ever-increasing amounts of information about their workforces. As employers continue to innovate and grow their digital capabilities, they must remain mindful of both maintaining the security of the data they collect and protecting, or at least being sensitive to, employee privacy concerns.

Background

  • A brief background of the current paradigm relating to employee privacy and cybersecurity in the workplace. 

The current rules of the road relating to balancing data security and employee privacy are an at-times unclear, but typically manageable, compliance hurdle. From a data integrity and security perspective, a web of local, state, federal and international rules impose obligations on many organizations to implement reasonable measures to maintain the security of sensitive data, and impose notification obligations if a breach occurs. While the European Union (EU) has adopted a uniform approach to privacy under the General Data Protection Regulation (GDPR), the United States has a piecemeal approach to privacy driven by, mostly, evolving state and local laws. For example, California recently passed GDPR-like legislation that may place limitations on employers' use of employee or applicant data. The laws relating to data protection are evolving and require employers' regular review of applicable federal and state regulations.

From an employee privacy perspective, many workers expect that they have some degree of privacy in the workplace. This expectation is at times at odds with employers' obligation to maintain data security, which often requires the imposition of certain monitoring requirements to ensure that external or internal breaches do not occur. Whether employees have an actual legal right to privacy depends largely on where and how an employer is accessing the employee's personal information. Over time, courts have developed some generally accepted rules surrounding permissible employer monitoring of employees tied to widely adopted technology (like email). For example, generally, an employer can monitor employees' work emails and internet use when employees are on a company network. Similarly, employers can generally install surveillance cameras to record images in areas where employees have no reasonable expectation of privacy (recording audio is more complicated, as are “hidden” surveillance videos).

  • Technology innovations are driving the future workplace.

Over the next decade, the future of work will involve increasing job augmentation and modification due to technological advancements. Already, many American workplaces (large and small) are incorporating ever more technology into their workflows—both in “operations” and “administration.” As just some examples:

  • Employers have access to an unprecedented amount of information about employees through big data and advances in artificial intelligence (AI). For example, employers now have access to AI-powered tools that can comb through employee emails and identify which employees are flight risks. AI-powered recruitment tools also can review applicant videos and resumes and provide employers with insights about things like the individual's temperament and fitness for a role.
  • Employers are also increasingly incorporating biometric devices into the workplace. Biometric technology recognizes and authenticates employees based on their unique biological or behavioral traits. The biometric technologies most commonly used in the workplace are facial recognition and fingerprint scanning, with some organizations using hand geometry, iris scanning and voice recognition. Companies are using biometric devices as a potentially more secure way to authenticate employee identity for things like time-keeping, accessing facilities or devices, or granting access to sensitive data.
  • Employers are providing employees with wearable devices like fitness trackers to encourage employee wellness. Perhaps more significantly, employers are increasingly incorporating wearable technology into their workflows like smart glasses, wearable scanners, and wearable exoskeletons. These devices can augment employees' physical and perceptual capabilities in numerous ways; they also capture significant amounts of data that can be utilized for quality control and risk management, among other things.

These technologies can provide powerful benefits to organizations in terms of increased efficiencies, improved quality, lower cost, and better results. However, almost all forms of technology, particularly ones driven by AI, can collect, potentially analyze and draw insights from data—raising issues of data security and employee monitoring. Over the last decade, a small number of states have implemented new rules attempting to strike a balance between privacy and reasonable employer monitoring relating to technological developments in areas like employee social media activity and biometric privacy.

  • Balancing privacy, security and technology. 

As new technologies develop, managing employee privacy expectations, cybersecurity obligations and the need to evolve and innovate will become increasingly difficult. Since new regulations have not developed (and are unlikely to develop) at the pace of technology, the lack of a good “fit” between 21st century technology and 20th century laws creates compliance concerns that can be tricky to navigate. However, implementation of best practices can help to balance employers' competing priorities. Consider:

  • Include a cross-disciplinary team of decision makers. Cross-functional teams with a mix of skills and perspectives are ideal when considering new technology and issues of cybersecurity and employee monitoring. The teams should include business and operations management-level personnel and analytics experts, human resources professionals, and legal personnel. Not only should the teams include members with different skill sets, they should also be demographically diverse. Bringing together members with different backgrounds and skill sets can assist with identifying opportunities, ensuring internal alignment, deploying tools consistently with corporate culture, and mitigating legal and practical risks.
  • Maintain and regularly review and update policies. Employers should consider the development of clear policies surrounding monitoring of employees and use and access to the data available through new technologies, as well as specific policies surrounding what will happen if data is accessed without authorization and what will happen if a breach occurs. Employers should regularly audit and monitor their policies to ensure that the policies work as designed, and evaluate whether changes are needed.
  • Obtain informed employee consent where needed. While, often, it is sufficient to simply have a policy that provides notification, for example, about what data is being tracked by an employer and how it will be used, sometimes it may be advisable to obtain informed employee consent. For example, Illinois' General Assembly passed the Artificial Intelligence Video Interview Act, which would require employers to take certain steps before asking applicants to submit to video interviews: notify applicants for Illinois-based positions of plans to have their video interviews analyzed electronically; explain to the applicants how the artificial intelligence analysis technology works and what characteristics will be used to evaluate them; and obtain the applicants' consent to using the technology. The law has not yet been signed by Illinois' governor, but could be a harbinger that similar consent laws may be forthcoming.
  • Develop clear communication mechanisms surrounding new technology. Presenting employees with information about changes in workplace technology, including any monitoring of their activities and limitations on their privacy tied to technology, will allow employees to understand and recalibrate their expectations in the workplace. Communication should be timely, clear, and presented by someone in leadership.
  • Limit and restrict data access. The more data is disseminated, the more opportunities for it to be breached. Similarly, the more data that is available to an employer, the more opportunity for litigation challenges based on use of the data. Careful advance evaluation of logistical details such as how data is stored, who has access to data, and to what forms of data access is provided (traceable data or anonymized, for example) is important.

This area of the law is constantly evolving. Best practices should be adapted to each employer's operations and should be re-evaluated based on changing legal, technological and business conditions.

Jennifer G. Betts, a shareholder at Ogletree, Deakins, Nash, Smoak & Stewart, represents and counsels employers regarding complex traditional labor and employment matters. She has defended numerous employment class and collective actions for clients in a wide array of industries including retailers, manufacturers, banks, and in the energy sector.
