Wearable technology continues to do a full-court press on the marketplace, and in the process, the step counters of the world and health apps tied to devices capable of tracking real-time biostatistics are revolutionizing the way companies think about wellness. Wearables are the latest in workplace fads and they’ve got the numbers to back it up: sales are likely to hit $4 billion in 2017 and 125 million units are likely to be shipped by 2019. Wearable technology has transformed the workplace just as more and more employers are utilizing wellness programs to improve employee motivation and health. As the popularity of these technologies soars, so too will concerns around the associated privacy and data security risks. In this blog post, we discuss just a few of the legal implications for employers who run wellness programs embracing this new fad.
We are well into March Madness … and Happy St. Patrick’s Day!
You may have already had your bracket busted by now… but you should have Mintz Levin’s Third Annual Employment Law Summit on your schedule, and the panel on Cybersecurity and Employee Data Breaches may help you avoid a security incident/personal data buster.
It’s our favorite time of year over at Employment Matters – March Madness! Let’s quickly recap where we’ve been.
Our colleagues over at the Privacy & Security Matters blog wrote a really good piece entitled “It’s Tax Time – Don’t be Phished,” which guides employers on how to avoid phishing scams during this tax season. It’s a must read because the targets of these scams are HR and payroll departments, and employer awareness is necessary not only to protect employees, but also because responding to one of these scam emails constitutes a reportable data breach under state laws. Employers could have significant liability for failure to provide notice to employees and/or state regulators (where required).
From: Ned Help
To: Carrie Counselor
Date: June 1, 2016
Subject: Lost laptop containing European customer information
A couple of weeks ago, you wrote me about an employee who will be engaging in a six-month temporary assignment around Europe to scope market opportunities. The employee was Abbie Absent-Minded. Well, we hit a snag pretty quickly. Abbie just e-mailed me to say that she left her laptop on a train in London last evening and it hasn’t turned up yet in the train company’s lost-and-found. It was a brand-new laptop that we had given her for her European assignment, so fortunately it didn’t have a lot on it. Abbie said that the laptop had contact information for her various marketing prospects, plus some sample customer data that she was given by one of her prospects to use in a demo of our web-based advertising product. She thinks that the customer data included around 200 records with the customer’s name, age, gender, e-mail address and the history of purchases that the customer made from our prospective client’s retail stores.
I assume that we should tell our prospective client that the laptop with their customer data was lost. What else do we need to think about?
Last week, the U.S. Department of Labor’s Occupational Safety and Health Administration (OSHA) issued a final rule aimed at updating the way it collects data and preventing workplace injuries and illnesses. The final rule can be broken down into two parts: (1) Electronic Reporting and Data Collection; and (2) Employee Involvement and Retaliation, each of which we discuss below.
From: Carrie Counselor
To: Ned Help
Date: May 19, 2016
Subject: RE: Privacy considerations for employees working abroad
I understand that one of your employees will be engaging in a six-month temporary assignment around Europe to scope market opportunities, and you’d like to have a better understanding of what to be thinking about in terms of privacy. Great question! This is an area where many employers struggle because other jurisdictions protect privacy and personal data quite differently than we do here in the United States.
Everyone loves a good courtroom drama. So just imagine this pitch: henchmen of an evil dictator hack their way into a movie studio computer system. Once inside, they steal the most sensitive personal information of the studio’s stars, executives and employees. Their most intimate secrets, spilled over the Internet. Who can help these poor souls? Why, the brave and hard-working class action lawyers, that’s who. Through grit, pluck and lawyerly derring-do, our intrepid heroes soon bring the evil wrongdoers to justice. Think “The Manchurian Candidate” meets “Erin Brockovich.”
But real life is rarely like the movies, even when it involves the movies. Yes, Sony Pictures Entertainment (“SPE”) did suffer a cyberattack that disclosed employees’ personally identifiable information (“PII”). The data breach was allegedly perpetrated by North Korean hackers in retaliation for SPE’s release of “The Interview,” a satirical comedy depicting an attempt on the life of North Korean dictator Kim Jong-Un. And class action litigation predictably followed. But the evil wrongdoers who faced the wrath of class counsel? Alas, the hackers were inconveniently beyond the reach of our legal system and, thus, unavailable to answer for their crime. So SPE, the studio victimized by the hack, would have to do.
And the result of this drama?
My colleague, Mitch Danzig, was quoted in a SHRM article entitled “Keep Employees on the Ball During March Madness,” in which he provides strategies for employers to avoid legal claims when monitoring employees’ computer use. The article outlines ways employers can both manage “cyberslacking” and boost morale in the workplace during March Madness.
My colleague, Sue Foster, is out with a quick but important post on our sister blog, Privacy and Security Matters, about a European Court of Human Rights decision that approved employer access to personal employee communications under limited circumstances. You can read it here. As Sue notes, the decision serves as a reminder that employers should consult local counsel before monitoring employee communications.