Please do not leave this page until complete. This can take a few moments.
As companies across all sectors rely more heavily on technology and digital data, how can employers make sure they’re playing by the rules and steer clear of potentially costly security issues or legal challenges?
Mainebiz talked to Maine-based experts working in cybersecurity, human resources and law to weigh in on new workplace technologies and some of the risks they pose, along with their advice for businesses.
Here’s a roundup of what they told us.
Smart watches, fitness trackers and other wearable devices that track a person’s physical activity are more than a lifestyle accessory in what’s projected to become a $57 billion industry by 2022, up from $19 billion in 2016.
Increasingly, wearable technology is being used in corporate wellness programs to monitor employees’ movements and job performance, measuring everything from truck drivers’ sleep to logistic workers’ efficiency in a warehouse. Other companies, for example in health care or defense, are using fingerprint, voice recognition and retina scanners for security purposes.
All that adds up to a huge amount of biometric or personal employee data in the hands of their employers, exposing companies to increasing legal liability.
“We’re at a time in the United States when we don’t have any federal law that oversees the collection of this biometric data from an employment standpoint, but we’re seeing more and more states that are stepping in and creating statutes to protect consumers and employees from the use of this data, because it’s an asset,” says Tawny Alvarez, a partner in the labor and employment practice at Portland law firm Verrill. She points to statutes in Illinois, Texas and Washington and the new California Consumer Privacy Act.
While Maine doesn’t have a statute or case law in this area, Alvarez cites the 2007 bankruptcy of a California company called Pay By Touch that attempted to sell its database of fingerprints from grocery shoppers using its technology.
“It was at that point that all the legislators said, ‘you can’t sell this, it’s not like a credit card number,” she says. “I think in the future we’re going to see more states mandating protections in place for employees.”
So what should Maine employers do when it comes to collecting personal data? Proceed with caution, according to Alvarez and other lawyers.
“I would make sure that a policy is in place beforehand that provides an outline of what they’re going to use the data for, who is going to have access to it, and the timeline for destruction of the data,” Alvarez says. She also recommends getting written consent from employees that’s signed and dated, and looking to statutes in other states as guidance.
Robert Brooks, also a partner in Verrill’s labor and employment practice suggests, “Before a business starts collecting this kind of data, they should ask themselves, ‘Do we really need to collect it?’ and then evaluate how much it’s going to cost to protect that information from inappropriate disclosure.”
And Dawn Harmon, a director and shareholder at Portland law firm Perkins Thompson, says: “If you are going to implement wearable technology, then your handbook should have clear guidelines giving employees notice of what type of data you’re collecting … Transparency is key, as well as being able to tie it to a business necessity.”
From a technical standpoint, the increasing number of people working remotely carries new risks for employers.
“A remote workforce makes managing mobile devices that store company data more challenging than ever,” says Rob Simopoulos, a 20-plus-year security-industry veteran who co-founded Portland cybersecurity startup Defendify with Andrew Rinaldi in 2017.
For companies with employees working from home or other remote locations on their personal phones, tablets or laptop computers, Simopoulos recommends protecting those devices in the same way they do company-owned computers.
“Our mobile phones today carry an incredible amount of information,” he says, “and once business data is included, that now means it has sensitive company emails, documents and photos.” He adds that many companies are responding with so-called mobile device management solutions that give them control over devices — by forcing the user to enter a password or allowing a lost phone, tablet or laptop to be detonated remotely so the data is not available to the finder.
He also recommends requiring employees to use strong passwords with so-called two-factor authentication on laptops, along with encrypting all hard drives, to prevent access when computers are lost or stolen. Lost USB flash drives pose another problem that many companies avoid by prohibiting their usage, or deploying technology to block a connection.
When employees logging in on mobile devices from coffee shops, hotels and restaurants connect to public wireless or wifi networks, they put their devices at risk, according to Simopoulos. His suggestion: Provide employees with company-owned hotspot devices allowing them to communicate on their own connection. “Even in your personal life,” he says, “you might want to consider using your phone’s hotspot feature rather than public wifi.”
On the human resources front, Simopoulos recommends that all companies issue a standalone technology and data use policy guide.
“It is a simple handbook that an employee reads and agrees to that outlines with rules as to how company devices and company data should be used,” he says. “It should be more than a paragraph in your employee handbook and should be reviewed, and all company employees should be trained on it regularly.”
Companies thinking of storing and accessing data programs over the web, often referred to as cloud computing, should look before they leap.
That’s a suggestion from Meg Fleming, president of Symquest Group Inc., a wholly owned subsidiary of Konica Minolta Business Solutions U.S.A. Inc. with dual headquarters in South Burlington, Vt., and Westbrook. Symquest designs, installs and supports business technologies, including cloud service solutions.
“The top risk for employers when it comes to moving to the cloud,” Fleming says, “is that their business applications may not be cloud-ready, resulting in a business disruption. My advice would be to fully vet out every application they use to ensure that they are as efficient or more efficient when they cut over.”
For large employers screening large numbers of job applications, automated computer systems or artificial intelligence can be a huge time-saver. Other uses include tracking job performance or identifying employees for promotion.
While the automated systems are intended to ensure impartial recruiting, that’s not a guarantee, as Amazon discovered when it found out that its new recruiting tool was biased against women. The flawed computer models had apparently been trained to vet applicants for software developer jobs by observing resumes submitted over a 10-year period that had mostly been submitted by men, so the algorithm was essentially teaching itself to discriminate against women, Reuters reported in October 2018.
While the e-commerce giant eventually disbanded its team of machine-learning specialists who had developed the program, the number of automated tools for screening resumes and conducting personality tests is growing—all designed to eliminate human error and subjectivity. But without any guarantees, human resources professionals and lawyers alike urge employers to be cautious.
“If A.I. can do something to decrease the amount of touches a recruiter needs to make, that would be one argument for it,” notes Tara Jenkins, a business consultant who worked in human resources for 25 years at companies including IDEXX Laboratories Inc. and Portland-based law firm Pierce Atwood.
But she says that only 14% of employers nationwide are using A.I. in hiring and recommends employers who do so use it strategically, warning: “There’s a huge amount of questions around discrimination and bias within A.I. already, and it opens up employers to a huge amount of liability.” She also notes that job search and networking platforms like LinkedIn have some built-in artificial intelligence capabilities that she never became dependent on as a recruiter.
“I don’t want a passive candidate that the A.I. has hatched,” she says. “I want to look at candidates that have actively applied. That’s always been more effective for me.”
Kim Anania, president of KMA Human Resources Consulting in Falmouth, also believes in keeping the human element in HR and not becoming overly reliant on technology.
She says that while applicant tracking tools are great for helping narrow down a pool of applicants, they can also miss a lot of qualified people.
“The larger the client, the more it’s needed, but our approach doesn’t rely on the system sorting through the resumes, even if we get hundreds … We take the time and look at the quality of the candidate.”
While applicant tracking systems as a “wonderful tool for communication,” she sees human interaction as more important. “KMA’s approach to everything is that technology can never replace the face-to-face relationship character of people, and that’s what HR is all about,” she says.
0 Comments