Q&A: A CRASH COURSE ON THE INTERNET OF THINGS

IoT Conference Table

You may have heard the term, but how well do you really understand the “Internet of Things”? Armed with an ever-increasing list of Internet-connected devices capable of collecting employee data, how can your company leverage advantages to employee productivity and collaboration and reduce exposure to information security and privacy pitfalls? 

In an interview with Bloomberg BNA, Christin McMeley, chair of Davis Wright Tremaine’s Privacy & Security Practice, highlights emerging technology trends, discusses the regulatory and legislative landscape and offers practical advice to help employers navigate the uncharted waters of the Internet of Things.

Bloomberg BNA: But seriously, what is the Internet of Things and how is it changing the modern workplace?

McMeley: People have a lot of different ideas about what the Internet of Things actually is. Michael Mandel of the Progressive Policy Institute has one of my favorite explanations. He said that it is the extension of the Internet to the physical world. In other words, the IoT connects physical objects to the Internet and often connects those objects to other objects through the Internet.

Almost any object you can think of has been connected. Automobiles, jewelry, light bulbs and more. The IoT is changing everything, including the modern workplace. Consumers often think of it in terms of the convenience or quality-of-life value their personal devices can bring, while businesses see it as providing cost savings and other benefits. The IoT also is renowned for the vast amounts of data devices can collect, which drive business analytics and innovation.

Bloomberg BNA: Many people are familiar with workplace IoT issues that have received a lot of press attention, such as the collection of employee health data via wearable technology and “Bring Your Own Device” policies. What are some other IoT trends you are monitoring that employers are leveraging?

McMeley: Employers are tapping into the big data aspects of the IoT to gauge things like productivity and collaboration. Sensors can determine whether people are using conference rooms, eating lunch together, working remotely or taking breaks, etc. Employers also use GPS to remotely monitor vehicles and drivers, as well as mobile device management to track the location of personal devices.  

The tracking of health and fitness information is often used to achieve cost savings related to health and benefit plans. The other examples above show how tracking technologies can be used to measure employee productivity, or even theft or fraud. Connected devices also can be used to find efficiencies and to promote safety. For example, they can direct the route a driver takes and can determine whether that same driver is following speed limits.

This tracking and collection of data may have legitimate business justifications, but employee privacy considerations also should be taken into account when these programs are designed.  

Bloomberg BNA: What legal trends are developing in response to the increased prevalence of these technologies in the workplace? 

McMeley: There are a lot of predictions about what the IoT is going to become, the benefits it will provide and the risks it presents. Because this is such a new and growing area, regulators and legislators seem to be watching and taking a wait-and-see approach with respect to whether IoT-specific legislation is needed.  

The Federal Trade Commission (FTC) 2015 report on the subject recognized that the IoT is in its infancy and that any IoT-specific legislation at this time would be premature.

Instead, the staff called for Congress to enact both general data security legislation with a national breach standard, as well as baseline privacy legislation that would include mandatory privacy disclosures and offer consumers choices concerning how their data is collected and used.  Commissioner Maureen Ohlhausen confirmed the Commission’s continued stance on this issue during an IoT panel at the International Association of Privacy Professionals’ Global Summit on April 6.  

The Commission isn’t, however, taking a wait-and-see approach to consumer protection, stating that its priorities in this area are the security of the devices and the privacy of the information collected.

The Commission has brought enforcement actions against two IoT companies – one a company that markets Internet-connected video cameras designed to allow consumers to remotely monitor their homes and the other a manufacturer of network routers and “cloud” based services. Both companies allegedly failed to establish and implement reasonable security practices necessary to protect consumers’ privacy. 

While the National Labor Relations Board hasn’t specifically addressed the IOT, it has weighed in on privacy and monitoring of employee e-mails and social media accounts. Any kind of monitoring that tracks employee congregation and could be used to deter collective bargaining activities might face NLRB scrutiny.  

At the state level, there are laws relating to employee monitoring, tracking and privacy. For example, California, Delaware, Michigan, Tennessee and Texas prohibit electronic tracking of vehicles without their owner’s consent. States, such as Connecticut, Massachusetts and Texas, require employers to provide notice to employees of certain privacy practices.  

Employers also may have contractual obligations under collective bargaining agreements to disclose employee monitoring or to take other actions related to those activities.

Bloomberg BNA: What practical advice would you give to employers on avoiding thorny privacy issues, particularly in areas where regulation and compliance aren’t clearly defined?

McMeley: Remember that employees are consumers, too. There have been several FTC employment actions related to employers not securing employees’ private data. As employees bring connected devices into the workplace, employers should ensure they take reasonable measures to secure the information collected and follow guidance provided in the FTC’s 2015 IoT report and in the IoT enforcement cases.

Although we haven’t seen this particular case yet, an employer’s unfair or deceptive collection or use of employee information could subject them to FTC enforcement actions. Therefore, employers should consider the security of the devices they use to collect employee information, how they communicate their practices to employees and the choices they give employees about the data collected.  

For example, some recommended location tracking practices include:

  • Implement a geotracking policy, with signed acknowledgement;
  • Routinely review employee policies to ensure adequate disclosure of current practices and update policies as necessary;
  • Train employees and managers on the policy’s data collection and use requirements;
  • Limit scope of tracking to (1) employee-owned property, (2) work hours and (3) relevant information (i.e., related to job performance); and
  • Know the law in your jurisdiction.

Bloomberg BNA: Any final thoughts?

McMeley: This is a rapidly developing area—operationally as well as legally. Similar to customer data, employers need to understand what employee data is being collected, how it is being used and what disclosures or consents need to be made or obtained and to confirm that the data is adequately protected, including by third parties. 

Get up-to-date news and expert analysis from respected practitioners and Bloomberg BNA's legal editors, and practical research tools with a free trial to the Labor & Employment Law Resource Center.