by ·0 Comments

Your employees may return to the office after the holidays with new gadgets strapped to their wrist. Wearable devices like the Apple Watch, Android Wear smart watch, and FitBit are some of the hottest holiday gifts of 2015. Or maybe your company gave wearable devices as gifts to its employees. Either way, wearables are showing up more and more in the office. With that trend come a slew of legal concerns. Here are some of the legal issues created by wearables to be aware of:

Privacy

Wearable devices make it easier to violate privacy rights. If the wearable device is employer-issued, it could be used to track and monitor employees. Be sure to give notice to employees before doing that, and obtain their written consent to having their activity monitored. Employees should be told what information the company collects and how it will be used. If your workforce is unionized, use of wearables for monitoring purposes may be a point for collective bargaining.

Then there’s the privacy of co-workers. Some wearables can record audio and video, but they’re generally less detectable than smartphones and cameras. An employees’ ability to record interactions with co-workers and customers without their knowledge raises a variety of legal challenges. Workplace policies should explain the circumstances under which certain categories may or may not be used and describe the kind of notice employees who use wearables in the workplace must give to co-workers and customers.

Data Security

If a wearable device is allowed access to the company network, it should be subject to BYOD policies like use of encryption, strong password requirements, device locks, etc. Don’t let wearables be an undetected hole in your network’s security. Also be sure to preserve the right to collect work-related information stored on your employees’ wearable devices, as such access might be necessary to comply with information requests in an investigation or litigation.

Productivity

Smartphones and web browsers already give employees plenty of opportunities to engage in distractions that kill productivity, and wearables make that problem even more challenging. Consider modifying your workplace policies to address the use of company resources and company time to engage in personal activity using wearables.

by ·0 Comments

A recent National Labor Relations Board Shore Point Advisory Letter gives a bit of good news to employers who want to use modern monitoring technology to monitor employees that they suspect are breaking work rules. On November 2, 2015, the NLRB concluded that an alcoholic beverage distributor (Shore Point), did not violate labor laws by failing to negotiate with its employees’ union before installing a GPS tracking device on an employee’s company truck. Shore Point suspected that the employee was stealing time while on his work routes. Shore Point’s collective bargaining agreement contains rules against stealing time.

Shore Point hired a private investigator to follow the employee to collect evidence for disciplinary purposes, an established practice the union had not objected to in the past. The investigator placed a GPS tracking device on the employee’s truck to maintain and regain visual contact.  The GPS was only installed on the employee’s vehicle on the days when the investigator was following the employee, and was used as a backup method in case the investigator lost visual sight of the employee and his truck. Based on the investigator’s observations of the employee engaging in misconduct, Shore Point terminated the employee. The union filed a charge alleging that the employer unilaterally engaged in electronic surveillance without bargaining in violation of the National Labor Relations Act.

The NLRB determined that Shore Point did not have an obligation to bargain over the installation and use of the GPS device. Although the use of the device was a mandatory subject of bargaining, it did not amount to a material, substantial, and significant change in the terms and conditions of employment.  Shore Point had an existing practice of using a personal investigator to monitor employees suspected of misconduct. Using a GPS tracking device was just “a mechanical method to assist in the enforcement of an established policy,” and therefore was not a material, substantial, or significant change in policy.  The NLRB also noted that the GPS device only added to information that the private investigator had collected through personal observation, did not increase the likelihood of employee discipline, and did not provide an independent basis for termination.

At least two lessons can be learned from this case. First, when crafting employee work rules subject to bargaining, build in flexibility to allow for use of technological advances in enforcement methods. Second, disciplinary action against an employee should be supported with various types of evidence if possible. Just relying on evidence collected with a controversial or untested method is risky because if the use of the method is determined unlawful, the basis for the disciplinary action disappears.

by ·0 Comments

The FTC released two guides on the privacy and security issues related to the Internet of Things.  The first is a staff report based on discussions in an FTC-hosted workshop on the subject held on November 19, 2013.  In addition to summarizing the workshop discussions, the report contains staff’s recommendations in the IoT space.  This prompted a FTC Commissioner (Joshua Wright) to dissent from the decision to issue the report.  In Commissioner Wright’s view, it is premature to publish staff recommendations in this area without further research, data, and analysis.  The dissenting statement can be found here.

The report discusses the benefits of IoT as well as three risks:

  1. enabling unauthorized access and misuse of personal information;
  2. facilitating attacks on other systems; and
  3. creating risks to personal safety

The report also discusses Fair Information Practice Principles including security, data minimization, notice, and choice.  Click here to read the full report.

Along with the staff report, the FTC issued a guide called “Careful Connections” that provides recommendations on building security into IoT applications.  Download the guide here.

Related articles

by ·0 Comments

The Federal Trade Commission (FTC) just announced that Snapchat agreed to settle charges that it deceived consumers about how its popular mobile message app worked and what personal user data it collected.  (Read the FTC’s press release here). Part of Snapchat’s appeal was a feature enabling users to control how long a message could be seen by the recipient. After the designated time limit expires, the message is destroyed, much like the mission briefings in Mission Impossible. At least that’s what Snapchat told users. According to the FTC, Snapchat misled consumers because the app didn’t exactly work the way it said it did. The FTC’s complaint against Snapchat (read it here) included these allegations:

  • Recipients of a “snap” (a Snapchat message) could save the snap using tools outside of the app. Snapchat apparently stored video snaps in a location on the recipient’s mobile device outside of the app’s secure “sandbox.” This enabled recipients to find and save video snaps by connecting their mobile device to a computer and using simple file browsing tools. Another way to bypass the deletion feature was to use apps that connected to Snapchat’s API to download and save snaps.
  • Snapchat told users that if a message recipient took a snapshot of the snap, the sender would be notified. In fact, the screenshot detection mention could be bypassed.
  • Snapchat collected geolocation data of users when it said it would not.
  • Snapchat told users to enter their mobile number to find friends who also use the app, implying that the user’s mobile phone number was the only information it collected. Without the user’s knowledge, Snapchat also collected the names and phone numbers of all contacts in the address book on the user’s phone.

So what’s the significance of the settlement? Here are a few quick takeaways.

  • Descriptions of mobile apps in an app marketplace like iTunes App Store or Google Play are product descriptions that could be the basis for false advertising claims.
  • Including boilerplate language in an app description, terms of use, or privacy policy is a bad idea if you don’t know what it means or can’t verify its accuracy. Snapchat’s privacy policy told users that it “did not ask for, track, or access any location-specific information.” A lot of apps say that. The problem was that Snapchat integrated an analytics tracking service in the Android version of the app that did collect location information.
  • Take into account exploits and workarounds when drafting privacy policies and product descriptions. This includes software that uses the app’s API.
  • The FTC is getting more active in pursuing false advertising claims against mobile app makers. In December of last year, the FTC settled charges that the developer of the “Brightest Flashlight Free” app deceived consumers about how their geolocation information would be shared with advertising networks and other third parties. The FTC’s interest in suing companies that allow a data breach to occur is also a growing concern, especially after the New Jersey federal district court’s decision in FTC v. Wyndham Worldwide Corp., recognizing the FTC’s authority to prosecute cases where a company is alleged to have failed to maintain “reasonable and appropriate data security for consumers’ sensitive personal information.”
  • Information transmitted over the Internet is rarely, if ever, gone forever. Somehow, somewhere, electronic data can be retrieved.
Related articles
Enhanced by Zemanta

by ·0 Comments

It’s time to roundup the bills related to computer technology that the Hawai‘i legislature is considering in its 2014 regular session.  Click here for a chart summarizing the proposed legislation.  Here are the highlights:

Social Media and Internet Account Passwords:  Several bills to prohibit improper requests for access to personal social media accounts of employees and students were introduced in the 2013 session.  None of the them passed.  This year, HB2415 renews the effort to outlaw improper social media password requests.

Internet Sales Tax:  HB1651 would require online companies with arrangements with Hawaii merchants for referral of business  to collect use taxes on sales made in Hawaii.  This bill would affect online retailers like Amazon, who allows local merchants to sell their products through Amazon Marketplace.

Restrictive Covenants:  In an effort to encourage the development of technology business in Hawai‘i, a state with a relatively small geographic area, two bills (HB2617 and SB3126) would prohibit technology businesses from requiring employees to enter into noncompete agreements and restrictive covenants.  “Technology business” is defined as “a trade or business that relies on software development, information technology, or both.”

Cybersquatting: SB2958 would put the burden on a cybersquatter to prove that it did not register a domain name in bad faith or with intent to use it in an unlawful manner, provided that the person claiming cybersquatting can demonstrate the potential of immediate and irreparable harm through misuse of the domain name.

Cybersecurity Council: SB2474 would establish the Hawai‘i cybersecurity, economic, education, anfrastructure security council.

Mobile Devices: Three bills (HB1509HB1896, and SB2729) would make it a State offense to use a mobile electronic device while operating a motor vehicle.  Certain counties already have similar laws.

3D Printing: In response to the rising availability of 3D printers, HB1802 would make it a crime to create, possess, sell, trade, or give another person a firearm made with digital manufacturing technology.

Computer crimes: A series of bills criminalizes various kinds of computer activity, including unauthorized access to a computer or network and damage to a “critical infrastructure computer” (HB1640); theft of a computer (HB1644);  or personal electronic device for storing or retrieving personal information (HB2080); and revenge porn (SB2319).