Seyfarth Synopsis: Information is everywhere, especially in the workplace. But traditional means of securing and sharing data—which typically involve accessing password protected information from various sources—is inefficient, cumbersome, and risky. As old authentication methods are replaced with biometric and blockchain applications, companies will enjoy increased efficiency, security, and cost-savings. But they would be wise to prepare by first understanding the potential legal pitfalls involved.

1. The Problem

It is no secret that “username” and “password” have become the evil twins of nineties-era data protection. The username and password combinations designed to keep third parties out often block access to the very users the system was designed to protect. As a result, login credentials are often simplified to increase memorability, or the same credentials are used to access different devices or systems at work and at home. Either way, security is compromised in favor of efficiency. Worse still, the typical solution to this problem involves an added layer of bureaucratic inconvenience: mandatory password changes every 90 days.

The username-password paradigm is also costly. According to Microsoft’s Director of Program Management, Alex Simons, the company spends over $2 million per month helping people change and recover passwords. And IBM estimates the average cost of a single data breach to be $3.6 million.

2. Biometric & Blockchain-Based Solutions

Luckily, biometric and blockchain technologies—which have applications far beyond data protection—are already replacing this broken system. Biometrics refers to the measurement and analysis of an individual’s biological characteristics, like one’s face, fingerprint, iris, gait, or ear cavity (which happens to be more unique than a fingerprint). Chances are, you already use biometric data to unlock your phone or car. If you ever call your bank, the odds are high that it uses biometric technology to authenticate your voice. And, as the technology becomes more affordable, employers are using biometric data to record employee hours, protect against fraud, and restrict access to the workplace.

Although biometric authentication promises to reduce costs while increasing convenience, it is not by itself a silver bullet for the username-password conundrum. Traditional authentication methods that rely on usernames, passwords, driver’s licenses, and social security numbers can be changed or replaced if stolen or compromised. But biometric data is immutable and, as a result, its use in the workplace raises a host of privacy concerns and potentially places employees at a heightened risk of identity theft. While biometric data is more secure than a username and password, biometric data is still data, which can be copied, shared, leaked, and hacked. As a result, if biometric data is stored on a misplaced thumb drive, anyone who finds the thumb drive could use the data for nefarious purposes. And this exposes a company’s entire system to a single point of failure.

The solution? The blockchain—a decentralized, digitized, distributed ledger. Unlike traditional authentication methods that rely on a single point of access to a centralized database, blockchain secures information by distributing it across a series of digitized “blocks” on a network of unrelated computers or servers (i.e., “nodes”) that are cryptographically linked and secured. In layman’s terms, this means that there is no single point of compromise because you can’t hack one block in the chain unless you hack them all. And that is exceptionally difficult.
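To make the “cryptographically linked” blocks described above concrete, here is an added illustration (not code from the post or from any product it mentions) of a minimal hash chain: each block’s hash covers the previous block’s hash, so altering one block breaks every link after it unless the tamperer rewrites all of them, and the other nodes’ copies would still disagree. The GENESIS value and the badge events are constructed sample data.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed placeholder for the link before the first block


def block_hash(index, data, prev_hash):
    # Each block's hash covers its own content AND the previous block's hash;
    # that shared digest is the "cryptographic link" between blocks.
    payload = json.dumps({"index": index, "data": data, "prev": prev_hash}, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def build_chain(records):
    chain, prev_hash = [], GENESIS
    for index, data in enumerate(records):
        digest = block_hash(index, data, prev_hash)
        chain.append({"index": index, "data": data, "prev": prev_hash, "hash": digest})
        prev_hash = digest
    return chain


def verify_chain(chain):
    """Return -1 if every link holds, else the index of the first broken block."""
    prev_hash = GENESIS
    for block in chain:
        expected = block_hash(block["index"], block["data"], block["prev"])
        if block["prev"] != prev_hash or block["hash"] != expected:
            return block["index"]
        prev_hash = block["hash"]
    return -1


def relink_from(chain, start):
    """Recompute every hash from `start` onward: the work needed to hide an edit."""
    prev_hash = chain[start]["prev"]
    for block in chain[start:]:
        block["prev"] = prev_hash
        block["hash"] = block_hash(block["index"], block["data"], block["prev"])
        prev_hash = block["hash"]
    return chain


if __name__ == "__main__":
    # Constructed sample: a ledger of badge events, not real data.
    ledger = build_chain(["alice badge-in 08:02", "bob badge-in 08:10", "alice door-7 09:15"])
    print("intact:", verify_chain(ledger))              # -1
    ledger[1]["data"] = "bob badge-in 07:00"            # alter one block in place
    print("after edit:", verify_chain(ledger))          # 1: block 1 no longer matches its hash
    relink_from(ledger, 1)                              # rewrite block 1 and everything after it
    print("after full rewrite:", verify_chain(ledger))  # -1, but only on this one copy
```

The rewritten copy passes its own check, yet every other node still holds the original hashes, which is why the ledger’s integrity rests on the copies being distributed rather than on any single store.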

When married, biometrics and blockchain are solving the username-password quagmire that costs companies billions. Biometric technology ensures that the user is who she says she is, and that she can access the information she needs with the touch of a finger or blink of an eye. And blockchain technology ensures that her personal data is secure and private, but shareable on a trusted network. The result is an immutable digital identity that enables companies to seamlessly and securely transact with employees and customers.

3. Legal Issues

There is no shortage of legal issues for companies to consider before rushing into the brave new world of digital identity. California has not yet enacted legislation specifically regulating biometric data. But Labor Code § 1051 prohibits employers from sharing employee fingerprints and photographs with third parties. And Civil Code § 3344 prohibits the use of a person’s “name, voice, signature, photograph, or likeness” for profit without prior consent. Thus, California employers need to be sure that any biometric data in their possession is secured and not shared outside the company without employees’ consent.

Likewise, the federal government has not yet enacted legislation specifically regulating biometric data. However, in 2012, the Federal Trade Commission recommended best practices for companies using facial recognition technology. And in 2016, the National Telecommunications and Information Administration followed suit. The agencies’ reports stand as helpful reminders that the improper use of biometric data may be actionable under existing law.

Given the highly personal nature of biometric information, companies will also have to contend with a host of privacy laws, most notably the European Union’s General Data Protection Regulation (“GDPR”), which applies to any company that collects, processes, manages or stores the data of European citizens, regardless of where the company is located.

Companies must also be aware of their obligations in the event of a security breach. All 50 states have enacted legislation requiring companies to notify users of security breaches related to personally identifiable information. In California, privacy is constitutionally protected, and the state was the first to enact a data breach notification law. Under Civil Code sections 1798.29(a) and 1798.82(a), companies must notify California residents, including employees, whose “personal information” was, or is reasonably believed to have been, compromised.

Also, in 2015, the California State Assembly introduced A.B. 83, which would have expanded the definition of “personal information” to include biometric data. The Bill would have also required businesses to implement reasonable efforts to protect biometric data from unauthorized access and permitted individuals to file civil actions and recover civil penalties in the event of a breach. While the bill did not pass the Senate, it is unlikely to be the last attempt to legislate in this area in California. Stay tuned to your CalPecs blog for further updates!

Workplace Solutions: Biometric applications are making the workplace more efficient and secure. But, like any new technology, biometrics pose a range of compliance issues as new laws are enacted and regulatory agencies apply existing law to new business practices. Luckily, Seyfarth’s Global Privacy & Security and Blockchain Technology Teams are here to help.

Edited by Coby Turner

Seyfarth Synopsis: With the availability of new vehicle GPS devices and smart phone tracking applications, employers need to be mindful of employee privacy rights when using location technologies in the workplace.

It Doesn’t Take A Magellan To Map Routes Anymore

Employers now have available the technology that concerned parents of wayward teenagers have often wished for. Thanks to technological advances, one can now monitor another’s movements in ways that could only be imagined a couple of decades ago.

The benefits of tracking employee activity through GPS (Global Positioning Systems) include: (i) verifying routes and locations for mobile employees, particularly in the transportation or delivery industry, (ii) ensuring that employees are not violating traffic laws, (iii) monitoring employee overtime, (iv) verifying that employee time records are accurate, (v) locating company-owned stolen vehicles, and (vi) verifying that employees are not misusing company vehicles by, for example, driving to inappropriate locations or at inappropriate times.

With the advent of GPS smart phone applications, companies have begun to install GPS tracking apps on company-issued smart phones, which monitor not only the employees’ transportation in vehicles, but may allow for out-of-vehicle monitoring as well.

So with all of this great new technology, where (if at all) must employers draw the line when it comes to tracking employee mobility?

Navigating The Nexus of Privacy and Employer Needs

At the center of the debate on the lawfulness of tracking employees via GPS is the employee’s right to privacy vs. the employer’s need for productivity and business-related information. California has a strong tradition of protecting individual privacy rights. Article I, Section 1 of the California Constitution provides that “all people” have an inalienable right of privacy. This provision applies to private as well as public employers. California employers thus must be wary of infringing on employee privacy by learning too much about private time and lawful off-duty activities.

Litigation Beginning To Moovit Related To GPS Tracking

Of major importance is whether the GPS tracking information is related to job performance: if it is not, then cataloging off-duty activities may violate constitutional rights to privacy. Consider this recent cautionary tale: In Arias v. Intermex Wire Transfer, an employee sued her former employer, claiming she was fired for uninstalling a GPS tracking app from a company-issued smart phone that was tracking her movements even when she was off the clock. The employee objected to being tracked on her own time and compared the GPS to the ankle bracelet placed on someone under house arrest. She sued for wrongful termination, invasion of privacy, unfair business practices, retaliation, and other claims, seeking over $500,000 in damages. This suit, privately settled, is likely not the last of its kind.

An additional source of legal restriction on remote employee monitoring is California Penal Code section 637.7, which prohibits the use of “an electronic tracking device to determine the location or movement of a person” via a “vehicle or other moveable thing” unless “the registered owner, lessor, or lessee of a vehicle has consented to the use of the electronic tracking device with respect to that vehicle.” So while an employer arguably can install GPS tracking on company-owned vehicles, and even on employee-owned vehicles used for work purposes (with advance consent as we’ve blogged previously), there is currently no such carve-out allowing employers to require GPS tracking through smart phones.

In What Waze Should Employers Be Mindful About Using GPS?

A California employer using GPS to monitor employees should have policies carefully considering employee privacy issues. As with other kinds of workplace monitoring (e.g., cameras in the workplace, use of email and Internet systems), we recommend (a) full disclosure to employees, and (b) obtaining employee consent, including implementing a separate GPS tracking policy. The policy should:

  • Outline the legitimate business reasons for using GPS tracking (e.g., increasing operational efficiencies, improving customer service, maintaining accurate timekeeping records, improving safety).
  • Provide clear notice of the company’s right to monitor employee locations while the employee is using company-owned property, describe when and how employees should expect to be monitored, and tell employees they should have no expectation of privacy while using the company property.
  • Explain how the employer will use and safeguard data collected.
  • Notify employees that disabling a GPS device without the employer’s permission could lead to discipline, and describe the consequences.
  • Communicate the policy to all employees, and have them provide written acknowledgement of their receipt and understanding of the policy.

Other best practices to consider include:

  • Limit monitoring of activity to work hours, and monitor an employee’s location only for a specific business purpose in compliance with the GPS tracking policy. The collected data should not reveal details of the employee’s private life.
  • Limit access to the GPS tracking information to company personnel who have a clear business need to know that information.
  • Make sure that you store any GPS-related data securely.
  • Where employees are unionized, consider whether there is a duty to bargain before implementing the use of GPS tracking, depending on the language of the contract and the parties’ course of dealing. The NLRB has advised that a complaint would issue when an employer failed to bargain before unilaterally implementing a vehicle data recorder system to monitor employee compliance with driver safety rules.

Workplace Solution: Because this area of law is still developing as new technologies emerge, employers should continually revisit their GPS policies for compliance. We monitor developments in this area and will provide our readers with further information as it becomes available. In the meantime, if you have any questions, please contact the author or your favorite Seyfarth attorney.

Edited by Coby M. Turner.