By Steven C. Sheinberg, General Counsel of the Anti-Defamation League & Guest TMT blogger.*
A recent McKinsey report on twelve “disruptive” technologies included four that will fundamentally transform how employers relate to their employees: mobile Internet, automation of knowledge work, the Internet of things and cloud computing. I would add to the list three results of these technologies: big-data, cybercrime and privacy.
From an employment law perspective, the common element here is data – data that flows to, is stored by, and is used (or misused) by employers, third parties and employees.
As new devices and technologies are deployed, employers will likely inadvertently gather information they probably do not want – for instance, protected health information (perhaps by detecting a disease-related app on a phone) or detailed records of employee movements (which can be very harmful in wage and hour litigation).
As employers look at these (and other) large pools of data (including applicant data), some will wish to “mine” this data using increasingly low-cost “intelligent” automated systems. Such work has to be carefully done – both algorithmic errors and poor statistical methodology can easily lead to significant errors in the information derived from the raw data. The results, from at least an EEO point of view, can be quite disastrous.
This data will likely be stored on third-party “cloud” storage systems –an arrangement that will raise new risks for employers.
Employers need to be concerned data in third party hands — whether it is there intentionally or not.
For instance, employers ask employees to use devices that are loaded with third party apps – and sometimes they even ask employees to use these apps. These apps routinely collect significant amounts of data, including location and unique device identifier information. Such data can be combined to create a very detailed profile on users. This data – owned, protected and even sold by these third parties – can create a new window into an employer’s operations that litigants and corporate spies alike would love to see.
Next, data will inevitably end up in third party hands through litigation and discovery. As the cost of sophisticated analytics concerning that data is falling, there will be a sea-change in how employment cases are litigated – especially class actions. And in the regulatory and EEO context, as a recent White House panel on so-called “big data” concluded, “the federal government should build the technical expertise to be able to identify practices and outcomes facilitated by big data analytics that have a discriminatory impact on protected classes.” The use or misuse of this information by the government or litigants will require a very sophisticated legal response – one that will likely involve the world of statistical analysis and coding.
Information will also end up in third party hands through crime. Whether inadvertent or not, the primary source of data breaches is through an employee’s keyboard. As the breaches continue and the costs rise, employers will have to take radical approaches to data protection, including new levels of data segregation, radically shoring up security-related policies and treating mobile phones, whether company-owned or not, as on par with laptops.
As data is produced by more and different devices, there will be serious questions about who owns the data those devices store and generate. Will an employee-owned, GPS-enabled app used on a “BYOD” device contain data that is owned by the employee (say, concerning their fitness activity) or, because it was worn during work, will it contain proprietary information (such as a record of where the employee visited)? Employers must understand what data their employees are gathering – and update policies and executive employment agreements to deal with it.
In the social media context, employers will be forced to grapple with always-on devices, including those that constantly stream video. It is unclear whether a simple workplace ban on such recording (as recently permitted under the NLRA) will survive video streaming’s convergence with social media –the latter of which the NLRB maintains can be a form of protected concerted activity.
Last, employers need to have action plans in place for data breaches caused by or impacting employees. Employers should also ensure that insurance policies cover employee-caused data breaches and incidents involving employee information.
Concerns about privacy cover all three areas, but this is well covered elsewhere.
This short survey illustrates that the world of the employer will more and more involve data-driven risk –placing their lawyers deep in the world of statistics, system design and security management.
*EBG appreciates Steven C. Sheinberg’s contribution and respects his views, but notes they are his views and not necessarily those of EBG or any of its attorneys.