By Robin Shea and Sarah Phaff
Winston-Salem and Atlanta Offices
Constangy, Brooks & Smith, LLP
As one who presumably has no nude selfies, you may not be too concerned about a “hack” like the one that afflicted celebrities like Jennifer Lawrence and Kate Upton. But that doesn’t mean there aren’t still plenty of technology issues that an employer should look out for. Are you guilty of any of these top ten technology blunders that are either committed or allowed by employers?
Blunder No. 1: Recruiting or hiring employees using “coherent people profiles” assembled by aggregators like Spokeo. Spokeo was fined $800,000 in 2012 by the Federal Trade Commission because it gathered all kinds of data about individuals – including race, ethnic background, religion, economic status, and age ranges – and sold the information to employers who used it in making recruiting and hiring decisions. Spokeo was hit because it was not complying with the Fair Credit Reporting Act, but use of this type of information can obviously also violate state, federal, and local anti-discrimination laws, as noted by an attorney from the Equal Employment Opportunity Commission, who spoke at a session on “big data” sponsored by the FTC.
Blunder No. 2: Asking applicants for their social media passwords. This is illegal in an ever-growing number of states, and a bad idea even if you live where it’s legal. As with Blunder No. 1, Blunder No. 2 could give you a lot of information that you’ll wish you hadn’t had.
Blunder No. 3: Legally reviewing “public” social media information too early in the hiring process. This isn’t as bad as Blunders 1 and 2, but it’s still a mistake – particularly if your social media review includes sources that generally contain a lot of personal information, such as Facebook. Again you may get TMI* about an individual’s medical condition or the condition of the individual’s family members, about religious beliefs, about age, and about all kinds of things that you’re not supposed to know early in the process. (On the other hand, reviewing a “professional” social media site like LinkedIn should not be as risky.)
*TMI = Too Much Information
Blunder No. 4: Having a weak, unrealistic, or nonexistent electronic usage policy. If it’s weak, it may not accomplish your goal of having a harassment-free workplace full of productive employees. If it bans all personal internet use during work time, it is unenforceable. Not having a policy at all is bad, too.
A good electronic usage policy will prohibit employees from using the internet and emails, texts, and social media in a way that (1) keeps them from getting their work done, (2) is harassing or discriminatory on the basis of any legally protected characteristic, or (3) is illegal (such as visiting internet gambling sites, doing illegal downloads, or viewing child pornography). Whether you want your policy to go beyond that depends on how much trouble you are willing to risk from the National Labor Relations Board. A good policy will also acknowledge that reasonable personal use of electronic communications is allowed.
Blunder No. 5: If you’re in a business or profession that requires you to preserve the confidentiality of your customers, clients, or patients, failing to ensure that all employees understand that they may never post on social media any individually identifiable information about such customers, clients, or patients. This seems to be a problem primarily with medical care providers, public safety officers, and teachers. Nurse Betty comes home after a hard day, goes on Facebook, and vents, “So glad to be home!!! Had to flip 350-lb man with kidney stones to prevent bed sores, and my back is killing me – must be wine o’clock!” Or Officer Jim posts a photo of the crime scene he handled that day, including the faces of the victims and their families. Or Teacher Anne vents about the spoiled brats in her class (by name) and their idiot parents. Make sure your employees know before it’s too late not to do this – if you don’t, you may have to fire an otherwise good employee.
Avoiding these last five blunders will require the involvement of your IT professional:
Blunder No. 6: Not taking extraordinary means to protect highly sensitive information such as employee Social Security numbers, employee medical information, and the company’s trade secrets and confidential business information.
Blunder No. 7: Using a cloud-based system for employment information without taking reasonably prudent precautions, including consideration of the following:
- Where, physically and geographically speaking, are your “cloud” servers located? If they’re in Siberia, your information may not have the legal protections that it would have in the United States.
- Are the data secure?
- If your relationship with your cloud provider ends, who owns the data? (HINT: It should be you, not the provider.)
- How will your information be destroyed securely if the relationship ends?
Blunder No. 8: Not requiring employees to take reasonable security precautions with mobile devices, including use of passcodes, segregation of business information from personal information, and remote wiping of employer information in the event that the device is lost or the employee is terminated.
And don’t forget “low-tech” security measures, such as requiring employees to lock their cars when they’re leaving laptops or tablets in them to minimize the risk of a security breach via an old-fashioned breaking and entering. (Better yet, encourage employees to never leave laptops or devices in the car at all.)
Blunder No. 9: Failing to keep your employees informed of the latest “hacks” and “phishing expeditions,” and other ways dishonest people may be able to get into your data through the employees’ devices. (This could also include the risks associated with storing nude or other sensitive photos in a “cloud” that is not secure.)
Blunder No. 10: Allowing employees to use unsecured WiFi when working on the road, or in restaurants, cafes, or other public places. (PS – If they’re non-exempt under the Fair Labor Standards Act, then this is “time worked,” too, and you have to pay for it.)
As technology continues to evolve, methods of attack will also become more sophisticated and creative. It’s probably unrealistic to expect that you will never experience some type of technology-related “event.” If you do, act as promptly as possible to limit the damage, and make sure all affected individuals are aware.