Managing risks related to mobile devices in the workplace is a key area of focus for organizations. These risks are plentiful, ranging from proper storage of information generated/received to meet legally mandated retention requirements, e-discovery and litigation hold issues, addressing cybersecurity vulnerabilities, privacy issues, and so forth. In most instances, the conversations revolve around smart phones and tablets, as those devices lend themselves to business productivity. However, even as these discussions are taking place, technology is bypassing those subject matters, leaving companies to once again play catch-up. This is certainly the case with wearable technology.
The first wave of wearable technology has mostly targeted fitness and health, offering users the ability to monitor his/her activity, calories burned, heart rate, blood pressure, and other biometric data. Primarily marketed to the consumer, it is purchased and brought into the workplace by employees. Except in cases where these devices may be expressly or impliedly incorporated into a corporate wellness program, most companies do not govern their use. But, despite their seemingly innocuous purpose, there are risks presented that must be carefully vetted.
For example, last year in Canada, Fitbit and the data tracked by its devices made headlines when it was introduced into evidence in a personal injury lawsuit. In that case, the data was not directly introduced, but processed through Vivametrica (an analytics platform) to show that the plaintiff’s activity levels were below the baseline in comparison to someone similar in age and profession. More recently (June 2015), a Florida woman was charged with false reports to law enforcement, false alarms to public safety, and tampering with evidence. The charging documents filed with the court state that data from her Fitbit indicates that she was awake and walking around during the time of the alleged attack and rape. While the Fitbit data was not the sole evidence in support of the charges filed, it is yet another instance of data from wearable technology being introduced in a court setting.
The interest in data collected by health and fitness trackers is certainly understandable as these devices monitor the user’s lifestyle and activity choices, which seen under the lens of litigation suddenly becomes a treasure trove of potentially useful ESI. While admittedly, the examples provided do not involve the workplace, extrapolating from the use of the data certainly exemplifies the potential risks – a workers’ compensation claim with data used to support decrease in activities, heart rate and blood pressure data to demonstrate distress where an employee alleges harassment by his/her boss or fellow employee, and so forth. While evidence cuts both ways, these are not insignificant considerations for a company. Furthermore, as the technology develops the issues will only get more complicated.
In the overall scheme of things, wearable technology is still in its infancy. The next wave will be/is a transition in focus of those devices and applications from the consumer to the business environment. In fact, Salesforce is developing applications for wearable devices, Motorola has developed wearable technology for use by law enforcement (biometric straps for monitoring vitals, wearable cameras, and so on), and this is only the tip of the iceberg. However, with added functionality comes more risks to address – these include cybersecurity (viruses/malware), corporate espionage (misappropriation of sensitive/confidential information), privacy (pictures and recording conversations), and safety concerns (accidents resulting from use on or handling company property). Companies will need to make a choice as to use of such technology after carefully weighing the benefits against the risks. But at this time, it may be too soon to come to a conclusion, as the technology is still developing for the business environment. Regardless, even the wearable technology focused on consumers poses a risk from many facets as identified above, and failing to address is, for all intents and purposes, granting permission without any safeguards.
Accordingly, the key to managing risk of wearable technology is to be proactive. Engage legal and IT in discussions regarding risks to your organization, revisit policies related to mobile devices, permissible use, and security to account for the associated risks, look over insurance coverage options, and monitor the technology and its development. Mitigate the risks now, so that you are not left facing the consequences later.
Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.