It’s a compliance conundrum for the modern age: The proliferation of digital data generated while using employee monitoring technologies—often to ensure that workers stay on the right side of compliance—is creating a whole new set of data security and privacy risks that compliance officers need to worry about.

Companies today can monitor the work-related activities of employees in many ways, from GPS tracking on company-issued vehicles and iPhones to fingerprint or retina scanning for authentication purposes. Do they work? You bet. But using those technologies is forcing companies to strike a careful balance between legitimate business purposes and employees’ expectation of privacy and security.

“Employers need to make sure they have a really compelling business reason for requiring employees to use biometrics in the workplace,” says Mariam Wugmeister, a partner with law firm Morrison Foerster.

One easy example of legal risk is discrimination claims, such as for disability or religion. If employers want to use monitoring technologies, they should be prepared to respond to any reasonable accommodations employees might request. For example, earlier in March the Equal Employment Opportunity Commission urged a federal judge in West Virginia to grant an injunction to stop coal mining company Consol Energy from forcing its employees to use biometric hand scanning devices, because they could violate anti-discrimination laws under Title VII of the Civil Rights Act. “The likelihood of future violations may be inferred from past unlawful conduct,” the EEOC said.

In January, a jury awarded $150,000 in compensatory damages to a former employee of Consol, Beverly Butcher, who argued that he was forced to leave his job after refusing to comply with the company’s hand scanning policy for timekeeping purposes. As an evangelical Christian, he believed that submitting a hand scan had a connection to the “Mark of the Beast,” as referenced in the Book of Revelation. Consol refused Butcher’s request to allow him to track his time through a manual time recording system instead. The EEOC has since filed a motion seeking an additional $413,000 in lost wages.

C.R. Wright, a partner with law firm Fisher & Phillips, says the case serves as a valuable lesson to compliance and risk officers that they must carefully evaluate an employee’s reasoning for not using biometric technology. By listening to employees’ concerns, and finding other ways to accommodate them, the company may be able to avoid a discrimination claim, he says.

Privacy Risks

A common concern with GPS-tracking devices is privacy risk. The privacy risks posed by GPS tracking, while not new, are especially relevant today, in an age of wearable devices and when an increasing number of companies allow employees to bring their own devices to work—many of which are equipped with GPS tracking capabilities. “Compliance officers have a greater problem with respect to employees bringing this new technology to the workplace,” says Tracy Moon, a partner with law firm Fisher & Phillips.

The benefits of GPS tracking are many: companies can confirm that vehicles they own are being used for proper work purposes, or they can track delivery and pickup times to customers more accurately. The risk, however, is that companies also end up collecting data concerning employees’ private and personal non-work-related activities (sometimes inadvertently). The risk of privacy-related claims is especially heightened when the company seeks to put such tracking capabilities on a device the employee owns rather than the company—say, installing a tracking app on a worker’s own phone.

New York Labor Law on Fingerprinting

New York Labor Law §201-a states, in full:
§201-a. Fingerprinting of employees prohibited. Except as otherwise provided by law, no person, as a condition of securing employment or of continuing employment, shall be required to be fingerprinted. This provision shall not apply to employees of the state or any municipal subdivisions or departments thereof, or to the employees of legally incorporated hospitals, supported in whole or in part by public funds or private endowment, or to the employees of medical colleges affiliated with such hospitals or to employees of private proprietary hospitals.
Source: New York Labor Standards.

The policy management challenges in navigating that situation are not easy. First, your policy should notify employees that their whereabouts and activities are being tracked or monitored. “Employees need to be put on notice that the employer is conducting tracking and surveillance, so that they waive potential claims for violations of privacy rights,” Tracy Moon says. “An important factor is for employers just to be honest with their employees about what their uses are and what protections are in place.”

To develop such a policy, companies must first identify the legitimate business interests they want to protect by collecting that data. “The key is trying to strike a balance between the employee’s personal privacy interests versus the company’s legitimate reasons or interests and trying to use the least intrusive method possible to achieve the company’s goals,” says Lilly Moon, a shareholder of law firm Jackson Lewis. One solution, for example, would be to track mobile devices only during business hours.

Most devices with tracking capabilities have a feature that allows users to turn them off. “Often, the company will tell the employee, ‘Turn it on when you come to work, turn it off when you leave work’,” Tracy Moon says.

“Only collect that information that you really need,” Wugmeister says. “If you don’t need it, don’t collect it.”

Security Measures

As with the use of any technology, employee monitoring devices create security risks as well. “Companies need to stay abreast of the latest, greatest security measures to keep the biometric data—just like any other data—from being inappropriately accessed,” Wright says.

The same data security and privacy measures companies already put in place for other forms of personally identifiable information (PII) apply to employee tracking data. “Make sure that only the people who really need to have access to the information to do their jobs have access,” Wugmeister says. “Make sure whenever you have sensitive data that you can articulate a business rationale as to why each different employee really needs access to that data.”

Another important security measure: data destruction. “Get rid of data when you don’t need it anymore,” Wugmeister says. “Don’t just keep everything because maybe someday it might be useful.”

In some respects, biometric data is even more invasive and sensitive than other PII. It’s also permanent, which makes the loss of such data all the worse if you get hacked. “You can change your password, but you cannot change your iris, or your thumbprint, or other biometric indicators,” Wugmeister says. Given how difficult it is to keep basic information like user names and passwords secure, companies need to assess whether the risk of using the biometric data outweighs whatever benefit they expect, she says.

Another way to avoid legal claims is to “keep up with privacy and other potentially relevant laws,” Wright says. “Laws are quickly changing in response to public pressure.” New York State, for example, prohibits employers from fingerprinting employees unless required to do so by law.