Ten technology mistakes made by employers
December 12, 2014
New technologies redefine the workplace practically every day, and they always will. Employers have the challenging job of evaluating those new technologies and new applications. As they do, they must consider how they would affect legal compliance issues and privacy issues for both the employer and individuals. The following are some of the top technology mistakes made by employers:
- Using “coherent people profiles” assembled by aggregators (such as Spokeo) to recruit or hire. Companies such as Spokeo are aggregators of information about people. They obtain information from dozens of sources including public records and social networks. They merge the data and thus create composite profiles of job candidates, potential clients, etc. The problem is that by doing so they can turn themselves into consumer reporting agencies in the eyes of the law, thus being subject to the Fair Credit Reporting Act. In fact, Spokeo was fined in 2012 by the FTC for doing just that.
- Asking applicants or employees for their social media passwords. In December 2012, the State of Michigan passed the Internet Privacy Protection Act (IPPA). IPPA prohibits employers from requesting that an employee or applicant grant access to, allow observation of, or disclose information that allows access to or observation of personal Internet accounts such as Gmail, Facebook and Twitter. Under the IPPA, an employer may not discharge, discipline, fail to hire, or otherwise penalize an employee or applicant who declines such requests.
- Legally reviewing “public” social media information too early in the hiring process. Social media provides information that can be helpful in screening job candidates. But information found on social media may or may not be accurate, it certainly is unverifiable, and it may reveal “protected” information such as race, age, religion, and medical information. Using such information is not, in itself, specifically prohibited by the law. But the earlier in the hiring process it is used, the higher the risk that someone will accuse you of using it to discriminate against someone in a protected group.
- Having a weak, unrealistic, or nonexistent electronic usage policy. Employers’ policies must prohibit harassment and discrimination in the use of electronic communications. Employees should have no expectation of privacy when using the employer’s equipment and systems, and they must know that they are subject to monitoring at all times. If the policy is weak, it may fail to maintain a harassment-free workplace, or employees may spend too much work time on personal email or social media sites. But the policy cannot be so rigid (such as completely banning use of the employer’s equipment and systems for personal purposes) that it is unrealistic and unenforceable.
- Failing to ensure that employees protect individually identifiable information about customers, clients, or patients when posting on social media. Protecting customer information is a key responsibility and obligation of employers. When employees use social media to communicate with friends and family, it must be clear that they cannot share confidential information about customers or clients. Oftentimes employees do this without even knowing it. Social media blunders can have a very real impact on an employer’s business and may do lasting harm to their reputation.
- Not protecting sensitive employee information such as social security numbers, medical information and the employer’s trade secrets and confidential business information. Some of the most common technology risks for employers arise from employees taking or revealing customer lists, posting confidential information on social-media platforms, and moving proprietary data off the company’s network. In addition, there are various federal and state employment laws related to protection of employee medical information. The Michigan Social Security Number Privacy Act requires every employer to maintain a policy for safeguarding employee social security numbers.
- Using a cloud-based system for employment information without taking reasonable, prudent precautions. Cloud storage systems are efficient and affordable, but they also carry the heightened risk of data breaches due to theft, hacking and human error. Employers need to be aware of where (physically and geographically) the cloud servers are located and what the vendor’s security protocols are. Further, employers need to determine up front who owns the data (it should be the employer) and how information will be appropriately destroyed if and when the relationship ends.
- Not requiring employees to take reasonable security precautions with mobile devices. With the widespread use of mobile devices by employees, particularly because of bring-your-own-device (BYOD) policies, the risks for employers have significantly increased. Phones can be easily lost or stolen, so the business information stored on them must be protected. Data should be encrypted, employers should require the use of passcodes, business information should be segregated from personal information, and employers should have the ability to remotely wipe data if a phone is lost or stolen or the employee is terminated.
- Failure to keep employees informed of the latest “hacks” and “phishing expeditions.” The risk and damage associated with a “phishing” breach is significant for companies of all sizes. “Phishers” are becoming more and more clever about their scams so that even vigilant employees might get caught off-guard. Employee training is just one of many ways employers can keep their data secure.
- Allowing employees to use unsecured WiFi on the road. When employees use unsecured devices such as laptops, tablets, and smartphones, they greatly increase the risk to company networks and their sensitive data. It is incredibly easy for cyber criminals to access sensitive information through unsecured mobile devices. Organizations should implement a virtual private network (VPN) solution that will encrypt data traveling to and from computers using unsecured wireless networks.