Wearing Your Heart on Your Sleeve

A growing number of self-insured employers are tying corporate wellness plans into apps that track their employees’ movements.  Looking for ways to cut the increasing costs associated with providing healthcare plans, these employers are encouraging healthy choices and accountability. Some companies are offering additional health plan choices to employees who participate in such programs.  But in participating, many workers may not realize their personal information may be at risk.


The Wearable Trend

Employees supply their own devices like smart watches, smart glasses and fitness trackers, known in the industry as “enterprise wearables,” which are then linked into an app accessible by the employer or healthcare plan.  Wearables are defined as computers or technologies incorporated into clothing or accessories to be worn by the user.  They look similar to watches, bracelets, and even rings or jewelry.   Devices like the Apple Watch, Jawbone, Fitbit or Misfit can be used to count steps, calculate calories burned, monitor heart rate, track weight, record sleep patterns, and log nutritional information. Some programs invite users to enter additional data like their mood, sexual activity, and even bathroom use.

A recent PricewaterhouseCoopers study found 70% of consumers say that if it would mean a break in their insurance premiums, they would wear employer-provided wearables sending anonymous data to a pool. A study by technology research firm Tractica projects that by 2020, revenues from the sale of these types of devices will grow to $6.3 billion from a current $14 million. It predicts that this boom will occur as the devices become a vital component in corporate wellness programs.


Where Does This Data Go?

With this huge growth in users, and information shared among employers and insurers, comes concern not only about who has access to this data but also about other ways the information may be used. It’s no secret that human resource departments manage their staff using various data-driven methods. These “people analytics” aim to create a highly productive workforce. When given additional activity data about their employees, would these same HR departments add it to their analytics? Would it be advantageous for them to know which employees are getting better, more restful sleep? In a Forbes report, customer data company Salesforce said they “could use the platform to find correlations between the daily physical activity and even sleep patterns of sales staff with their success on sales calls.”

Computer security firm Symantec conducted an experiment using the most popular wearables, and found that all software-driven devices were completely trackable. More than half of these devices had no information about privacy policies. One out of every five wearables tested by Symantec also wirelessly transmitted user data including email address, name, and password without any encryption. Additionally, they found that 20% of the devices transmit login and password information in plain text. This opens the door for misuse, identity theft, and even stalking.

Massachusetts Institute of Technology researchers studied one of these devices, the Fitbit, and confirmed some of these suspicions about security:  “…Fitbit does not provide device owners with all of the data collected.  In fact, we find evidence of per-minute activity data that is sent to the Fitbit web service but not provided to the owner.  We also discovered that MAC addresses on Fitbit devices are never changed, enabling user-correlation attacks.  BTLE (Bluetooth Low Energy) credentials are also exposed on the network during device pairing.”


The Tradeoff

Research conducted by the Federal Trade Commission earlier this year echoed these possibilities:  “Although a consumer may today use a fitness tracker solely for wellness-related purposes, the data gathered by the device could be used in the future to price health or life insurance or to infer the user’s suitability for credit or employment (e.g., a conscientious exerciser is a good credit risk or will make a good employee)…it would be of particular concern if this type of decision-making were to systematically bias companies against certain groups that do not or cannot engage in the favorable conduct as much as others or lead to discriminatory practices against protected classes.”

The PricewaterhouseCoopers report predicts users will soon see wearables in the same light as social media.  “(They) offer a portal into consumers’ willingness to share information with each other and with brands in exchange for rewards—be it emotional validation, monetary compensation or curiosity satiation. Parents and Millennials—two groups who are most excited about the future of wearable technology—are the most willing of any demographic to share their personal information with others via wearable technology.”



Wearables, small computers incorporated into clothing or accessories that collect and report data, are attractive to employers looking to reduce healthcare costs.  Some companies are offering insurance discounts to employees using wearables to report their activity, nutrition, and other information.  However, security of the data collected by the technology and other uses for this information remain privacy concerns.


CIPP Exam Preparation:

In preparation for the Certified Information Privacy Professional/United States (CIPP/US) exam, a privacy professional should be comfortable with topics related to this post, including:

Regulatory Authorities, FTC (I.A.d.i.)

Limits on Private-sector Collection and Use of Data (II.A.)

Workplace Privacy, Human Resource Management (IV.A.a.i.)

Workplace Privacy, Employee Monitoring (IV.B.b.i.)

