Rebecca HeroldTalk of employees at a Wisconsin (USA) business getting microchip implants to use within its work facilities for a wide variety of purposes (such as for access control to business networks as well as to secured rooms, to use business machines, to make payments in company stores and vending machines, and many other activities), has been the topic of hundreds of recent news reports.

It seems like those giving opinions are almost exclusively in either the “Hell, no! This is Big Brother surveillance run amok, signaling the end of all privacy!” camp, or the “Hell, yes! The benefits this will bring to the business and employees in saving time, improving security, and facilitating better use of machinery is unparalleled!” point of view.

I don’t fall strictly into either point of view. Of course, this microchipping technology could provide a wide range of benefits and prove to be an increasingly pervasive and powerful business tool. However, with great power comes great responsibility. The marriage of technology with business activities and employee information is typically a very complicated situation. Without adequately addressing the privacy issues involved, the situation could quickly spin out of control and result in a messy business divorce, with associated lawsuits, bad PR for the business, and irreparable harm to the individuals involved.

So, let’s consider some of the major potential benefits:

  • No more passwords to remember or manage. This could strengthen access controls into your computers, systems, networks, and anywhere user IDs and passwords are used, and save a lot of time for your user support area. And, it could reduce the risks of hackers getting into your systems.
  • No money for snacks or lunch? No problem! The chips could enable workers to more quickly and efficiently purchase snacks and meals without worrying about having cash or a credit card on hand.
  • No more PCI DSS to deal with! Wait. Really? Hmm. Well, that depends upon how you implement the systems. But you could enable chips to deduct purchases from the business directly from paychecks, so there’s that.
  • Safer facilities. These chips can help organizations, especially those large ones with many workers, as well as businesses in huge, sprawling facilities where workers may be located in virtually unlimited areas, to accurately know where workers are located to help with emergency situations, ensure all individuals are accounted for during disasters such as fires, hurricanes and tornadoes, and any other situation where accounting for the locations of all individuals is critical.

Wow, this is great!

Whoa, there; hold on a minute. Don’t make your decision yet. Keep reading.

Risks and harms
Before you jump onto the pro-microchipping bandwagon, you must also consider the potential business, security and privacy risks and harms. To fully appreciate these risks, you first need to ask yourself some key questions:

  • What data is collected by the microchips? From what has been reported, these will include: individuals’ names, locations, items purchased at date/time/cost, dates/times of facility entries and exits, items purchased and associated dates, times and prices. And, potentially much more.
  • How will all that data be used? To deduct payments from paychecks? To use for attendance? When considering healthcare claims? Salary increases? Promotions or demotions? Firing? And many more possibilities.
  • With whom will the data be shared? HR? Managers? Coworkers? Marketers, to see what employees are purchasing? Outside food and clothing vendors? Police? Government agencies?

Once you establish the answers to these questions, then consider just a few of the many possible risks to the business:

  • Bad press could hurt business reputation. If any of your employees do not like the idea of being chipped and complain to others outside of the business, there is high probability of negative publicity hurting the business and lowering your brand value. Other bad press could occur if the chipping results in physical harm to the individuals, if the data is breached, or if the chipping systems have security incidents or failures.
  • Security incidents could result in breaches, down time, etc. What happens if the chipping system doesn’t play well with the other systems and causes networks to slow to unacceptable speeds, or brings them down completely? Or, what if the systems implemented are not mature and, as a result, data is not processed correctly? Any number of other incompatibility problems could also surface.
  • Lawsuits from those chipped. Even if the chips are made optional, it is possible that those who agreed to get them will come to regret their decisions, perhaps because the chip caused pain, rash or some other physical problem. Or, maybe they read a report about how the chip’s data is used, and then feel like they were tricked into getting them. Don’t forget, the USA and many other countries are litigious societies.
  • Noncompliance violations. It is quite possible that the use of these chips, the implementation of the use, or the associated data use could be violating applicable data protection laws and regulations. For example, consider the many actions you would need to take if you wanted to use microchips in a way that is in compliance with the EU General Data Protection Regulation (GDPR).

And, most importantly from a privacy rights standpoint (and in support of compliance with data protection laws outside of the USA, such as the EU GDPR), consider just a few of the privacy harms that could come to the associated individuals (data subjects):

  • Lost jobs. This could result if the chip data showed the employee was at an off-limits location, was in the cafeteria at a time he or she should have been in a meeting, was doing inappropriate activities on the network based on activities the chips logged, etc. But consider that data taken out of context could lead to bad employment decisions.
  • Denied loans. Purchase habits, as revealed by the chips, could result in employer credit unions or other lenders who obtain copies of the chip data to deny work loans for college, homes, cars or any other purpose. But consider that data taken out of context could lead to bad loan decisions.
  • Denied insurance claims. If the business self-insures its workers or provides the chip data to insurance companies, they could use the data to deny health insurance claims (“A diabetic knows better than to eat candy bars!”), life insurance claims (“They were in a clearly marked restricted area!”), or a wide range of other claims. But consider that data taken out of context could lead to bad insurance decisions.
  • Humiliation and embarrassment. What if the company makes the data available for others to view or decides it is a good idea to have a contest to see, based on chipped data, which employees are doing the best nutritionally? I’ve seen many businesses throughout my career do things that, in hindsight, were ridiculous to even consider. But consider that data taken out of context could lead to incorrect assumptions regarding individuals.

These are just a few examples. Your situation will have other types of risks and harms to consider, many that will be unique and specific to your own business environment.

Bottom line …
Before any business makes any decisions where personal data is involved, it needs to ask three basic questions:

  • Will this improve business? Will micro-chipping employees really improve business? Or, do the costs and potential risks and harms outweigh the potential benefits?
  • What are the risks? How could micro-chipping employees damage business? What are the technical, physical and legal issues involved?
  • What are the harms? Could the sharing or use of data involved with micro-chipping employees potentially cause harm to the associated data subjects?

If your answers to these questions indicate that there will be greater benefits than business risks and personal privacy harms, and that those risks and harms can be acceptably mitigated, then happy chipping! Otherwise, you need to do more research and investigation, or simply conclude, “No. This is not a good action for our business to take at this time.”

I recommend every business perform a privacy impact assessment (PIA) for any type of new system considered that involves personal data. Be like Peter Parker: Before implementing a microchipping system, do a PIA to reinforce the great responsibility of even thinking about using such a powerful system.

Category: Privacy
Published: 8/1/2017 3:00 PM

from http://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/ViewPost.aspx?ID=840