What does a microchip the size of a grain of rice implanted into an employee's hand have to do with workplace safety and security?
It's why, experts and attorneys say, HR professionals should proceed with caution if their companies are considering trying to microchip workers.
Three Square Market (32M), a Wisconsin-based technology firm, began implanting willing employees with radio-frequency identification (RFID) technology on Aug. 1; it allows employees to log on to computers, open doors, use the copy machine and purchase food at work instead of using a badge or a credit card.
More than 50 employees opted to have the chips implanted. The company is partnering with BioHax International in Sweden, which makes the chips.
"We foresee the use of RFID technology to drive everything from making purchases in our office break room market, [to] opening doors, [using] copy machines, logging into our office computers, unlocking phones, sharing business cards, storing medical and health information, and [using] as payment at other RFID terminals," stated 32M CEO Todd Westby in a press release.
32M isn't the first company to implant employees with technology.
Epicenter, which provides workspace for more than 300 digital companies in Stockholm, Sweden, has been implanting its employees and people who use its workspaces for years.
"Many of the workers have chosen to be chipped, and they've done so mainly for convenience around the 86,000-square-foot facility," the company states on its website. "Most of the nearly 1,000 members still use traditional means, but a healthy handful have opted in to the voluntary feature."
Neither company responded to SHRM Online's requests for comment.
However, experts tell SHRM Online that HR should be fully aware of the complications that may arise from "chipping" employees. Those include: personal privacy complaints; security lapses; workers' compensation claims should the chips cause medical complications; and the need to make medical and religious accommodations if chips become mandatory.
While these RFID chips have no GPS tracking capabilities, the company noted that one day they could be used for other reasons. The 70-year-old technology uses radio waves to detect, identify, track and manage chips that are nearby or far away. The technology transmits data from the chip or tag to a stationary RFID reader, for example, one placed in a break room or an office entryway. (Think about how automated toll collection systems interact with transponders placed on the inside of a car windshield).
In a blog post on the legal ramifications of microchipping employees, Sarah J. Platt and Keith E. Kopplin, attorneys for Ogletree Deakins in Milwaukee, write that "depending on where access points are installed, an employer could gain useful information, such as how long an employee spent in the break room, in the same vicinity as another employee who was allegedly harassed, or where material went missing."
[SHRM members-only HR Q&A: How to Safeguard Employee Information]
They also ask what would happen if an employee's body were to reject a chip. Would employers be financially responsible if the chip affected an employee's health?
Security is also a concern. RFID technology isn't really all that secure, experts say.
"I could see bad actors trying several techniques to attack the chip itself or the data that is transmitted to and from the chip," said McAfee Chief Consumer Security Evangelist Gary Davis in an interview with SHRM Online. McAfee is a computer security company based in Santa Clara, Calif.
"The biggest risks [with RFID] are … eavesdropping, data corruption or modification, and interception attacks," he said
Jason McNew, CEO of Stronghold Cyber Security, an Aspers, Pa.-based cybersecurity firm, agreed. He called the microchipping of employees "an absolutely horrible idea. This technology is the same technology that is used in proximity cards," which hotel guests often use to enter their rooms. "Technically speaking, it is a trivial matter to duplicate" these cards."
He added: "Read-write tags are permanently encoded when manufactured," and the tags "have serial numbers which are permanent, but also contain data blocks which can be altered. RFID tags implanted into humans would most likely—like those in animals—be read-only tag."
Also, what happens to the chip when an employee leaves? Who owns the data that is on it?
McNew previously worked for the military unit known as the White House Communications Agency and held one of highest security clearances (known as the "Yankee White.") He told SHRM Online that "the chip itself may be your personal property, but the information probably isn't."
"It is not the employee's property, rather a branding of the employee for convenience," said Chief Technology Officer John Callahan of identity access management company Veridium in an interview with SHRM Online from his office in Quincy, Mass.
Callahan said he was mostly concerned with people who leave one job with a chip and go to another job and receive a new chip. This eventually may require companies to share their RFID chips and encryption keys. "This represents a single point of vulnerability and an opportunity for abuse. It's the potential sharing of that data without consent that will be of concern to regulatory agencies."
Lawmaker Says 'No'
At least one state senator – in Nevada – has introduced legislation that would bar any employers from forcing employees to get these chips.
"I believe it should be completely voluntary. Absent some legislation," employers could attempt to force employees to be chipped and to fire any employees who refused, said C.R. Wright, an Atlanta-based attorney with Fisher Phillips, a labor and employment law firm. "So what HR should know is … we don't advise that something like this would be made mandatory," he said.
Was this article useful? SHRM offers thousands of tools, templates and other exclusive member benefits, including compliance updates, sample policies, HR expert advice, education discounts, a growing online member community and much more. Join/Renew Now and let SHRM help you work smarter.