Get access to the exclusive HR Resources you need to succeed in 2018.
Sign up for free email newsletters and get more SHRM content delivered to your inbox.
Is your employee handbook keeping up with the changing world of work? With SHRM's Employee Handbook Builder get peace of mind that your handbook is up-to-date.
Build competencies, establish credibility and advance your career—while earning PDCs—at SHRM Seminars in 14 cities across the U.S. this fall.
Gain the skills you need to rise to the next level in your career. Jon us at SHRM's Leadership Development Forum, October 2-3 in Boston.
Members may download one copy of our sample forms and templates for your personal use within your organization. Please note that all such forms and policies should be reviewed by your legal counsel for compliance with applicable law, and should be modified to suit your organization’s culture, industry, and practices. Neither members nor non-members may reproduce such samples in any other way (e.g., to republish in a book or use for a commercial purpose) without SHRM’s permission. To request permission for specific items, click on the “reuse permissions” button on the page where you find the item.
Cross-device tracking—like those ads that follow you from Amazon to Facebook, from your computer to your smartphone—could cause major headaches for HR and IT professionals tasked with keeping data secure.
Employees who visit websites that track their online surfing habits across their computer and smartphone may be inadvertently leaving their work devices vulnerable to hacking.
Cross-device tracking is a huge, yet little-known, security flaw. It's a method of collecting online information from various devices and linking them to a single user—without the user's knowledge.
Companies use the information to create a user profile that could include sensitive personal and workplace information, which could leave organizations susceptible to a security breach.
"When you think of security breaches…companies [using cross-device tracking] can collect lots and lots of information—basically whole profiles about individuals can be set up," said Alja Poler De Zwart, an associate in Brussels for the San Francisco-based law firm Morrison Foerster, speaking during a recent webinar.
Cross-device tracking does not leave a digital footprint, added Julie O'Neill, a partner in Boston for Morrison Foerster, so detection is virtually impossible.
So, too, is controlling it.
[SHRM members-only toolkit: Record-Keeping Policy: Safeguarding Social Security Numbers]
"The biggest threat on multiple-device usage is mainly from an employee using a personal device to complete work-related tasks, assuming the appropriate safeguards are already in place," said Anthony Dagostino, global head of cyber risk in New York City for the-London-based advisory firm Willis Towers Watson, in an interview with SHRM Online.
For example, "e-mailing a work-related file and opening it on a personal device can be a big point of exposure for an organization. Employees using personal devices to complete work tasks are now exposing their organization," he said.
How It Works
There are two types of cross-device tracking: deterministic and probabilistic identification.
Deterministic identification tracks a single user from the information the user gives voluntarily on different devices, such as login information, passwords and answers to security questions. For example, if a user logs into Facebook from his or her smartphone and laptop using the same login information, Facebook can link those devices together as having the same user.
Probabilistic identification collects information from the unique configurations of the devices. Compiling operating systems, apps, IP addresses and plugin details creates a unique fingerprint that connects these devices and makes it highly probable that they are used by the same person. It is this type of tracking that allows ads to appear on a laptop that match a search that a user may have done earlier on his or her smartphone.
Both tracking methods work like cookies—small files that are stored on a user's computer by a browser to customize a website for the user's future visits. But, unlike cookies, cross-device tracking cannot be erased or disabled after a web browser is closed.
"One of the most critical areas in cybersecurity is endpoint security and the mobile device is one of the most exposed endpoints for an organization, so it's important for HR and information security professionals to be orchestrated in their approach to managing the risk, not just through technology but through their people as well," Dagostino said.
The European Union (EU), where cross-device tracking is more pervasive, will be updating its cybersecurity regulations, according to De Zwart. Two new laws regulating the collection of data from users will go into effect May 25, 2018: The General Data Protection Regulation (GDPR) and the ePrivacy Regulation.
The GDPR will give people control over their personal data by requiring user consent to engage cross-device tracking, unifying all EU regulations of data protection and making it easier for non-EU companies to comply. Companies that violate the new laws will face stiff penalties.
Although there isn't a unilateral privacy law in the U.S., the Federal Trade Commission (FTC) has given recommendations to companies that use cross-device tracking:
The Digital Advertising Alliance (DAA) is an independent U.S. nonprofit organization led by advertising and marketing trade associations. Its DAA Application of Self-Regulatory Principles of Transparency and Control guidance recommends, among other things, that users be provided with notice and the choice to opt out when their browsing activity on one device may be used to deliver ads to them on another device.
Experts say it's best to combat this problem on the company level by training employees.
"The best approach is a multifaceted approach managing cyberrisk through three risk lenses: people, technology and capital," said Dagostino. "The people risk should be addressed through continual training of employees, awareness programs to foster a cyber-savvy work environment, and having a strong mobile device and computer usage policy in the code of conduct or terms of employment."
Aaron Hightower is a freelance writer in Detroit. Was this article useful? SHRM offers thousands of tools, templates and other exclusive member benefits, including compliance updates, sample policies, HR expert advice, education discounts, a growing online member community and much more. Join/Renew Now and let SHRM help you work smarter.
You have successfully saved this page as a bookmark.
Please confirm that you want to proceed with deleting bookmark.
You have successfully removed bookmark.
Please log in as a SHRM member before saving bookmarks.
Please sign in as a SHRM member before saving bookmarks.
Please purchase a SHRM membership before saving bookmarks.
An error has occurred
Recommended for you
9 Things Recruiters Do That They Shouldn't
Do you have what it takes to win the war for talent? Find out.
SHRM’s HR Vendor Directory contains over 10,000 companies