By Parnian Vafaeenia and Karla Grossenbacher
Seyfarth Synopsis: Pokémon GO’s popularity is at a fever pitch. However, the game poses several risks for employers including software security, privacy and workplace safety concerns.
Your employees may be on a quest to catch ‘em all. Over 15 million people have downloaded the Pokémon GO game since its release two weeks ago. In this augmented reality game, players use their mobile devices to catch Pokémon characters in real-life locations captured by the camera in a user’s cellular phone. Though the game is very popular with Pokémon GO players, employers may not like the game quite so much.
Data And Security Concerns
There are data security concerns that arise from use of the Pokémon GO app.
First, users that want to play Pokémon Go must sign in to the app. There are two ways to do so—through an existing Google account, or through an existing Pokémon Trainer Club Account. Up until very recently, the Pokémon website did not allow users to sign up for Pokémon Trainer Club Accounts due to overwhelming demand. Thus, for most people, the only way to play Pokémon GO was by signing in to the app with their Google accounts. Even though the option to create a Trainer Club Account is now available, doing so requires more time and effort than signing in through an existing Google account.
On Monday July 11, it was discovered that users who signed in through their Google accounts were unwittingly giving Niantic Labs—the developer that created the game—full access to the information in their Google accounts. This included access to email. The developer insists that it is not actually accessing all of the information in users’ Google accounts and claims that an update that was recently released apparently limited the scope of Niantic’s access. Nonetheless, for employers who have employees that use Gmail accounts for work purposes, there has been and continues to be risks to information security presented by allowing such employees to play Pokémon GO.
To make matters worse, there is a malicious version of the Pokémon GO program that includes a remote access tool called Droidjack. This tool, which was uploaded to a file sharing service on July 7, can give hackers full control over android users’ phones. If a Pokémon GO user is playing the game on the phone they use to send work-related communications or on which they store work-related documents, this means that hackers could conceivably access such communications and documents on infected android phones of Pokémon GO users. This poses risk for employers as well.
Employers that have Pokémon GO players in their facilities may also face safety issues. Niantic teamed up with Google Maps to put Pokémon characters in real-life places. When a Pokémon is nearby, the app informs the player of its location. Additionally, certain locations such as “gyms” and “poké stops” are hotspots for catching Pokémon. Certain characters in the game are harder to catch and more highly coveted than others, so finding one of these popular characters nearby often excites players, and they will “hunt” them in a wide variety of physical spaces.
As recent headlines have demonstrated, employees who are focused on the game while walking around work property could be putting themselves in danger of tripping, falling or otherwise injuring themselves while playing. Similarly, employees whose job duties include driving or operating heavy machinery, or whose jobs require them to work in the vicinity of heavy machinery, risk injury to themselves or others if they attempt to play the game during work hours. Indeed, there may be heightened safety concerns for certain employers in highly regulated environments like healthcare, where patient safety and health could be impacted by a distracted workforce. Indeed, even employers in the retail industry could suffer if their employees are too distracted to assist customers.
If an employer’s workforce is using company-issued devices, employers can simply disable access to the app on company-owned devices. In fact, some employers have already taken this step. Though blocking the app on company-owned devices takes care of part of the problem, many employers have BYOD (Bring Your Own Device) programs and will have employees using the same device to perform work and play Pokémon GO. Employers in this situation should consider the following steps:
- Have employees install encryption software provided by the employer to protect sensitive data and agree to not modify the software;
- Monitor or prohibit employees from accessing and downloading of external programs, apps and files or specific ones that pose security risks, like Pokémon GO;
- Review your safety policy to ensure it encompasses activities similar to safety risks associated with Pokémon GO (i.e., limited use of handheld devices in hazardous work areas, etc.);
- Create guidelines that prohibit employees from playing games such as Pokémon GO during work time (even if it is downtime) and restrict when and where such games can be played on work property during non-work hours.
For more information on this or any related topic please contact the authors, your Seyfarth attorney, or any member of the Workplace Policies and Handbooks Team or OSHA Compliance, Enforcement & Litigation Team.