Listen to this post

Catch ’em all!  Pokémon Go is a mobile game that uses “augmented” reality to create a virtual scavenger hunt.  In the quest to catch ’em all, over 15 million people have downloaded the Pokémon Go game since its recent release.  Employers have grappled with employees’ personal use of electronic devices during work hours since gaming fads such as Candy Crush and Draw Something were released.  However, beyond creating a simple distraction in the workplace, the explosion of Pokémon Go subjects employers to potentially costly risks, including worker safety issues, lost productivity, data breach possibilities, and misuse of company resources. What are the Risks?

1.  Worker Safety

An attractive feature for Pokémon Go users is an integrated module that “lures” players to various locations such as shops and landmarks.  Employees may also chase their beloved Pikachu down the hall at work, thereby increasing the chance of workplace accidents or entering restricted or hazardous areas.  The exploratory nature of this game is particularly concerning for employers whose workers operate motor vehicles, work outside, or travel as part of their job functions.  The app increases the potential for risks such as pedestrian and vehicular accidents and other dangers that may result from user distraction or wandering in unfamiliar territory.

2.  Productivity

With eyes locked on smartphone screens, the addictive and time-consuming characteristics of this game are a natural cause for employers’ concern.  Employees taking extended lunches and breaks to chase fictional game characters are a reasonable cause for concern.  Against this unprecedented technology-driven dilemma, employers will need to remind workers of the company’s social media and device policies while closely monitoring unusual delays, lowered work productivity and increased absenteeism.

3. Data Vulnerability

The great wealth of information pooled through Pokémon Go’s user base has led to concern for data vulnerability in company databases and systems.  First, the sign-in function of the app requires plugging in data from an existing Google account or vis-à-vis a Pokémon Trainer Club account. Until recently, users were unable to sign up for the Pokémon Trainer Club accounts from the Pokémon website.  Therefore, for a majority of users, the sole channel to play Pokémon Go was by signing into their Google account.  A serious concern is the opening up of floodgates for third party access to a company’s database and system, especially when an app developer has unfettered access to users’ Google Drive and Google information.

Second, there is a host of permissions that are bypassed by users which gives third parties full access to corporate mobile devices used by employees.  This is particularly alarming given the numerous ancillary apps and websites which have sprung up since the release of Pokémon Go, providing hints and tips to users.  While the infectious Pokémon Go bandwagon is a feather in the cap of free-rider app developers, this means imminent risks for employers, include phishing emails and malware potentially entering a company’s system, if the employee is using an employer’s device to play the game. As such, employees could potentially expose their employer’s systems to mass data breaches and identity theft.  Not surprisingly, the app developer under the game’s terms of service is currently authorized to sell information that is received from third parties.

“Brace Yourself, Employers” – The Key Takeaways

Given that the gaming app continues to explode in popularity and similar games are likely to follow suit, it is important that employers roll up their sleeves and revisit workplace policies.  Employers should review and update acceptable use policies including use of mobile devices in the workplace.  Further, employers should look to discipline employees who violate these policies and ensure discipline is carried out in a consistent manner.

Employers also need to consider their legal duties to take all reasonable steps to ensure that the personal information they collect and retain is secure.  Employers should be specific in telling employees how they may use their company-owned devices.  For example, employers should enumerate the circumstances in which personal use of company-owned devices will be permitted.  Further, employers might consider blocking the app on company-owned devices or implementing a “Bring Your Own Device” program.  In addition, employers should consider the following steps to address the foregoing risks:

  • Develop or amend, if necessary, an electronic device policy that requires employees to refrain from downloading and accessing smartphone apps, websites, programs and files that may pose a security risk, such as Pokémon Go;
  • Create or enforce written procedures on installing company encryption software for protecting sensitive data with an agreement signed by employees to not modify the software;
  • Introduce guideline language for employees to refrain from playing games or restrict the time and place such games can be played during work hours and on work property; and
  • Review, and amend if necessary, written safety procedures to capture activities that may pose safety risks, including a provision limiting the use of handheld devices and entering restricted or hazardous areas.

For background on employer monitoring of company technology and BYOD policies, see our previous posts here and here.