Fitbit celebrates a banner year in 2015—the company’s IPO raised $841 million and sold $1.8 billion worth of merchandise. It also made strides entering the corporate wellness market with over 70 large employers like Target and Barclays having purchased devices in bulk for their staff. Today, it is the largest provider of wearable devices in corporate wellness, and the first choice in devices by employers familiar with the technology, according to the Corporate Health & Wellness Association’s 2015 survey, The State of Wearables in the Workplace.
But the success of 2015 has been overshadowed early in 2016 by two company problems: the rollout of its new smartwatch sent the company stock tumbling and a data breach from hackers looking to commit warranty fraud compromised personal data of Fitbit device users.
Warranty fraud is when hackers gain access to a user’s account, changes the user’s personal information like email addresses and passwords, and then order a replacement device under the user’s warranty. The problem is the hackers were able to gain access to user’s GPS history, letting the attackers know where and when users exercise and sleep. Other big companies like Sony Pictures, Primera Blue Cross and Anthem, plus retailers such as Staples, the Home Depot and Target, have all been subject to cyber-attacks in the last year.
Security investigation analysts believe that this was not a breach at Fitbit, but rather the normal problem of companies having to deal with user account takeovers that stem from password re-use and user PC compromises.
Scientists, like Dr. Rosalind Picard, at Massachusetts Institute of Technology (MIT), Cambridge, Mass., indicate that privacy information and wearable technology is a tough space.
“A lot of these devices are right on the border of consumer health and medical information but most are not seeking HIPPA compliance,” Dr. Picard explained. “I don’t think you’re going to get the highest standards, standards that are being upheld by a government body like the FDA because it’s a lot of work. These companies are consumer oriented, they sell to consumers and maximizing that. To my knowledge, they are not going for the highest standard FDA clearance. There is no perfect protection out there. A wearable tech device company can just do more work and be subject to more scrutiny and choose the higher path.”
Critics in the corporate wellness industry do not believe the compromising of personal data of Fitbit users will be problematic for the wellness industry.
“I don’t think this is going to be a major setback for the wellness industry,” said Al Lewis, CEO of Quizzify. “The Staywell hack wasn’t, and this really involves very few accounts. I think this is another reason why an employer should find wellness solutions, though, that do not involve employees having to put data somewhere, and where employers are providing wellness for employees and not to them—find something that does not involve data but culture instead. I think in the long run it will spur people to move away from wellness done to them rather than for them.”
The data breach for Fitbit users raises questions about the liability employers, and Fitbit itself, faces well as questions surrounding data security and privacy in the future. News reports by CNBC.com report that Fitbit put the blame for security issues on the shoulders of their users, stating that a spokeswoman from Fitbit said, “Our investigation found that the accounts that were accessed by an unauthorized party had ‘leaked’ credentials [email addresses and passwords], compromised previously from other third-party sites.”
“Are employers liable for the damages caused by this data breach, since they put wearables into their employees hands?” said Lewis. “No, I am almost certain they are not. If you required people to get Fitbits as a condition of being insured by you, then yes, there is certainly some kind of derivative liability argument, but if making them available for free, there’s no liability there.”
So what does this mean for employers? In many cases, the employer put the device on their employee’s wrist, so what is their responsibility to their employees for any damages that may arise from this situation? Will employers begin to migrate to a new device with better security?
“For the actual device market itself, I don’t think this will cause employers to switch to different devices,” said Lewis. “The issue is whether or not employees are willing to put their personal data somewhere in order to get money from an employer. Fitbits tend to have more functionality per dollar, they’re a good deal. This won’t change adoption rates.”
As to Fitbit’s response to the leak, there is a lot of room for improvement, according to Lewis. “I think this is a classic example of how Johnson and Johnson responded to the Tylenol tampering—they went out of their way sacrificing short-term profit to put the country at ease, so their response is a lesson in learning how to best respond. The customer is always right until proven wrong. They did not do that.”
This data leak will not spell the end of wearable devices, it is just a signal that employers need to educate themselves on what wearables are and how they operate.
“What is working in the wearable technology space are those devices that are manufactured by companies who provide a solid education to its users—consumers as well as employers, who are really consumers in this case—of its technology,” explained Jonathan Edelheit, President, Corporate Health & Wellness Association (CHWA). “Our CHWA wearables survey reports there are many employers who are aware of wearable devices but lack the knowledge of how they exactly work. When breaking news of this nature happens it reveals what is not working in a space where no room for compromising sensitive data should even exist.”