How Information Technology Uses (and Misuses) Power

One of an IT department’s responsibilities is to keep people from harming themselves. In some ways, IT is the digital version of OSHA. Instead of keeping ladders from falling on people and boilers from exploding, IT keeps people from getting hacked or from losing track of which of the seven versions of a document they really wanted. Problems appear when an organization tries to use IT to implement safeguards against liability. Liability is a legal issue, not a technical one. Much as passwords got co-opted for security purposes when they were originally intended to differentiate identities, legal departments say, “Hey, we can keep people from doing dumb stuff and getting us sued,” when in fact people are not doing dumb stuff. Legal just wants the easiest way to mitigate liability. That intention isn’t wrong, but rather misplaced.

While liability remains very real and an important part of professional computing responsibility, IT departments will leverage options intended for other purposes, creating a backlash (and unintended workarounds) that undermines the original intention to mitigate liability. You want to protect people from opening themselves up to liability? Then collaborate to create real legal safeguards. For example, let’s say Legal wants to reduce liability from unauthorized patient data access. The organization as a whole wants to spend less money and reduce risk. The simple (and wrong) answer is to make IT implement inactivity timers on computers, because the “only” cost is the software implementation, i.e., the IT labor charge. Inactivity timers on computers are input-based software solutions that demand users pay a frequent attention toll, e.g., press a button every 2 minutes, so that Legal can shrug and say, “We did our legal best to keep data theft from happening, so we’re safe in court.” Nickel-and-diming staff attention feels like merely lost pennies to the management who make these decisions. Except people with power, influence, and/or creativity (of which there are plenty in any organization) will pursue and spread workarounds to resolve the annoyances created by inactivity timers, creating a liability risk which many people are either willing to undertake or otherwise offload back to the organization, undermining the whole point of inactivity timers in the first place.

If an organization gets serious about liability safeguards, it can implement one of multiple identity-based solutions, where the mere proximity of an employee can grant access to a computer with the touch of a button (or other explicit confirmation of desiring access). Beyond making for a much more user-centric work environment, identity-based solutions also provide an employer with better usage data and user tracking, with which an employer can better defend itself and its employees. If what the legal department really wants is for a computer screen to turn off when a nurse walks away, then the organization should pay for a solution that detects proximity and not only turns the screen off when the nurse is out of range, but turns the screen back on when the nurse returns. Make the technology work for the user, not vice versa. If such a system is too expensive, then maybe it’s time to question the financial viability of the whole operation in the first place, because making people do the extra work of technology is how you further sink your financial viability.

Don’t just tolerate users, advocate for them. When done well, IT sees empowering users as an advantage, not a threat. Let’s look further at proximity detection as a way IT could shine, if they understand the opportunity there. Yes, this will require notable hardware and software deployment, but once completed, the organization achieves the following benefits:

1) Legal achieves its desired automated security and corresponding liability protection for all staff.
2) After initial deployment, IT sees minimal hardware and software upkeep.
3) (The one IT doesn’t say out loud) IT gets the opportunity to curry employee favor by actually making people’s workdays easier instead of harder.
4) Management gets access to a whole new dataset for employee physical traffic and workspace use, to monitor busy spots, pain points, underutilization, etc.

And it gets better! #4 will initially freak out a lot of staff. What, you’re gonna track my every movement? Am I gonna get penalized by my boss for taking too long to use the bathroom? The winning answer: patient care is legally HIPAA protected. Metadata about caretaker activity can inadvertently reveal patient data (e.g. by cross-referencing a patient’s visit with their doctor and then seeing that the doctor went to the blood draw station, showing the patient likely got their blood drawn), so employee-tracking data must also become HIPAA protected. Now management can tell employees that if employee activity were used for any HR determinations, that would empower employees to sue the organization for a HIPAA breach for the exact same reason patients could sue.

Employees feel a little better because they understand the seriousness of HIPAA much more than a flimsy, “Oh don’t worry, we would never do that” promise from their employer, plus employees gain a greater stake in why HIPAA protection practices matter, because now management puts employees in the same boat as their patients with regards to data protection. HR breathes easier because they don’t get caught in the middle between employees and management, Legal doesn’t care because they got what they wanted, and IT gets to look even better because they now can provide actual anonymized data that says, hey really, nobody uses the snack room on the third floor. Turn it into a set of offices and put two more vending machines on the second floor where all the staff traffic goes. And now management looks like it’s actually in touch with its employees while making more money off previously unused space.

Let’s be clear, I strung together a whole bunch of made-up possibilities and answers. But the main point stands: when IT advocates for users and positions advocacy such that investment can provide long-term tangible returns to an organization, IT wins by helping everyone win. Mediocre IT people accept directives from superiors and create pain for users. Good IT people sell directives as investment opportunities back to their superiors, and then implement directives in such a way as to reduce pain and maximize goodwill.
