
Why is Data Privacy Training Required for Employees?

Data breaches of personal information can hurt a company's employees as well as customers. Learn why training is necessary.

Employees may be quick to blame their IT department for not preventing a data breach in order to relieve themselves of any responsibility, but a system is only as secure as the people who use it. More often than not, human error is the cause of compromised privacy and security and the resulting loss of sensitive data.

Employers need to prevent data hacks and cybersecurity breaches by providing the required data privacy training for employees. Without appropriate training on how hackers gain access to personal data, employees will be unable to recognize a threat to data privacy when it arises.

As an added bonus, states have begun providing legal incentives in order to encourage organizations to provide adequate awareness training on the subject. This should serve as a strong motivator to establish employee training on the matter of data protection.


Why do employees need to be trained about data security?

Most electronic data losses occur when malware tricks an employee into clicking a link or installing a program from the internet, which then infects the target device, whether a computer, phone or tablet. Spoofing, by contrast, impersonates a trusted party so that the employee believes the request for information is legitimate and sends the data.

Data breaches are often imagined as hackers hired by criminal organizations or nation-states breaking into company networks to extract sensitive and private data. In practice, employee error, and not only electronic breaches, is the cause of most data loss: simple, non-malicious mistakes due to negligence.

The media is quick to draw attention to attacks in which a company is compromised and held for ransom, yet most incidents happen through employee error: leaving printouts on the copier, taking printouts home to read on public transport, or discarding paper in the trash instead of shredding it.

As we can see, the risks to personal data come in many forms, and only by implementing appropriate security awareness training can an organization give its workforce the tools to keep sensitive data from being leaked to unauthorized third parties.

What are the consequences of data breaches for companies?

First off, both employers and employees may face civil fines and criminal prosecution if a breach occurred as a result of negligence and noncompliance. These penalties should be highlighted to employees in order to bring home the seriousness of data privacy and security and the consequences of personal information loss.

To name only a few, regulations like the Health Insurance Portability and Accountability Act (HIPAA) can impose fines of up to $50,000, while a breach of the Gramm-Leach-Bliley Act (GLBA), which mainly covers financial organizations, can result in fines of up to $100,000 for each violation.

Under the European Union's General Data Protection Regulation, also known by the acronym GDPR, organizations can face fines of up to €20 million or 4% of adjusted gross revenue, whichever is larger. These privacy laws are a significant motivator for companies to establish security awareness training.

What is more, when personal information theft occurs it needs to be corrected with the utmost urgency. In addition to putting a company out of action if the infected networks have been disabled by ransomware, the target companies will need to hire experts, who will have to be paid premium rates, to correct the breach.

One can also not ignore that many consumers are said to be in favor of boycotting companies that do not keep their personal data safe, and even more so if such companies are found to sell that data to third parties. Consumers expect more transparency and control over their own data, and governments are taking notice by introducing their own laws to protect every customer.

In this day and age it is difficult for companies to ignore the question of data privacy, both because of fines and because of the need to stay in consumers' good graces. Security awareness training simply cannot be ignored.

Data security training - what legal incentives are there?

The introduction of safe harbor laws by some states has served as an incentive to give companies a legal defense should a breach occur. Ohio and Utah are, for example, two states which have offered such legal incentives to companies that have been proactive in implementing data protection awareness training.

Utah and Ohio companies that have established data security training and an appropriate course on consumer privacy will be able to argue a reasonable defense if a data privacy breach occurs. However, this will not protect them if a warning of the impending breach is given and ignored. Connecticut is also considering similar legislation, and in due course more states will follow suit.

Also to note is that the Biden administration aims to spend $6 trillion on improving the nation's cybersecurity, and this financial commitment should bring with it financial incentives to help every company establish a training course to raise employee security awareness.

If you need help raising data privacy awareness in your workforce, try EasyLlama's data security training. We'll educate and show your team everything it needs to know on data privacy and cybersecurity.

Which divisions should be trained in data protection law?

Although cybersecurity is often thought of as the sole remit of the IT department, this is quite far from the truth. Product developers and all other employees can be involved in processing personal data and as such should receive security awareness training to avoid breaches. Let's not forget that the HR department handles a great deal of sensitive employee data and should receive adequate privacy training to make sure the company complies with data protection regulations.

Privacy awareness training comes down to educating the general workforce about the regulations in place with respect to data privacy and the policies the company has in place, so that both are complied with. This includes, for example, making employees aware of the difference between data security and data privacy.

Furthermore, while data breaches may come from outside attacks, the less obvious risks arise in the normal course of day-to-day business when employees handle personal information. These risks are accepted whenever fallible employees are given complicated tasks to complete against deadlines. Data privacy compliance often conflicts with a company's economic priorities, and the right balance is hard to find.

What Is Privacy Awareness Training?

Privacy awareness training should cover the data protection regulations relevant to the company's specific industry, the policies and best practices in place at the company, and how compliance with them is to be achieved. Particular emphasis should be placed on distinguishing between data security and data privacy.

Some significant points need to be highlighted, such as how personal information must be properly handled and the fact that company employees are specifically targeted by hackers. The risks employees create in how they conduct business on a daily basis are ones they choose, so the training must equip them to fail safe as they go about their daily tasks.

For example, the basics of data privacy training should cover how data is classified, how it is handled during its lifecycle (namely storage and destruction), and the rights of consumers over their data. Departments such as customer support or marketing, where employees' role is specifically to handle private customer or consumer data, need to be introduced to the concept of "privacy by design". The business needs to integrate data protection concepts into everything the employees do.

The purpose of employee training is not to turn employees into legal experts but simply to raise their awareness of common sense and basic principles regarding personal data handling, use, choice, access, and consent.

What Information Should The Training Cover?

In order to effectively raise the awareness of an organization's workforce with respect to data privacy, several topics need to be covered, ranging from data privacy laws, reporting and data categorization to training employees to spot scams and prevent them.

Reporting

Privacy training should help employees accurately identify what personal data is, how it can be adequately protected, and what the appropriate response should be in case of a breach. A data protection course should pay particular attention to compliance with the company's data privacy policies and procedures, to which employees can refer when in doubt about how data privacy should be handled. Last but not least, a privacy and data protection course should deal with reporting a breach, and employees should be encouraged to speak up even if it is only a suspicion.

PII and sensitive data

The data protection course should make the distinction between personally identifiable information (PII) and sensitive data. The former would relate to an individual's name, location or identification number while the latter would involve racial or ethnic origin, political opinions, religious beliefs, trade union membership, sexual orientation or health records. If employees handle both types of data the privacy training should show how an extra level of caution should be taken when sensitive data is accessed.

Data privacy laws

An organization should also implement a course that covers current data privacy laws, in order to demonstrate that compliance is not only good practice for the organization but a requirement of the law. A compliance training company can help an organization train its employees to follow the law.

An overview of current data privacy laws should be integrated into a course without being exhaustive; those that come to mind are the Health Insurance Portability and Accountability Act (HIPAA), the California Consumer Privacy Act (CCPA), the Americans with Disabilities Act (ADA), and the Family Educational Rights and Privacy Act (FERPA). Whether a company will need to comply with these laws depends on many factors, such as industry group or location, since some states have their own, like the data privacy laws in New York.

The risk of social networks

While privacy training should familiarize employees with the notions of hacking and ransomware, these fall more within the remit of the IT department. The course should show that such attacks often follow a social engineering attack, in which a hacker gets an employee to do something that gives the attacker access to the information they are after.

For example, an employee could receive a link from a known contact that is in reality a hacker impersonating that contact, as a way to trick the employee into handing over protected data or access information that will give the hacker access to this data.

Employees need to be trained in identifying such scams during the data privacy and security training course.

Email scams

Similarly, phishing emails also need to be identified, and appropriate training will give employees the skills to distinguish genuine requests from fake ones. For example, a few simple cues, such as spelling or grammatical mistakes in the body of the email or in the sender's domain name, should be a red flag, and employees need to know how to act accordingly.

The most important course of action for employees is to take their time and think before doing anything with an unexpected email. The same is true when visiting websites where calls to action invite users to click on links.

Password policies

Password security needs to be paramount, and a policy should be in place requiring a unique password as well as multi-factor authentication when accessing private consumer or employee data. While passwords create a virtual secure wall, physical security should not be taken lightly. Attention should be paid to the importance of safe browser use and screen locking. Keeping software up to date with the latest patches and updates adds an extra level of security.

Unfortunately, despite all the training and goodwill, data breaches will still occur. It is therefore important to have a data privacy policy in place that sets out how such breaches are to be dealt with, to whom they must be reported once they are recognized, and how to determine which devices have been compromised.

As we have seen, it is paramount that an organization implements a comprehensive privacy training program that is relevant to the specific risks its employees encounter. By emphasizing the threat of phishing among online attacks, management will fundamentally change the organization's culture with respect to data protection and its best practices.

Protecting a company's information is everyone's job

When employees are made aware of data privacy they often think of data security and dismiss the matter as not being within their realm of action but rather that of the IT department. This could not be further from the truth. While data security concerns how data is protected from external and internal threats, data privacy concerns how data is collected, stored, and transmitted.

While systems and software can prevent breaches humans are considered to be the biggest risk with respect to privacy and security of data. Making employees aware of these distinctions is paramount in order to protect an organization and its private data.
