Ponemon’s 2018 Cost of a Data Breach Study estimates the average cost of a data breach at USD $148 per record, a 4.8 percent increase over 2017, or $3.86 million per breach. The United States, Canada and Germany have the highest per capita costs at $233,
In early 2014, a Yahoo! employee allegedly opened a “spear phishing email that created a massive vulnerability for the company.”3 Half a billion Yahoo! accounts were exposed to Russian hackers, who allegedly forged authentication cookies to directly access more than 6,500 Yahoo! accounts without needing the account passwords. The hackers sought access to the accounts of Russian and U.S. government officials as well as high-ranking international executives. For two years, the attackers siphoned user data and Yahoo!’s own proprietary technology.
Education and awareness reinforce the organization’s privacy policy and practices. Education allows for communication and social acceptance of the privacy policy and supporting processes.
Education efforts may be recorded in employee records and include formal and informal methods such as:
Classroom training
Online learning through streaming, videos and websites
Poster campaigns
Booklets
Workshops
Training is a key control, and under some regulations—such as the U.S. Health Insurance Portability and Accountability Act (HIPAA) of 1996—it is required. However, training must go beyond checking a box. It must address applicable laws and policies, identify potential violations, address privacy complaints and misconduct, and include proper reporting procedures and consequences for violating privacy laws and policies.
The words training and awareness are often used interchangeably, but they serve different functions.
Training communicates the organization’s privacy message, policies and processes, including those for data usage and retention, access control and incident reporting. Training must be engaging—for example, using gamification or creating friendly competitive contests—to motivate individuals to protect information.
An organization’s privacy awareness program reinforces the privacy message through reminders; continued advertisement; and mechanisms such as quizzes, posters, flyers, and lobby video screens.
Some mistakes typically associated with education and awareness include:
Equating education with awareness
Using only one communication channel
Lacking effectiveness measurements
Eliminating either education or awareness due to budget concerns
Awareness-raising is one of the key aspects of the privacy framework and should be prioritized for all organizations. It can come in different forms, none of which require huge budgets. If people are not aware of what they are processing, they are also unaware of the consequences and liabilities that result from not knowing.
Most privacy compliance programs have mechanisms for gathering information regarding privacy incidents. While these incidents result in investigative work by the privacy office, they also provide training opportunities. Where possible, the privacy office should provide targeted training to the affected department. When privacy incidents occur, it is important to consider the following:
Where possible, leverage lessons learned from events that make the headlines
Use mistakes as learning opportunities to improve processes rather than as cause for complaint
Use stories
Hold lunch and learn sessions
Make it fun
Develop slogans that can be used in presentations to capture the essence of the message
Communication is one of the most effective tools an organization has for strengthening and sustaining the operational lifecycle of its privacy program.
Privacy information is dynamic and constantly changing, so for privacy policies and procedures to remain effective, organizations must continually communicate expectations and policy requirements to their representatives—including contractors and vendors—through training and awareness campaigns.
Awareness means to be vigilant or watchful.
From a privacy perspective, achieving awareness requires communicating the various components of an organization’s privacy program, thus creating a vigilant or watchful attitude toward the protection of personal data. Because the privacy office must constantly put reminders in front of its workforce, it needs innovative thinking to identify different reminder techniques.
How does an organization build an awareness program internally? A good place to start is through interdepartmental cooperation working toward the shared goal of privacy protection.
Creating external awareness of a privacy program requires different resources and methods than building internal awareness. External awareness is more directed toward building confidence through brand marketing.
The privacy team, along with all relevant departments, can take the following operational actions to ensure ongoing awareness:
Develop and use internal and external communication plans to ingrain operational accountability
Communicate information about the organization’s privacy program
Ensure policy flexibility for incorporating changes to compliance requirements from laws, regulations and standards
Identify, catalog and maintain updates to all required documents as privacy requirements change
Staff, managers, contractors and other third parties may need privacy training. The key is to identify who has access to personal information and provide targeted training to those people.
7.7 Training and Awareness Strategies
Training and awareness must have the intention of changing bad behaviors and reinforcing good ones that are integral to the success of the privacy program. Many organizations have a learning and development group managing activities related to employee training.
Steps for a successful communication and awareness campaign include:
Assessing the organization’s education and awareness initiatives
Sustaining communication via awareness and targeted employee, management, and contractor training
Partnering with HR or training functions, or an organizational change management expert
Using badges and slogans
Repeating training over a predetermined period (e.g., annually, biannually)
Using microlearning or blended learning
Inserting privacy messaging into other department trainings
Going to road shows and staff meetings
Tracking participation and comprehension
Companies must think of innovative ways to communicate training and awareness opportunities to their employees. Methods may differ based on the company’s culture and budget, and some methods are low-cost. Companies commonly deliver the same message through several channels. Examples include:
Formal education
E-learning
Road shows and department team meetings
Newsletters, emails and posters
Handouts
Slogans and comics
Video teleconferencing
Web pages
Voicemails
Privacy programs are generally not seen as revenue-generating; however, they can reduce risk. For privacy programs to show how they support the company’s mission and prove to regulators they are actively addressing compliance risks, they must keep records regarding training and awareness programs, including any remediation taken after an event.
Sample training and awareness metrics include:
Number of training or awareness opportunities by topic
Number of individuals who enrolled or received awareness communication
Training method (e.g., live, online, poster, road shows)
Percent of training completed
Results of quizzes or knowledge tests
Changes to the number of privacy incident reports or requests for consultation or additional training
As companies continue to closely monitor training seat time, the privacy compliance program should seek out innovative ways to ensure its message continues to be heard. This means the program must build alliances with related functions, such as cybersecurity and physical security, to ensure a consistent message is carried through all applicable training. Where possible, privacy should become a core topic within the company, with its importance emphasized in the code of conduct.
Awareness is an ongoing journey, during which the privacy program can leverage company technology to build a privacy coalition and facilitate friendly competitions but, more importantly, make protecting information personal through practical application. An effective training and awareness program makes a complex topic comprehensible and enables people to integrate key aspects of it effortlessly into their daily routines.