Training and Awareness

Ponemon’s 2018 Cost of a Data Breach Study estimates the average cost of a data breach is USD $148 per record, or $3.86 million, which is a 4.8 percent increase over 2017. The United States, Canada and Germany have the highest per capita costs at $233,

In early 2014, a Yahoo! employee allegedly opened a “spear fishing email that created a massive vulnerability for the company.”3 Half a billion Yahoo! accounts were exposed to Russian hackers, who allegedly forged cookies to directly access more than 6,500 Yahoo! accounts. The hackers sought access to the accounts of Russian and U.S. government officials as well as high-ranking international executives. For two years, Yahoo! was pillaged of user data and its own technology.

7.1 Education and Awareness

1. Education and awareness reinforce the organization’s privacy policy and practices. Education allows for communication and social acceptance of the privacy policy and supporting processes.

2. Education efforts may be recorded in employee records and include formal and informal methods such as:

   1. Classroom training

   2. Online learning through streaming, videos and websites

   3. Poster campaigns

   4. Booklets

   5. Workshops

3. Training is a key control, and under some regulations—such as the U.S. Health Insurance Portability and Accountability Act (HIPAA) of 1996—it is required. However, training must go beyond checking a box. It must address applicable laws and policies, identify potential violations, address privacy complaints and misconduct, and include proper reporting procedures and consequences for violating privacy laws and policies.

4. The words training and awareness are used interchangeably, but they serve different functions.

   1. Training communicates the organization’s privacy message, policies and processes, including those for data usage and retention, access control and incident reporting. Training must be engaging—for example, using gamification or creating friendly competitive contests—to motivate individuals to protect information.

   2. An organization’s privacy awareness program reinforces the privacy message through reminders; continued advertisement; and mechanisms such as quizzes, posters, flyers, and lobby video screens.

   3. Some mistakes typically associated with education and awareness include:

      1. Equating education with awareness

      2. Using only one communication channel

      3. Lacking effectiveness measurements

      4. Eliminating either education or awareness due to budget concerns

   4. Awareness-raising is one of the key aspects of the privacy framework and should be prioritized for all organizations. It can come in different forms, none of which require huge budgets. If people are not aware of what they are processing, they are also unaware of the consequences and liabilities that result from not knowing.

7.2 Leveraging Privacy Incidents

1. Most privacy compliance programs have mechanisms for gathering information regarding privacy incidents. While these incidents result in investigative work by the privacy office, they also provide training opportunities. Where possible, the privacy office should provide targeted training to the affected department. When privacy incidents occur, it is important to consider the following:

   1. Where possible, leverage lessons learned from events that make the headlines

   2. Use mistakes as learning opportunities to improve processes rather than as cause for complaint.

   3. Use stories

   4. Hold lunch and learn sessions

   5. Make it fun

   6. Develop slogans that can be used in presentation to capture the essence of the message.

7.3 Communication

1. Communication is one of the most effective tools an organization has for strengthening and sustaining the operational lifecycle of its privacy program.

2. Privacy information is dynamic and constantly changing, so for privacy policies and procedures to remain effective, organizations must continually communicate expectations and policy requirements to their representatives—including contractors and vendors—through training and awareness campaigns.

7.4 Creating Awareness of the Organization’s Privacy Program

1. Awareness means to be vigilant or watchful.

2. From a privacy perspective, achieving awareness requires communicating the various components of an organization’s privacy program, thus creating a vigilant or watchful attitude toward the protection of personal data. The need for the privacy office to constantly put reminders in front of their workforce requires innovative thinking to identify different reminder techniques.

7.4.1 Internally

1. How does an organization build an awareness program internally? A good place to start is through interdepartmental cooperation working toward the shared goal of privacy protection.

7.4.2 Externally

1. Creating external awareness of a privacy program requires different resources and methods than building internal awareness. External awareness is more directed toward building confidence through brand marketing.

7.5 Awareness: Operational Actions

1. The privacy team, along with all relevant departments, can take the following operational actions to ensure ongoing awareness:

   1. Develop and use internal and external communication plans to ingrain operational accountability

Communicate information about the organization’s privacy program

1. 2. Ensure policy flexibility for incorporating changes to compliance requirements from laws, regulations and standards

   3. Identify, catalog and maintain all document requirements updates as privacy requirements change.

7.6 Identifying Audiences for Training

1. Staff, managers, contractors and other third parties may need privacy training. The key is to identify who has access to personal information and provide targeted training to those people.

7.7 Training and Awareness Strategies

1. Training and awareness must have the intention of changing bad behaviors and reinforcing good ones that are integral to the success of the privacy program. Many organizations have a learning and development group managing activities related to employee training.

2. Steps for a successful communication and awareness campaign include:

   1. Assessing the organization’s education and awareness initiatives

   2. Sustaining communication via awareness and targeted employee, management, and contractor training

   3. Partnering with HR or training functions, or an organizational change management expert

   4. Using badges and slogans

   5. Repeating training over a predetermined period (e.g., annually, biannually)

   6. Using microlearning or blended learning

   7. Inserting privacy messaging into other department trainings

   8. Going to road shows and staff meetings

   9. Tracking participation and comprehension

7.8 Training and Awareness Methods

1. Companies must think of innovative ways to communicate training and awareness

opportunities to their employees. Methods may differ based on the company’s culture and budget. Some methods are low-cost. It is not uncommon for companies to use different ways for delivering messaging. Examples include:

1. 1. Formal Education

   2. E-Learning

   3. Road Shows and department team meetings

   4. Newsletters, Emails, and posters

   5. Handouts

   6. Slogans, and comics

   7. Videoteleconferencing

   8. Web Pages

   9. Voicemails

7.9 Using Metrics

1. Privacy programs are generally not seen as revenue-generating; however, they can reduce risk. For privacy programs to show how they support the company’s mission and prove to regulators they are actively addressing compliance risks, they must keep records regarding training and awareness programs, including any remediation taken after an event.

2. Sample training and awareness metrics include:

   1. Number of training or awareness opportunities by topic

   2. Number of individuals who enrolled or received awareness communication

   3. Training method (e.g., live, online, poster, road shows)

   4. Percent of training completed

   5. Results of quizzes or knowledge tests

   6. Changes to the number of privacy incident reports or requests for consultation or additional training

7.10 Summary

1. As companies continue to closely monitor training seat time, the privacy compliance program should seek out innovative ways to ensure its message continues to be heard. This means the program must build alliances with other similar organizations, such as cybersecurity and physical security, to ensure a consistent message is carried through all applicable training. Where possible, the topic of privacy should become a core topic within the company, ensuring its importance is emphasized in the code of conduct.

2. Awareness is an ongoing journey, during which the privacy program can leverage company technology to build a privacy coalition and facilitate friendly competitions but, more importantly, make protecting information personal through practical application. An effective training and awareness program makes a complex topic comprehensible and enables people to integrate key aspects of it effortlessly into their daily routines.