Introduction
This checklist will assist in-house counsel, private practitioners, and compliance personnel who are fully or partially responsible for developing or overseeing their organization’s data privacy and security law training program. It provides an overview of the key areas to cover when training business colleagues on data privacy and security compliance. The checklist covers the following steps:
- Provide context for training
- Detail device policies
- Set out office security measures
- Develop phishing awareness
- Train on data privacy obligations
- Explain reporting and enforcement policies
The checklist is presented as a list of requirements that you can check off as they are addressed in your training plan. At the end of each step, there are explanatory notes corresponding with each requirement in the checklist. This checklist may be used in conjunction with How-to guides: How to determine and apply relevant US privacy laws to your organization, How to develop, implement and maintain a US information and data security compliance program and Checklist: Understanding privacy laws in the US.
Step 1 – Provide context for training
| No. | Requirement |
| --- | --- |
| 1.1 | Discuss the overlap of data security and privacy |
| 1.2 | Explain what a data breach is |
| 1.3 | Explain importance of data breach prevention |
| 1.4 | Discuss common causes of data breaches |
| 1.5 | Explain typical company data life cycle |
Step 2 – Detail device policies
| No. | Requirement |
| --- | --- |
| 2.1 | Company devices |
| 2.2 | Personal devices |
| 2.3 | Password management |
| 2.4 | Email policies |
| 2.5 | Website access policies |
| 2.6 | Download restrictions |
Step 3 – Set out office security measures
| No. | Requirement |
| --- | --- |
| 3.1 | Disclose monitoring by organization |
| 3.2 | Share restricted area policies |
| 3.3 | Require reporting of unknown persons in office |
Step 4 – Develop phishing awareness
| No. | Requirement |
| --- | --- |
| 4.1 | Explain what phishing is |
| 4.2 | Explain how to identify phishing attempts such as email, spear, and HTTPS phishing |
Step 5 – Train on data privacy obligations
| No. | Requirement |
| --- | --- |
| 5.1 | Explain data privacy and data security obligations |
| 5.2 | Detail privacy and data security compliance requirements |
Step 6 – Explain reporting and enforcement policies
| No. | Requirement |
| --- | --- |
| 6.1 | What to report |
| 6.2 | How to report |
| 6.3 | Explain enforcement obligations |
| 6.4 | Discipline for non-compliance |
| 6.5 | Explain where to direct questions |
Explanatory Notes
General Notes
Legal framework
At a high level, organizations have an obligation to take reasonable steps to ensure data is secure from unauthorized access or corruption, as well as to keep certain types of sensitive information private. The sources of these obligations are multiple and are explained in more detail in How-to guides: How to determine and apply relevant US privacy laws to your organization and How to develop, implement, and maintain a US information and data security compliance program.
What is data security and privacy training?
Data security and privacy training teaches employees how to keep the organization’s data safe from unauthorized access and corruption, and why it matters. It sets out best practices for keeping data protected from unauthorized users while it remains usable for legitimate purposes. Cybersecurity Basics, a resource published by the Federal Trade Commission (FTC), offers practical tips on reducing the risk of cyber-attacks that can be incorporated into cybersecurity policies and training programs, such as:
- regular training on phishing;
- using email authentication (SPF, DKIM and DMARC) so that messages spoofing your domain can be detected and rejected; and
- protocols for handling a security threat or breach.
Importance of data privacy and security training for employees
All organizations that collect data have data and security training obligations, but it is the employees who must carry out these obligations on a daily basis. Training ensures employees are aware of their obligations, how to fulfill them, and why compliance with data security and privacy policies and procedures matters.
In some states, companies that develop, maintain, and comply with a cybersecurity program can assert a statutory affirmative defense against certain cybersecurity-related claims, such as a claim that an organization failed to appropriately respond to a security breach. Such programs must reasonably conform to a recognized framework (eg, the NIST Cybersecurity Framework), and security awareness training is an element of every such framework. See Ohio Revised Code section 1354.02.
Additionally, while hackers get much of the media attention, many data breaches are the result of employee action or inaction. Training can help avoid these types of breaches.
All personnel must at least be made aware of data security measures. Training is necessary for every employee with access to data; however, the depth and frequency of that training should vary according to how much data the employee can access and how sensitive it is. For example, a bank employee who sees customer Social Security numbers on loan applications will need more training in data security than an employee whose job does not entail any access to customer data.
Step 1 – Provide context for training
1.1 Discuss the overlap of data security and privacy
Data security and privacy are intertwined concepts. Data security refers to protecting an organization’s data, whatever it is, from unauthorized access, alteration, and loss. Data privacy concerns how an individual’s personal data (eg, health information) and information that could identify a particular individual (eg, an address, phone number, email address, or credit card number) is collected, used, retained, and shared. The two overlap heavily: privacy obligations cannot be met without security controls, but security alone does not make data handling lawful, since well-protected data can still be collected or used in ways the individual never agreed to.
1.2 Explain what a data breach is
A data breach occurs when protected, confidential, or other sensitive information is accessed, used, or disclosed without authorization. Data breaches may be digital, when unauthorized persons gain access through technical means such as phishing, malware, or exploitation of a software vulnerability; or physical, when unauthorized persons gain physical access to data, for example when an employee loses an unencrypted laptop or phone or leaves paper records unattended.
1.3 Explain importance of data breach prevention
The importance of data breach prevention to the organization should be explained to personnel. Data breach prevention helps ensure an organization’s legal compliance, protects against fines and adverse judgments, and maintains an organization’s reputation.
Also explain that data breach prevention is important to protect individual employees. Employees’ individual data, just like the data of customers, may be the target of a criminal’s efforts. Further, in some circumstances, high-level employees may be subject to fines or other legal liability for their role in certain data breaches.
1.4 Discuss common causes of data breaches
Data breaches are most commonly the result of technological missteps, human error, or some combination of the two. Common causes of data breaches include:
- Cyberattacks – a leading cause of data breaches. They come in many forms, from malware to exploitation of vulnerable systems to phishing, and most begin with a person being tricked or a password being guessed or stolen.
- Physical loss – loss or theft of a device is a common cause of data breaches, though a strong screen lock, full-disk encryption, and the ability to wipe a device remotely can prevent a lost device from becoming a breach.
- Inadvertent insider action – sometimes insiders breach data restrictions by mistake, for example by emailing a spreadsheet to the wrong recipient, or by using a co-worker’s logged-in computer and gaining access to files they would otherwise be restricted from accessing.
- Malicious insider action – insiders with access to sensitive data may intentionally leak or misuse information for personal gain or to harm the organization.
During training, the link between individual action and data breaches should be emphasized to convey that individual actions, such as complying with password policies and not clicking on suspicious emails, play an important role in protecting an organization’s data.
1.5 Explain typical company data life cycle
Explain how data moves through the company. Highlight areas where data is particularly vulnerable, as appropriate.
Step 2 – Detail device policies
How devices such as computers, tablets, and phones are used has a direct impact on data security in an organization. Training on device usage should set out the organization’s policies and, where possible, explain why each policy is in place so that employees understand its importance. Training should also tell employees where to find the policies and procedures for device usage.
2.1 Company devices
Training should explain all company device policies. Common company device policies include:
- passwords to log on to devices;
- physical locking of devices, if and when required;
- multi-factor authentication (MFA), which requires a second factor beyond the username and password to obtain access (eg, a one-time code from an authenticator app, a hardware security key, or a biometric check on the device); note that a personal identification number or a security question is another ‘something you know’ and does not provide a second factor;
- prompt acceptance of software and security updates;
- use of a virtual private network (VPN) for remote work;
- device encryption;
- non-circumvention of security measures; and
- regular data backups to ensure data recovery in case of loss or breach.
2.2 Personal devices
In training sessions explain all policies on the use of personal devices, aka ‘Bring Your Own Device’ policies. Common personal device policies to explain during training cover:
- the types of personal devices that are permitted;
- the requirement to separate work and personal use;
- the requirement that the same security standards that apply to company devices also apply to personal devices;
- the type of work that is not permitted on personal, non-company computers; and
- the procedures for reporting lost or stolen personal devices to ensure data protection.
2.3 Password management
Explaining password requirements during training is of utmost importance, as weak passwords pose a substantial risk to an organization’s data: short or common passwords are guessed or cracked almost instantly with freely available tools and lists of previously breached passwords. NIST’s Digital Identity Guidelines (SP 800-63B) set out password practices that organizations may wish to review in developing their policies and training; notably, they favour length over complexity rules, screening new passwords against lists of compromised passwords, and changing a password when compromise is suspected rather than on a fixed schedule. At the very least, training on passwords should cover:
- password creation requirements such as length of password, avoidance of common words and phrases, and other strong password standards;
- permissible and impermissible methods of storing passwords;
- when passwords must be changed (eg, on suspected compromise) and whether the organization also requires periodic changes; and
- prohibition on sharing passwords.
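The following is an added example, not part of the original checklist, showing how the NIST guidance referred to above can be turned into an actual policy check rather than a slide. The organization name, the tiny blocklist and the thresholds are assumptions for illustration; a real deployment would load a full list of breached passwords or query one by hash prefix, as the last function shows.

```python
"""Password-policy check modelled on NIST SP 800-63B (memorized secrets).

Added example; this is not code from the original checklist. Assumptions,
labelled here: the organisation name, the tiny blocklist and the thresholds
are stand-ins. SP 800-63B asks for a minimum length (8 here), a generous
maximum (at least 64), all printable characters allowed, no composition
rules, a check against compromised/common passwords and context-specific
words, and no forced periodic change (rotate only on suspected compromise).
"""
import hashlib
import unicodedata

MIN_LENGTH = 8
MAX_LENGTH = 64

# Constructed stand-in for a breached/common-password blocklist; a real
# deployment loads millions of entries or queries them by hash prefix.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein", "welcome1",
    "iloveyou", "admin123", "password1", "summer2024",
}

# Context-specific words to reject: the service/organisation name (assumed
# here to be "Examplecorp") and obvious fragments of it.
CONTEXT_WORDS = {"examplecorp", "example"}


def normalize(password: str) -> str:
    """NFKC-normalise so visually identical secrets compare equal, as
    SP 800-63B recommends before storing or verifying a secret."""
    return unicodedata.normalize("NFKC", password)


def is_repetitive_or_sequential(pw: str) -> bool:
    """Catch 'aaaaaaaa', '12345678' and 'abcdefgh'-style strings."""
    if len(pw) > 1 and len(set(pw)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps == {1} or steps == {-1}


def check_password(password: str, username: str) -> list[str]:
    """Return the list of policy violations; an empty list means accepted.
    Deliberately no upper/lower/digit/symbol composition requirements."""
    pw = normalize(password)
    lowered = pw.lower()
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in the common/breached password list")
    if username and username.lower() in lowered:
        problems.append("contains the user's own identifier")
    for word in sorted(CONTEXT_WORDS):
        if word in lowered:
            problems.append(f"contains the context-specific word '{word}'")
    if is_repetitive_or_sequential(pw):
        problems.append("repetitive or sequential characters")
    return problems


def pwned_range_query(password: str) -> tuple[str, str]:
    """Split the SHA-1 of the secret into the 5-hex-character prefix that a
    k-anonymity range lookup (the scheme used by the Pwned Passwords API)
    sends, and the suffix that is compared locally against the returned
    list, so the full hash never leaves the machine. No network call here."""
    digest = hashlib.sha1(normalize(password).encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]
```

`check_password("correct horse battery staple", "alice")` returns an empty list, while `check_password("12345678", "bob")` is rejected twice over (blocklisted and sequential). The absence of any complexity rule is intentional: length and the blocklist do more against real cracking than forced symbols do.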
2.4 Email policies
Training on email policies should cover company guidelines for sending emails including:
- when to use email encryption;
- how to send encrypted emails;
- policies for sending and opening attachments;
- alternatives to email for transmitting sensitive information;
- use of the term ‘confidential’ to denote sensitive information in an email; and
- recognizing and reporting phishing attempts in order to maintain email security.
2.5 Website access policies
Training should include information about website access policies and what type of websites should not be accessed.
2.6 Download restrictions
During training, convey to employees any restrictions on what can be downloaded as well as best practices for permissible downloads.
Step 3 – Set out office security measures
3.1 Disclose monitoring by organization
As part of training, your organization should disclose any monitoring that it performs. This disclosure serves several purposes: it can deter would-be malicious insiders, it underscores the company’s efforts to keep data (including employee data) secure, and it helps protect the company against invasion-of-privacy claims by employees or contractors. For instance, if a company discloses that it monitors the use of company computers, employees have no reasonable expectation of privacy when using those computers, and an invasion-of-privacy claim would be difficult to sustain. To avoid ambiguity, make the extent of device monitoring clear: a disclosure that the company monitors which websites employees visit should also state whether the company monitors the emails employees send.
Common monitoring disclosures are as follows:
- use of security cameras;
- monitoring of devices;
- swipe-card monitoring; and
- monitoring of network activity and internet usage.
3.2 Share restricted area policies
Explain to your employees which physical and digital areas are restricted. Employees should understand that there are different levels of access provided to different personnel depending on their role in the organization.
Caution employees not to share their credentials or access tokens, such as computer logins, badges, or swipe cards, with other employees or guests, and not to let others into restricted areas on their own access. Employees often view this type of sharing as benign, but it defeats the access controls that record who did what and can lead to harmful data breaches, so it is an important point to reinforce during training. Provide a contact person to whom employees can direct anyone seeking access to restricted areas.
3.3 Require reporting of unknown persons in office
During training, share the organization’s policies for reporting unknown persons in the office. Training should clearly identify what type of unknown persons to report and how to make a report. For example, in a medical office, unknown persons in the waiting room are an everyday part of business; however, unknown persons accessing computers or lingering in rooms with medical records are highly suspect and should be reported.
Step 4 – Develop phishing awareness
4.1 Explain what phishing is
Phishing is a social engineering attack in which the perpetrator pretends to be a trusted entity such as a bank, utility provider, government agency, or colleague to trick the victim into providing sensitive information or into taking an action, such as opening an attachment or entering a password on a fake login page, that gives the attacker access. Phishing can occur over the phone, by text message, or by email.
4.2 Explain how to identify phishing attempts such as email, spear, and HTTPS phishing
Training should help employees identify common types of phishing attempts and underscore when to seek advice from appropriate professionals in the IT department. Using examples is particularly helpful. Studies have shown that simulation training improves employees’ ability to identify phishing emails.
4.2.1 Email phishing
Email phishing uses an email that appears to come from a legitimate organization to obtain information or to get the recipient to open a malicious attachment or link. In training, emphasize that email is one of the most common delivery channels for phishing against organizations.
Common indicators of phishing emails include:
- requests for sensitive information, such as passwords, account numbers, or Social Security numbers;
- a sense of urgency or a threat (eg, account suspension unless you act within 24 hours);
- misspellings and grammatical issues;
- a sender address that does not match the display name, that uses a public webmail domain such as gmail.com or yahoo.com, or that is a lookalike of a known domain;
- unexpected attachments;
- link text that does not match the address the link actually points to (hovering over the link reveals the destination), or an email whose entire body is a single hyperlink or image; and
- purports to be from an individual you do not know or a business you have not interacted with.
4.2.2 Spear phishing
Spear phishing is phishing directed at a particular individual, such as a specific named employee of a company or the holder of a particular title. These attacks are tailored to their targets: they often use personal information gathered from public sources and spoofed or compromised email addresses to convey an impression of authority, and may impersonate a real executive or supplier. Spear phishing is typically harder to identify than the broad, untargeted email phishing attempts described above.
4.2.3 HTTPS phishing
HTTPS phishing uses websites that carry the HTTPS scheme and browser padlock (markers of an encrypted connection) to lure victims into believing that the website is legitimate, and then uses the site to harvest sensitive information. Training should make clear what the padlock actually means: the connection to the site is encrypted and the certificate matches the domain shown in the address bar, nothing more. Certificates are free and issued automatically, so an attacker can obtain one for any domain they control. A common HTTPS phishing approach is to mimic the website of a legitimate organization using a domain that is a misspelling or near-lookalike of the organization’s name. Because most people still treat the padlock as a sign of safety, awareness of this technique is an important element of training, and employees should be taught to read the domain name itself rather than rely on the padlock.
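As an added example (written for this page, not code from the original checklist), the script below turns the email indicators listed in 4.2.1 and the lookalike-domain pattern described in 4.2.3 into a triage check over a raw message. The organization name and domains, the webmail list, the phrase list and the sample message are all constructed assumptions. Note the last check inside the link loop: the link uses https://, so a browser would show the padlock, yet the host is one character away from the real domain.

```python
"""Phishing-indicator triage over a raw email (added example, not code from
the original checklist). ORG_NAME, ORG_DOMAINS, WEBMAIL_DOMAINS, the phrase
list and SAMPLE are constructed assumptions. The checks follow the 4.2.1
indicators (webmail sender, attachments, mismatched links, credential
requests) and the lookalike domains of 4.2.3: an https:// link to a lookalike
host still shows a padlock, so it is the host name that gets compared."""
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_NAME = "examplecorp"                                   # constructed
ORG_DOMAINS = {"examplecorp.com"}                          # constructed
WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}
CREDENTIAL_PHRASES = ("verify your password", "confirm your account",
                      "within 24 hours", "social security number")
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)
ANCHOR = re.compile(r'<a\b[^>]*?href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def is_trusted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in ORG_DOMAINS)


def is_lookalike(host: str) -> bool:
    """Resembles or embeds a trusted domain without being one, e.g.
    examp1ecorp.com, examplecorp-login.com or examplecorp.com.evil.net."""
    if not host or is_trusted(host):
        return False
    return ORG_NAME in host or any(
        SequenceMatcher(None, host, d).ratio() >= 0.85 for d in ORG_DOMAINS)


def host_of(url: str) -> str:
    url = url if "://" in url else "http://" + url   # bare 'www.x.com' text
    return (urlparse(url).hostname or "").lower()


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyze(raw: str) -> list[str]:
    """Return the phishing indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    if ORG_NAME in name.lower() and not is_trusted(from_dom):
        flags.append(f"display name claims {ORG_NAME} but sender is {addr}")
    if from_dom in WEBMAIL_DOMAINS:
        flags.append(f"sender uses webmail domain {from_dom}")
    if is_lookalike(from_dom):
        flags.append(f"sender domain {from_dom} resembles a trusted domain")
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To goes to {reply_dom}, not the sender's domain")
    body = ""
    for part in msg.walk():          # multipart containers are skipped
        if part.get_content_disposition() == "attachment":
            flags.append(f"unexpected attachment {part.get_filename()}")
        elif part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    for href, inner in ANCHOR.findall(body):
        text, target = re.sub(r"<[^>]+>", "", inner).strip(), host_of(href)
        if URL_LIKE.match(text) and host_of(text) != target:
            flags.append(f"link text shows {host_of(text)} but points to {target}")
        if is_lookalike(target):
            flags.append(f"link target {target} is a lookalike domain "
                         "(https:// alone does not make it legitimate)")
    lowered = (msg.get("Subject", "") + " " + body).lower()
    flags += [f"requests credentials or urgency: '{p}'"
              for p in CREDENTIAL_PHRASES if p in lowered]
    return flags


# Constructed sample: lookalike sender, webmail Reply-To, mismatched link,
# an attachment and a credential request with a deadline.
SAMPLE = """\
From: "Examplecorp IT Support" <it-support@examp1ecorp.com>
Reply-To: helpdesk.examplecorp@gmail.com
Subject: Action required: verify your password within 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Mailbox over quota. Visit <a href="https://examp1ecorp.com/login">https://examplecorp.com/login</a> to verify your password within 24 hours.</p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.zip"

UEsDBAo=
--b1--
"""
```

`analyze(SAMPLE)` returns eight indicators for the constructed message: the impersonating display name, the lookalike sender domain, the webmail Reply-To, the attachment, the link whose visible text names examplecorp.com while it points at examp1ecorp.com, the lookalike link target, and two credential/urgency phrases. The heuristics are intentionally simple and are meant to illustrate the training points; a production filter would add SPF/DKIM/DMARC results and sender reputation.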
4.2.4 Voice phishing
Voice phishing, or vishing, is phishing that works like email phishing but uses a phone call instead of a questionable email. The attacker relies on social engineering, often applies pressure (eg, by threatening account suspension or legal action), and may display a spoofed caller ID, so the number shown on the phone is not proof of who is calling. Employees should be told to hang up and call the organization back on a number they already know before acting on such a request.
Step 5 – Train on data privacy obligations
5.1 Explain data privacy and data security obligations
Training should explain that certain types of information are subject to heightened or additional requirements under privacy and data security laws and related contractual obligations. These requirements will vary based on an organization’s industry and contracts. For example, an organization may have contractually agreed to use certain data security measures. As another example, an individual’s health information is subject to heightened data privacy and security requirements under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). See further How-to Guide: How to determine and apply relevant US privacy laws to your organization.
5.2 Detail privacy and data security compliance requirements
Training should detail an organization’s privacy and data security requirements under governing laws or contracts as well as what employees are required to do to ensure compliance. The goal is not for every employee to become a legal expert. Rather, the goal is for employees to understand the compliance environment in general terms, to have detailed knowledge of the requirements relevant to their role, and to promptly escalate suspicious activity to the appropriate resources within the organization. For detailed information regarding data privacy requirements, see How-to guides: How to determine and apply relevant US privacy laws to your organization and How to develop, implement and maintain a US information and data security compliance program.
Step 6 – Explain reporting and enforcement policies
6.1 What to report
Training should include identifying which activities or occurrences to report. Common occurrences to report include suspicious activity, a known data breach, a suspected data breach, and high-risk events such as loss of a device.
6.2 How to report
Training should include how to report data security and privacy issues, including a named contact to report to, the format for making a report (eg, form, call, etc), and the timeline for reporting. Training should also include where to report issues (eg a webpage, or a designated office). During the training on reporting include reminders that an employee who reports an issue will not be subject to any kind of harassment or retaliation.
6.3 Explain enforcement obligations
Training for managers should explain their obligations for enforcing their direct reports’ compliance with the organization’s data privacy and security policies and procedures.
6.4 Discipline for non-compliance
The type and progression of disciplinary actions for non-compliance should be explained during training. The prospect of disciplinary action conveys the seriousness of failing to comply with data privacy and security requirements and encourages compliance.
6.5 Explain where to direct questions
Employees should be told where they can find and review data privacy and security policies and procedures as well as to whom they should direct questions.
Additional Resources
NIST’s Digital Identity Guidelines (SP 800-63; passwords are covered in SP 800-63B)
Related Lexology Pro Content
How-to guides:
How to determine and apply relevant US privacy laws to your organization
How to manage your organization’s data privacy and security risks
How to implement privacy by design within your organization
How to develop, implement, and maintain a US privacy law compliance program
How to develop, implement and maintain a US information and data security compliance program
How to evaluate the effectiveness of a data security or data privacy compliance program
How to develop a vulnerability disclosure program (VDP) for your organization to ensure cybersecurity
How to draft a privacy policy, and privacy and data security provisions in contracts
How to manage third party supply chain data privacy, security risks, and liability
Incident response plan readiness and identification of a reportable data breach
How to prepare for and respond to a governmental investigation or enforcement action for violation of US privacy laws
Checklists:
Understanding privacy laws in the US
Completing a data privacy risk assessment
Drafting internal privacy policies and procedures
Completing a data and information security risk assessment
Drafting a consumer privacy policy
Developing key privacy and data security contractual terms and provisions (B2C)
Completing a data incident response plan assessment
Responding to a data breach
Privacy and data security due diligence in M&A
Quick views:
Key data privacy and data security terms
Collection and use of non-consumer data
Regulation of data brokers
Reliance on information posted:
While we use reasonable endeavours to provide up to date and relevant materials, the materials posted on our site are not intended to amount to advice on which reliance should be placed. They may not reflect recent changes in the law and are not intended to constitute a definitive or complete statement of the law. You may use them to stay up to date with legal developments but you should not use them for transactions or legal advice and you should carry out your own research. We therefore disclaim all liability and responsibility arising from any reliance placed on such materials by any visitor to our site, or by anyone who may be informed of any of its contents.