Yes! It is the law in more places and circumstances than you suspect.

Late last year, The Wall Street Journal reported on a survey by the Association of Corporate Counsel (“ACC”) that found “employee error” is the most common reason for a data breach. CSOOnline reported on Experian’s 2015 Second Annual Data Breach Industry Forecast, stating:

“Employees and negligence are the leading cause of security incidents but remain the least reported issue.”

According to Kroll, in 31% of the data breach cases it reviewed in 2014, the cause of the breach was a simple, non-malicious mistake. These incidents were not limited to electronic data – about one in four involved paper or other non-electronic data.

No business wants to send letters to individuals – employees or customers – informing them about a data breach. Businesses also do not want to have their proprietary and confidential business information, or that of their clients or customers, compromised. Unfortunately, no “silver bullet” exists to prevent important data from being accessed, used, disclosed or otherwise handled inappropriately – not even encryption. Companies must simply manage this risk through reasonable and appropriate safeguards. Because employees are a significant source of risk, steps must be taken to manage that risk, and one of those steps is training.

It is a mistake to believe that only businesses in certain industries like healthcare, financial services, retail, education and other heavily regulated sectors have obligations to train employees about data security. A growing body of law coupled with the vast amounts of data most businesses maintain should prompt all businesses to assess their data privacy and security risks, and implement appropriate awareness and training programs.

Data privacy and security training can take many forms. Here are some questions to ask when setting up your own program, which are briefly discussed in the report at the link above:

  • Who should design and implement the program?
  • Who should be trained?
  • Who should conduct the training?
  • What should the training cover?
  • How often should training be provided?
  • How should training be delivered?
  • Do we need to document the training?

No system is perfect, however, and even a good training program will not prevent every data incident from occurring. But as a business, the question you will have to answer is not why the company didn’t have a system in place to prevent all inappropriate uses or disclosures. Instead, the question will be whether your safeguards were reasonable under the circumstances.