Increased remote work due to the COVID-19 pandemic has only exacerbated privacy and cybersecurity concerns, and likely has not changed the finding in Experian’s 2015 Second Annual Data Breach Industry Forecast:
Employees and negligence are the leading cause of security incidents but remain the least reported issue.
A more recent state of the industry report by Shred-It, an information security company, found that 47 percent of business leaders said employee error such as accidental loss of a device or document by an employee had caused a data breach at their organization. Moreover, CybSafe, a behavioral security platform, analyzed data from the UK Information Commissioner’s Office (ICO) in 2020 concluded that human error was the cause of approximately 90 percent of data breaches in prior year. This was up from 61% and 87% in 2018 and 2019. The annual half hour phishing training is important, but it may not be sufficient.
No business wants to send letters to individuals – employees or customers – informing them about a data breach. Businesses also do not want to have their proprietary and confidential business information, or that of their clients or customers, compromised. Unfortunately, no “silver bullet” exists to prevent important data from being accessed, used, disclosed or otherwise handled inappropriately – not even encryption. Companies must simply manage this risk though reasonable and appropriate safeguards. Because employees are a significant source of risk, steps must be taken to manage that risk, and one of those steps is training.
It is a mistake to believe that only businesses in certain industries like healthcare, financial services, retail, education and other heavily regulated sectors have obligations to train employees about data security. Recent Department of Labor guidance concerning cybersecurity best practices for retirement plans includes a recommendation to: “Conduct periodic cybersecurity awareness training.” Indeed, a growing body of law coupled with the vast amounts of data most businesses maintain should prompt all businesses to assess their data privacy and security risks, and implement appropriate awareness and training programs.
Data privacy and security training can take many forms. Here are some questions to ask when setting up your own program, which are briefly discussed in the whitepaper at the link above:
- Who should design and implement the program?
- Who should be trained?
- Who should conduct the training?
- What should the training cover?
- When and how often?
- How should training be delivered?
- Should training be documented?
No system is perfect, however, and even a good training program will not prevent data incidents from occurring. But the question you will have to answer for the business is not why didn’t the company have a system in place to prevent all inappropriate uses or disclosures. Instead, the question will be whether the business had safeguards that were compliant and reasonable under the circumstances.