Making Sure the Training Fits the Data

No one wants a data breach. No one wants to be the latest ransomware victim, trying to figure out what bitcoin is so you can pay some guy in Romania to give you access to your own data. No one wants to be that company.

So you no doubt have some kind of security training in place, and that’s important. You must make sure employees know to use different passwords on different platforms — to use a password manager, in fact — and to not click on links in emails unless they’re very, very sure they’re legitimate.

But if your organization isn’t accompanying that security training with privacy training, you’re exposing yourself to significant risk.

Security training teaches your employees about access to data. They should know how to lock the doors to your organization’s house and provide only the proper people with the keys to the front door (and the combination to the safe, perhaps). Privacy training teaches them how to behave themselves while they’re inside the house.

It’s important for employees to know that not all data is the same and that just because you hold data doesn’t mean you can do whatever you want with it. Some data, such as bank account or credit card numbers, is obviously valuable, and employees likely understand that it should be secured. But a health record is worth far more on the black market than a stack of credit card numbers, because a card can be cancelled; it’s hard to change your national ID number or, worse, your fingerprint. In Europe, the Court of Justice has held that even an IP address can be personal data, which must be protected, processed only on a lawful basis, and deleted once it is no longer needed.

As data moves around the world, and as employees and customers interact with organizations over the internet, where it is often impossible to know where the other party physically is, employees need to understand the responsibilities that come with collecting personal data.

In Canada, sending a commercial email without consent (express, or implied through an existing business relationship) can draw a fine. Do you know for sure that your data broker is reliable? The United Kingdom’s regulator penalizes unsolicited marketing texts. Does the list you’re sending to have consent attached to it? In Hong Kong, regulators have investigated banks over statements mailed to the wrong recipients. Does your bulk mail vendor have references?

Employees must be trained to spot potential red flags. If you ask a list of people for their meal preferences and many of them request kosher meals, have you just created a data set that identifies religious affiliation? That data is considered particularly sensitive in many jurisdictions, and losing track of it could be a legal issue, yet an untrained employee might simply leave such a list behind after a corporate banquet.

Privacy training should be role-based. Marketers should understand the ad-buying network, what behavioral targeting really means and how to vet vendors. HR managers should understand the sensitive nature of health data, even data as seemingly innocuous as how many steps someone logged in the corporate fitness challenge. Customer service reps should know how to spot social engineers fishing for details that could answer someone’s account security questions.

Even the information security department needs privacy training, so employees understand the privacy risk they might be taking when they’re setting up access controls or monitoring who logged in to which servers, from which locations, at which times. Someone who understands data minimization will realize such logs need a defined retention period (a month or so is often enough, longer only where incident investigation genuinely requires it) and that location detail can be coarsened or dropped well before the records themselves are deleted. Someone who doesn’t will likely keep them forever, thinking storage is cheap, and thereby maintain a giant database of personal location data for no good reason.
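One way to put that minimization rule into practice for login records, as an added example and not code from the original article: a two-stage policy that first coarsens location fields once records age past a short window, then deletes records outright past a hard cap. The JSON-lines log format, the field names, the `run_demo` entry point and both windows are assumptions for this example; the sample log is constructed.

```python
"""Retention and field-level minimization for server access logs.

Added example, not code from the original article. It assumes a
hypothetical JSON-lines access log with the fields shown in SAMPLE_LOG
(constructed for this example) and a two-stage policy:

  * records older than FULL_DETAIL_DAYS lose their location detail
    (the IP is truncated to a network prefix and the geo field is
    dropped), so the "who logged in from where" history stops
    accumulating;
  * records older than RETENTION_DAYS are deleted outright.

Both windows are assumptions; choose them deliberately with incident
response needs in mind and document the choice.
"""
import ipaddress
import json
from datetime import datetime, timedelta

FULL_DETAIL_DAYS = 30   # assumption: full location detail only for recent investigations
RETENTION_DAYS = 180    # assumption: hard cap on how long any login record is kept

# Constructed sample log (JSON lines); timestamps are UTC ISO-8601.
SAMPLE_LOG = """\
{"ts": "2024-06-01T08:15:00Z", "user": "alice", "server": "db-01", "ip": "203.0.113.42", "geo": "Lisbon, PT"}
{"ts": "2024-04-20T22:05:00Z", "user": "bob", "server": "web-03", "ip": "198.51.100.7", "geo": "Toronto, CA"}
{"ts": "2024-01-10T09:30:00Z", "user": "carol", "server": "web-03", "ip": "2001:db8::1", "geo": "Berlin, DE"}
{"ts": "2023-11-01T12:00:00Z", "user": "alice", "server": "db-01", "ip": "192.0.2.9", "geo": "Lisbon, PT"}
"""


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def truncate_ip(ip: str) -> str:
    """Coarsen an address so it identifies a network, not a host (/24 for v4, /48 for v6)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def minimize_access_log(log_text: str, now: datetime,
                        full_detail_days: int = FULL_DETAIL_DAYS,
                        retention_days: int = RETENTION_DAYS) -> list:
    """Apply the two-stage policy and return the records that survive, in order."""
    kept = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        age = now - parse_ts(rec["ts"])
        if age > timedelta(days=retention_days):
            continue  # past the hard retention cap: delete the record entirely
        if age > timedelta(days=full_detail_days):
            rec["ip"] = truncate_ip(rec["ip"])  # keep enough to spot a hostile network
            rec.pop("geo", None)                # drop the precise location
            rec["minimized"] = True
        kept.append(rec)
    return kept


def run_demo() -> list:
    """Run the policy over the constructed sample as of a fixed date (hypothetical helper)."""
    return minimize_access_log(SAMPLE_LOG, parse_ts("2024-06-15T00:00:00Z"))


if __name__ == "__main__":
    for rec in run_demo():
        print(json.dumps(rec))
```

Run as a scheduled job against the real log store, the same function would delete alice’s November record, strip the geo field and host bits from bob’s and carol’s older logins, and leave the recent record untouched, which is what a documented retention policy looks like in practice rather than as a training slide.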

Perhaps the risk your employee identifies is small. Maybe privacy training turns an unlikely event into a very unlikely event. Avoiding a story in the New York Times about your organization’s “creepy” practices, though, has real value. And it’s the type of event that can only be avoided when you go beyond simply training to avoid a data breach and train your employees about how they can use personal data.
