CCPA Countdown: Are Your Employees Trained and Ready?

Cybersecurity and data privacy compliance is a journey, not an out-of-box, set-it-and-forget-it solution. It needs to be built to fit organically within an organization, and it must be consistently reviewed and revised as the business changes and evolves.

And with the California Consumer Privacy Act of 2018 (“CCPA”), this approach is especially relevant. The CCPA regulatory journey started when it went into effect January 1, 2020. It continues with the Attorney General set to commence enforcement on July 1, 2020. 

As we count down to this next milestone, you should be thinking about key areas of compliance NOW. In our weekly videos, “CCPA Enforcement Countdown: What to do in the final weeks!,” we highlight those key compliance requirements. A top area to address immediately: training.

The CCPA’s Training Requirements

Training is an express requirement of the CCPA: 

“[A] business shall: . . . Ensure that all individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with this title are informed of all requirements in [the CCPA] and how to direct consumers to exercise their rights under those sections.”

Section 1798.130(a)(6); see also Section 1798.135(a)(3). While this training appears, on its face, limited to the handling of consumer inquiries, those consumer inquiries are likely to impact the entire enterprise, involving a number of different business operations and employees in multiple departments. Therefore, for all intents and purposes, this training requirement spans the whole business.

What Should CCPA Training Entail?

While requiring that employees be trained on the CCPA, the regulation itself is very vague on what that training should entail. Like many privacy and security regulations, the details are left to the discretion of the business. The business is also then charged with demonstrating at least a minimum level of reasonable compliance with the language and spirit of the law. 

Drawing support from security and privacy best practices, businesses should consider incorporating the following areas in a CCPA training program:

1. Business-Specific Training Materials

Privacy and security training is not a one-size-fits-all proposition. Each industry has nuances in the data collected, the impact of data regulations, and the systems used that should be uniquely addressed in training. Additionally, each business is unique. The way one business uses email or document storage is likely very different from the way that another business uses these same systems. It is important that training materials are customized to your specific business and operations to ensure that employees understand how your organization is complying, not how the industry itself is complying. Using industry standards is one thing; using standard non-customized training programs is something very different. The worst thing a business can do is use an off-the-shelf solution that does not align with its data collection and processing practices.

2. In-Person Training

Technology is a great resource and has drastically changed the way in which we do business. However, technology has its limitations, and this is dramatically seen in privacy and security training. Yes, you can purchase a solution that provides online, platform-based training. However, nothing can replace in-person, live training customized to the organization’s business practices. Employees can ask questions, and they can run table-top exercises to test their knowledge and understanding of cyber and privacy responsibilities. The key is to find a partner that can create dynamic and engaging training that encourages your employees to embrace security and privacy across the entire business.

Employees are both your greatest asset and your greatest threat. Clicking on a link, wiring the money to a new account, providing a password to the alleged representative from IT: these are all people problems that cannot be mitigated with a technological solution. They require training your employees to take proactive privacy and security steps in their daily operations. Engaging in live training is the best way to obtain that engagement. Watching a video and answering questions at the end is great, but employees are never fully engaged unless they are in a (virtual) classroom with a live person teaching them.

3. Job-Specific Training

Each department has its own operations and works within different systems. As such, it is key that employees receive job-specific security and privacy training. The finance department collects different information and faces different threats than the human resources department. Therefore, one training will not meet the needs of both. Instead, privacy and security training should be designed to address the day-to-day operations of the various departments and roles within the organization. While there may be some overlap, the distinctions will demand training that answers the needs of the different stakeholders, and better prepares those stakeholders to mitigate cyber and privacy risks.

4. Executive-Level Training

Security and privacy training is key for ALL employees, including those at the top of the organization. Executives are just as likely to cause privacy and security exposures via their use of email and other systems. It is important that executives receive security and privacy training that is uniquely tailored to their responsibilities at the organization. In addition to safe system usage, executives need to understand the business risks and strategies around security and privacy. With executive training, company leaders can more effectively prepare for the future and minimize risk in cyber and privacy going forward.   

Do Not Wait, Start to Train Today

With the CCPA enforcement starting on July 1, 2020, employee training should be a top priority. Your employees can receive initial CCPA training, with additional follow-up training as you continue to build your security and privacy program. Our team at XPAN provides extensive and customized training, with certificates of completion, to meet your business needs. Using attorneys who are able to respond to legal questions can help create a more comprehensive and robust training program.

Training = preparedness, so don’t wait! After all, luck favors the prepared! Start training your employees today!

* * * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.