Do Not Hit The Red Button! Making Cybersecurity and Data Privacy Training A Requirement

By Antonia Dumas, Associate at XPAN Law Group LLC

Keep your employees from hitting the red button! Those of you that are fans of The Twilight Zone (Button, Button) or saw the poor modern remake (The Box) may remember the episode with the mysterious box that arrived on someone’s doorstep with only a big red button inside. That button, if pushed, would result in a large prize (only $200,000 in 1986 but $1 million in the remake in 2009) but would result in sequence of unknown consequences and even death. 

In the cybersecurity and data privacy realm, the “red button” can be visualized as the potential actions that your employees may make that can trigger a sequence of events that ultimately puts your business seriously at risk and even failure. You want to keep your employees from becoming successful targets from phishing attacks by choosing to click that enticing link when the circumstances are suspicious or from other risks as a result of poor cybersecurity and data privacy practices. 

Employees must be a priority in your business’ cybersecurity and data privacy management as they are your biggest threat as your companies line in defense. (See my previous post about employees as insider threats here). You need to train your employees and make sure they are aware of potential cybersecurity threats or vulnerabilities, familiar with the business’ existing security and data privacy best practices, and knowledgeable as to when and how to most effectively execute the business’s cybersecurity and data privacy policies and procedures. Not only should employee training regarding security and privacy be a priority for all businesses, but it is becoming a standard practice and/or requirement under data privacy regulations as well as technical control frameworks.  

Employee Training As A Legal Requirement

As the expansion of data privacy regulations and requirements continues internationally and here in the US, specific requirements to establish and maintain employee training and awareness programs have emerged.   

Some domestic laws specifically require a form of employee training or awareness. For example, employee training is required under two laws in the state of New York, both the New York State Department of Financial Services Cybersecurity Requirements (“NYDFS”) and the new “Stop Hacks 2 and Improve Electronic Data Security Act” (“NY Shield Act”). As part of the “reasonable security requirement” under the NY Shield Act, a business is required to implement “reasonable administrative safeguards” which includes the training and management of employees in the business’s security program practices and procedures. (Sec. 899-bb.(2)(b)(ii)(A)(4)). (See more information about the NY Shield Act in our previous blog here). Under the NYDFS, a covered entity is required to provide regular security awareness training to all employees and that training must be updated to reflect risks that have been identified by way of a company risk assessment (also required under the Act). (Sec. 500.14).  Also, the Vermont Data Broker Law further specifies that all employees that must undergo training include temporary and contract employees and that training should be ongoing, i.e., on a regular basis (Sec. 2447). 

The states that have adopted the National Association of Insurance Commissioners (NAIC) issued the Data Security Model Law (MDL-668) (“Model Law”) have generally included employee training as well. As adopted by Michigan, it requires a licensee to conduct employee training and management. (Section 555(d)). As adopted by South Carolina, it also specifies that the training is required to reflect risks identified through a risk assessment, as does the NYDFS. (Sec. 38-99-20). (For more information about the Model Law, see our previous blog post here). 

Further, employee training also appears in  international data privacy law. Under the General Data Protection Regulation (“GDPR”), there is an implied requirement of employee training and “awareness-raising” of  staff that are “involved in processing operations.” Art. 39. The California Consumer Privacy Act (“CCPA”) has drafted its training requirement similarly with an emphasis on training to be provided to “all individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with” the Act. (Sec. 1798.130(a)(6)).

Employee Training As A Cybersecurity Practice 

Even technical standards and frameworks emphasize the importance of making employee training and awareness a priority. For example, the well-known and commonly followed National Institute of Standards and Technology’s Cybersecurity Framework provides “voluntary guidance, based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk.”  Within this framework, it recommends that all users are informed and trained. (NIST CSF, PR.AT-1). Specifically, NIST recommends that cybersecurity awareness and training ensure that personnel and partners are “adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.” (NIST CSF, PR.AT). 

So, if both data privacy compliance and technical cybersecurity standards call for employee training and awareness as a requirement for all business and for all types of employees, then your business should make it a priority.

What Should Your Training and Awareness Program Include?

An efficient training and awareness program should address applicable legal requirements and technical standards as well as ensure that your employees walk out of the training sessions with the necessary knowledge in cybersecurity and data privacy to best protect your business. 

Key Items To Meet Legal Requirements and Technical Standards

Overall, you should consider these items when creating an employee training and awareness program: 

  1. Create an on-going training program that provides initial training as well as on a regular basis; 
  2. Include training requirement for permanent and temporary employees, as well as independent contractors; 
  3. Make sure training addresses identified company risks; 
  4. Make sure training covers data subjects rights and handling of consumer inquiries and/or complaints (if applicable); and 
  5. Ensure that training materials are continuously updated and refresher trainings are provided. 

Key Items That Your Employees Should Know

Employees should have a general understanding of cybersecurity and data privacy issues, knowledge of the business’s cybersecurity and privacy practices, and specific departmental and/or role-based requirements in order to meet the business’ policies and procedures. 

Overall, your employees should walk out of the training sessions with a knowledge of at least the following:

  1. Data (generally); 
  2. Data that requires protection (e.g., sensitive data); 
  3. Data processing activities (and their implications); 
  4. Suspect activities (potential cybersecurity incidents/breaches or data privacy risks);
  5. Risk and vulnerabilities of sharing with or receiving data from third-parties (and the use of third-party services); and 
  6. Your business’s security and data privacy policies and procedures (and any updates). 

Here at XPAN, we encourage our clients to develop cybersecurity and data privacy training programs to provide awareness-raising and training of staff (new and existing employees, permanent or temporary) that are involved in data processing activities. We also emphasize the importance of continued reinforcement to ensure that employees maintain an understanding of the business’s data privacy policies and practices. 

Further, XPAN provides company tailored cybersecurity training and education programs to its clients in addition to its general cybersecurity, data privacy, GDPR compliance, information governance, mergers and acquisitions, and e-discovery services. (For more information, please contact us.) 

So, make security and privacy training a priority today and better protect your business and your data. And remember, luck favors the prepared!

* * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.