Privacy Advisor

This month on the Privacy List

September 1, 2011

By Jedidiah Bracy, CIPP

Among the many topics hashed out among Privacy List subscribers in the past month, two of the most robust issues involved data breach notification and organization-wide privacy and security training.

Navigating the myriad legal frameworks surrounding data breach notification

U.S. lawmakers have been proposing draft legislation that would standardize data breach notification, but until such a law is passed, many privacy professionals grapple with how to navigate and address obligations in multiple state-level jurisdictions.

As was reported in The Privacy Advisor last month, institutions of higher education hold vast amounts of personal—and, often, sensitive—information about their student bodies, employees and alumni. Additionally, during a time in which data breaches proliferate, distance learning, notes one privacy pro, has become a viable and convenient option for more students than ever before.

“My understanding,” writes the privacy pro, “is that all entities have to provide breach notifications, whether it’s a corporation or an educational institution that has been breached.”

“Can you tell me,” she queries, “if your attorneys have determined that you have to comply with all 50 (or 46) state requirements rather than merely your own state?”

From a legal perspective, replies one expert, the answer is, “It depends,” adding, “Some data breach notification laws have extraterritorial reach, and some do not.”

“If you determine,” the privacy pro continues, “that you have to send notice to some, you may want to consider sending notice to all—even if some of them live in the states that don’t have data breach notification laws.”

Yet, with the variety of state-level legal obligations, another privacy pro points out that “ultimately it would be a question that really has to be answered by an attorney familiar with the facts of each specific situation.”

Practical considerations resound for several subscribers who chimed in, saying that for many organizations, resources are scarce. This point is reinforced by a privacy pro representing an institution of higher education. “We do not have the resources to study each state or country and alter our notices or procedures to make subsets of our notifications fit various state or foreign country requirements.”

“We are short on resources as well,” echoes another subscriber, adding, “We have also tried to get ahead of the game where we can and notify the local/regional media where appropriate.”

One privacy pro foresees an industry-wide notification standard, but warns, “the thing to watch out for is that some states have different standards regarding what the notice has to say.”

For example, a Privacy List subscriber notes that their organization—located in Connecticut—takes the language of neighboring Massachusetts’ state law into consideration because “a large number of our constituents reside there.”

Generating an Employee Privacy and Security Training Program

It is clear that more organizations are implementing privacy and security training for their employees. Issues including training focus, frequency and duration were covered in one such Privacy List discussion.

“Does your company combine the delivery of training on privacy and information security,” asked one participant. “How often do you train on each area?”

With more than 10 replies, the thread raised a plethora of tips for privacy professionals attempting to introduce company-wide privacy and security training programs—or, what some would call a “privacy culture.”

More than half of the respondents said they combine their privacy and security training programs and require employees to undergo training at least once a year. Most reported that new employees are given initial training as well.

Many respondents also provide specialized training for specific departments, such as healthcare or financial, as well as “periodic face-to-face trainings as it becomes necessary for specific issues.”

Several respondents included time lengths of training modules—for example, 90 minutes for initial training and 30 minutes annually. One privacy expert described efforts “to alternate live vs. online and occasionally bring in other privacy people as ‘guest speakers’ to give a new perspective and keep it interesting.”

One privacy pro notes his company conducts a “risk assessment at each location every three years,” which introduces a “component of education for the staff in each location. This allows the staff to see and get to know the CPO and CSO. We find this very useful to identify issues and let people ask questions.”

The privacy pro added that this provides “more bang for the buck with face-to-face training” because employees “tend to ask more questions during and after the presentation.” Additionally, they are developing targeted learning modules, lasting about five minutes, to train employees on topics such as “how do I secure PHI in my car.”

Another privacy pro provided a detailed analysis of his company’s training program, noting that in some areas “the line between privacy and information security is blurred.” Describing an internal/external paradigm, the privacy pro discloses specific areas where only privacy or information security is addressed. 

“The internal/external model,” writes the privacy pro, “requires that an organization’s privacy team be tuned in to the external influencers and also have a strong understanding of the organization’s operating structure, how that structure drives work flow and when changes to the structure or work flow impact privacy.”

Describing the combination of privacy and security training, another privacy pro sums up the discussion: “Clearly, no one-size-fits-all, but on the whole, I find great value in the synergy of these two topics.”

 

To participate in Privacy List discussions, or to view list archives, visit the IAPP Web site. The Privacy List is a free service for IAPP members only.