Data privacy has matured over the last five years; notably with GDPR, the California Consumer Privacy Act (CCPA) and other legislation throughout the world. In my previous blog on reasonable and appropriate security, I noted that privacy legislation requires specifically training users who have access to personal data. But it’s also worth incorporating privacy training into your general security awareness program. In this post, we explore some reasons why and how to do it.
Privacy and Security Are Intertwined
There are few people who think about the relationship between privacy and security more than Professor Daniel J. Solove, a law professor at George Washington University Law School and founder of TeachPrivacy, a company that provides computer-based privacy and data security training. In a recent interview, Solove emphasised how intertwined privacy and security really are:
“Privacy and data security go hand-in-hand…You can have the most impregnable safe, but if you give out the combination to too many people and don’t control how they use the data, then the data won’t be protected.”
And this connection, he pointed out, is reflected in the law. “Many privacy and security laws are intertwined,” he said. “The security protections under HIPAA are not just in the HIPAA Security Rule—there are security provisions in the HIPAA Privacy Rule as well.”
And while he insisted that “privacy and security have sometimes become siloed to the detriment of each,” he also acknowledged that privacy laws can bring new security challenges. “The CCPA allows people to contact companies to exercise their rights, but companies must figure out a way to verify the identities of those making the requests.”
Security Awareness vs. Privacy Awareness
What does privacy awareness training consist of, and how is it different from security awareness training? Put simply, security awareness training deals with the people elements of the CIA (Confidentiality, Integrity and Availability) Triad, ensuring that users are aware of how their actions can affect the security and privacy of the organisation’s data.
For privacy awareness, users need to understand that their customers, partners and employees have specific rights and should expect reasonable protection of their personal information. The organisation also probably needs to support the legislative requirements of many industries, states and countries. Various privacy laws impose different responsibilities on organisations; these responsibilities include governance provisions, documentation, vendor management, risk analysis and more.
As with security awareness training, privacy awareness training needs deep domain expertise to ensure it provides appropriate and relevant training and awareness. The privacy profession, guided by organisations such as IAPP, rigorously tracks privacy legislation and enforcement.
Privacy training provides guidance on the use, access and transfer of personal data, and data subject rights (the right to be forgotten, the right to access and other rights). Providing one example, Solove explains that, “privacy involves who should have access to data; security involves how to ensure that the access is appropriately provided to the right people…several laws define data breaches quite broadly to encompass improper access to personal data even by employees of an organisation. Privacy training teaches employees about appropriate access and use of personal data, which can help prevent such breaches.”
How an Integrated Solution Can Fulfill Security and Privacy Needs
Organisations are recognising that their privacy and security training must be integrated for three main reasons. First, managing, administering and supporting two separate platforms is not efficient or cost-effective. Second, security awareness training now includes extensive privacy and compliance training, sourced from experts around the world. Finally, and most importantly, a centralised platform enables the organisation to carefully control who gets what training when.
Users can easily grow numb to excessive training—the time requirements must be carefully managed. With targeted content and centralised administration, security and privacy awareness training can be assigned and monitored based on the privacy and security needs of the organisation; avoiding the ineffective ‘one-size fits all’ approach that can be burdensome to users and training administrators.
The way forward is security awareness training that includes privacy content from privacy experts. Proofpoint recently announced the acquisition of The Defence Works and a partnership with Solove’s company, TeachPrivacy, adding additional variety, formats and more extensive compliance content to the Proofpoint security awareness training platform.
To learn more, please watch our on-demand webinar (co-hosted by TeachPrivacy), “Privacy and Security: Two Challenges, One Solution.”