January 27, 2022
A growing demand by consumers for transparency and control over their personal data is resulting in more data privacy laws intended to safeguard their sensitive information. Beyond laws and regulations, there is the human factor. One misstep by an employee using a weak password, falling for a phishing scam or browsing a fraudulent website can put consumer information at risk and result in angry customers, costly fines and potential lawsuits. Training employees on how to properly access, use and share consumer data is essential to meeting customer expectations and government regulations.
A study conducted by Ponemon Institute, a research center dedicated to privacy, data protection and information security policy, found that 40% of remote and hybrid workers spend time in coffee shops and shared workspaces, where unsecured Wi-Fi networks and prying eyes can put data privacy at risk.
To ensure customer data remains private, organizations need employees working onsite, remotely or in a hybrid model to be aware of how to properly handle sensitive information and prevent unauthorized access.
To raise employee awareness, data privacy and information security training should cover six topics.
- Recognizing personally identifiable information (PII)
Personally identifiable information, or PII, is any information that can be used to identify an individual and therefore must be handled differently to protect privacy. It includes someone’s name, social security number, home address, phone number and personal email address. PII is often found in customer, financial, credit, health and education records, as well as in email communications.
- Complying with data privacy laws
Privacy laws require organizations to disclose their data collection efforts and to follow security requirements that protect personal data, and they impose penalties for data breaches. They include California’s Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR), which give consumers more control over how businesses collect, use and share their personal information. Additionally, the Health Insurance Portability and Accountability Act (HIPAA) and the Texas Medical Privacy Act (TMPA) regulate how protected health information (PHI) is stored, used and transmitted.
- Avoiding fraudulent emails and websites
Hackers frequently use phishing emails and phony websites to steal sensitive information and gain access to an organization’s network and data. Employees need to be able to distinguish genuine email requests and websites from fake ones that attempt to trick them into disclosing information, downloading files or clicking on a link.
- Keeping passwords secret
Organizations should have policies in place for choosing a unique password and using multi-factor authentication when accessing private consumer or employee data. Careless practices, like weak passwords, sharing computer credentials, using the same password across multiple systems or platforms and not signing out when away from your laptop, give hackers an opening to steal sensitive information.
- Maintaining visual privacy
Employees should be aware of their surroundings to protect sensitive information in physical documents or on an exposed screen. Laptops, smartphones and paper documents should not be left unattended. Follow your organization’s policy for record retention and use approved methods to dispose of old records containing personal information, such as shredding paper files or securely erasing electronic files.
- Reporting a data breach
Unfortunately, data breaches can occur despite training, firewalls and security software, and time is of the essence when responding to them. Data privacy training should explain how employees should immediately report a suspected compromised device or data breach.
Organizations can’t afford to treat data privacy as an afterthought. Protecting consumer data privacy is everyone’s job and starts with training to identify what sensitive data is, how to manage and protect it, and what the appropriate response is in case of a breach.