Among the many topics hashed out among Privacy List subscribers in the past month, two of the most robust issues involved data breach notification and organization-wide privacy and security training.

Navigating the myriad legal frameworks surrounding data breach notification

U.S. lawmakers have been proposing draft legislation that would standardize data breach notification, but until such a law is passed, many privacy professionals grapple with how to navigate and address obligations in multiple state-level jurisdictions.

As was reported in The Privacy Advisor last month, institutions of higher education hold vast amounts of personal—and, often, sensitive—information about their student bodies, employees and alumni. Additionally, one privacy pro notes, at a time when data breaches proliferate, distance learning has become a viable and convenient option for more students than ever before.

“My understanding,” writes the privacy pro, “is that all entities have to provide breach notifications, whether it’s a corporation or an educational institution that has been breached.”

“Can you tell me,” she queries, “if your attorneys have determined that you have to comply with all 50 (or 46) state requirements rather than merely your own state?”

From a legal perspective, replies one expert, the answer is, “It depends,” adding, “Some data breach notification laws have extraterritorial reach, and some do not.”

“If you determine,” the privacy pro continues, “that you have to send notice to some, you may want to consider sending notice to all—even if some of them live in the states that don’t have data breach notification laws.”

Yet, with the variety of state-level legal obligations, another privacy pro points out that “ultimately it would be a question that really has to be answered by an attorney familiar with the facts of each specific situation.”

Several subscribers who chimed in raised practical considerations, saying that for many organizations, resources are scarce. This point is reinforced by a privacy pro representing an institution of higher education. “We do not have the resources to study each state or country and alter our notices or procedures to make subsets of our notifications fit various state or foreign country requirements.”

“We are short on resources as well,” echoes another subscriber, adding, “We have also tried to get ahead of the game where we can and notify the local/regional media where appropriate.”

One privacy pro foresees an industry-wide notification standard, but warns, “the thing to watch out for is that some states have different standards regarding what the notice has to say.”

For example, a Privacy List subscriber notes that their organization—located in Connecticut—takes the language of neighboring Massachusetts’ state law into consideration because “a large number of our constituents reside there.”

Generating an Employee Privacy and Security Training Program

It is clear that more organizations are implementing privacy and security training for their employees. Issues including training focus, frequency and duration were covered in one such Privacy List discussion.

“Does your company combine the delivery of training on privacy and information security,” asked one participant. “How often do you train on each area?”

With more than 10 replies, the thread raised a plethora of tips for privacy professionals attempting to introduce company-wide privacy and security training programs—or, what some would call a “privacy culture.”

More than half of the respondents said they combine their privacy and security training programs and require employees to undergo training at least once a year. Most reported that new employees are given initial training as well.

Many respondents also provide specialized training for specific departments, such as healthcare or financial, as well as “periodic face-to-face trainings as it becomes necessary for specific issues.”

Several respondents included time lengths of training modules—for example, 90 minutes for initial training and 30 minutes annually. One privacy expert described efforts “to alternate live vs. online and occasionally bring in other privacy people as ‘guest speakers’ to give a new perspective and keep it interesting.”

One privacy pro notes that his company conducts a “risk assessment at each location every three years,” which introduces a “component of education for the staff in each location. This allows the staff to see and get to know the CPO and CSO. We find this very useful to identify issues and let people ask questions.”

The privacy pro added that this provides “more bang for the buck with face-to-face training” because employees “tend to ask more questions during and after the presentation.” Additionally, his company is developing targeted learning modules, lasting about five minutes, to train employees on topics such as “how do I secure PHI in my car.”

Another privacy pro provided a detailed analysis of his company’s training program, noting that in some areas “the line between privacy and information security is blurred.” Describing an internal/external paradigm, the privacy pro discloses specific areas where only privacy or information security is addressed.

“The internal/external model,” writes the privacy pro, “requires that an organization’s privacy team be tuned in to the external influencers and also have a strong understanding of the organization’s operating structure, how that structure drives work flow and when changes to the structure or work flow impact privacy.”

Describing the combination of privacy and security training, another privacy pro sums up the discussion: “Clearly, no one-size-fits-all, but on the whole, I find great value in the synergy of these two topics.”

The Privacy List is a free service for IAPP members only.

Written By

Jedidiah Bracy, CIPP/E, CIPP/US
