By Angelique Carson, CIPP/US

A survey taken over several years has found that out of 165,000 employees, 93 percent knowingly violate policies designed to prevent data breaches. Financial Times reported that the survey also found senior executives to be the worst offenders.

Privacy professionals burn the midnight oil crafting policies in line with best practices, laws and regulations that they believe will keep the company safer from breaches or malicious attacks. But such policies don’t stand a chance at protecting consumer data—and, subsequently, a company’s pockets and reputation—if the employees charged with practicing model data-steward behavior couldn’t care less about doing so.

So how can a company ensure that its people are complying with the policies it promises to practice?

Peter Lefkowitz, vice president and chief privacy officer at Oracle, says the major obstacle is comprehension.

“It’s quite likely that this is a problem of the policy’s appearance being too complex, hard to understand and not fitting into the roles the employees have,” he said. “My experience has been most employees are happy to comply with policy, but the policies need to be made understandable; the policies need to be communicated to employees, and employees need to be trained on the policies in a way that fits what their job is.”

At Oracle, all 100,000 employees undergo a training course that involves a survey on the nature of their roles at the organization, which then aligns them with the correct track in the course—whether that be finance, executives, developers or consultants, for example.

Additionally, the system is structured in a way that makes it easy for employees to comply; permissions to access certain data sets are designated by role.

“If you set up a system in such a way that everyone has access to everything, and then you throw a bunch of rules at people, it’s much harder to comply,” Lefkowitz said.

He added that it’s also important that policies be digestible.

“Sometimes, it’s a simple problem of employees not knowing where to go for the answer,” he said.

Tying Risk-Management to Employee Compensation

Stefan Weiss, CIPP/US, is global data protection officer at Swiss Re, one of the largest reinsurance companies worldwide and employing 10,000 globally. The company’s philosophy on breach incidents is akin to a risk management approach. In the reinsurance world you plan, for example, for natural disasters; such events are inevitable. But it’s the action plan that follows that will determine the breadth of the damage.

“You’re going to have earthquakes; that’s a given,” Weiss said. “But once you have them, what do you do about it? Can you have a reporting mechanism next time to alert people earlier, can you make people aware of what they are supposed to do when something like that happens? You have risks; you have incidents. We will never have a world without any breaches. But it’s more important to measure the behavior around these things than only measuring mistakes or glitches in a system.”

In that vein, the company has introduced a novel approach to compliance risk—including data protection—by making 125 identified key risk-takers, or top managers, responsible for managing substantial risk, assessing their performance in this task and considering their risk management performance when making compensation decisions. This compensation framework, while it also fulfills regulatory requirements, measures risk and compliance behaviors, tying them into the manager’s end-of-year bonus potential. One crucial aspect on data protection risks is whether managers have reported incidents and mitigated the associated risks.

“It’s measuring risk- and control-related behavior,” Weiss said. “It’s handling things, bringing things to the surface via discussions with myself and others in the business. It’s more important that people actually report incidents than keeping them for themselves.”

Aside from data incidents, managers are also required to maintain vigilance holistically.

“Say someone has a new system here that needs to be implemented, and I can see it’s in conflict with our data protection policy. So what do I do?” Weiss said. “If it cannot be immediately answered, we open a dialogue, solve the issue and the person who brought it up always keeps the responsibility for it.”

The managers are not graded, however, on the number of incidents raised. Rather, it’s a perception of “do they have a risk and control mindset,” Weiss said, “and do they even care?” For example, if issues are known but the risks are not mitigated and they do not get reported for an entire year, it could affect their performance incentive negatively. But finding issues, reporting them and managing them could have an upside effect.

“If you have made an error, and you didn’t report it, and didn’t do anything to solve the issue, then that’s bad. It is all about being aware of risks and proactively discussing what can be done to prevent an incident next time. That’s when it minimizes the risk situation for the company, and that’s when you do something good, and that is rewarded,” he said.

When a risk is raised at Swiss Re, it’s flagged and rated depending on its potential impact to the company. Then a mitigation plan is enacted.

“Most breaches happen because of behavior—an e-mail sent wrong to somebody who hadn’t thought about it and included sensitive data in error. It’s behavior. How can you stop it? You can never stop it 100 percent, but you can make people aware about the risks. That is important,” Weiss said.

Building Relationships, Emphasizing Long-term Success

Andrew Bloom, CIPP/US, CIPP/IT, of the Graduate Management Admission Council (GMAC) said it all comes down to building relationships. Privacy professionals “can’t just push down policies and expect employees to follow them.”

GMAC, a company of about 150 employees, personalizes the investment in privacy in a number of ways. First, employees receive privacy training during an initial meeting with a security officer, then an orientation within the first two weeks of employment. From there, employees working with international data laws receive specific and in-depth training from Corporate Counsel and Chief Privacy Official Allen Brandt, CIPP/US, CIPP/E.

Additionally, GMAC involves more than just those employees with “privacy pro” titles in privacy education. For example, the company recently sent its VP of product development to an IAPP conference.

“So it’s not just the privacy people going. We had someone who is actually intimately involved in developing products. Privacy is not their job, but it sends the message, ‘look, privacy is everyone’s job here.’”

Bloom said privacy messages are reinforced by intranet blogs, chats in the lunchroom or visits to a colleague’s desk.

“Sometimes it’s personal, so it’s not even work-related. But it’s just the thought you keep privacy and security on your mind because it makes it important for them, because if they are thinking about it in their life, they are also going to bring that into work.”

For smaller companies, Bloom recognizes, crafting such relationships is easier than at larger companies.

“But in those cases, professionals should find key individuals with whom to build relationships and then count on them to spread the word. This one-on-one contact provides a greater return on investment than just about anything we do,” he said.

Measuring Success

Dan Frank from Deloitte & Touche LLP says measuring success when it comes to employee compliance with data protection policies all boils down to having a formal security and privacy metrics, monitoring and reporting process. This includes defining the metrics associated with policy violations, a formal process and methods for collecting such metrics, reports that can be used to summarize the metrics and a process for periodically communicating metrics and reports to executive management.

Frank mentions a few considerations that can help promote compliance with policies.

First, employee training and awareness programs are essential. A drafted policy isn’t enough.

“The average employee is not typically going to review an organization’s policies on a periodic basis. There is nothing to drive them to do so,” he said.

Rather, policies should be supplemented with formal training programs as well as an annual awareness plan and corresponding awareness campaign, be it through newsletters, computer-based training, e-mails or intranet posts. 

“Consistent communication and reinforcement through training and awareness is essential to changing employee day-to-day behavior and making privacy and security a part of organizational culture,” Frank said.

Frank said data loss prevention solutions are increasingly being used to monitor, detect and respond to organizational policy violations, such as sending or storing sensitive data insecurely.

“These solutions can help drive down undesirable behaviors in several ways,” he said. “For example, e-mail notification to the individual who has violated policy; notification to the individual’s manager; blocking, encrypting or quarantining of sensitive information transmissions; movement of sensitive information to more secure storage locations, blocking the movement of sensitive information to external flash drives, etc.”
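One way to turn the response ladder Frank lists into working rules, added here as an illustration and not code from the article or any DLP product it mentions: the Python below classifies a few constructed outbound events, escalates repeat senders to their manager, and rolls the outcomes into the per-violation metrics the Measuring Success section calls for. The detection patterns, the Luhn check, the domain name and the escalation threshold are assumptions.

```python
import re
from collections import Counter
INTERNAL_DOMAIN = "example.com"  # assumed corporate mail domain
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")  # 13-16 digits, spaces/dashes allowed
# Constructed outbound events as (sender, destination, channel, body).
SAMPLE_EVENTS = [
    ("alice@example.com", "bob@example.com", "email", "Q3 forecast attached, thanks"),
    ("alice@example.com", "partner@outside.example", "email", "card 4111 1111 1111 1111 for the refund"),
    ("carol@example.com", "E:\\export.csv", "usb", "payroll export, SSN 123-45-6789"),
    ("alice@example.com", "partner@outside.example", "email", "re-sending card 4111111111111111"),
]

def luhn_ok(digits):
    """Luhn checksum, so a random run of digits is not reported as a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0
def classify(body):
    """Return the sensitive-data types found in a message body."""
    found = ["ssn"] if SSN_RE.search(body) else []
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(body)):
        found.append("card")
    return found

def evaluate(events):
    """Apply the response ladder per event; repeat senders escalate to their manager."""
    violations, results = Counter(), []
    for sender, dest, channel, body in events:
        found = classify(body)
        if not found:
            results.append({"sender": sender, "findings": [], "actions": ["allow"]})
            continue
        violations[sender] += 1
        actions = ["notify_sender"]
        if violations[sender] > 1:
            actions.append("notify_manager")
        if channel == "usb":
            actions.append("block_usb")      # stop the copy to an external flash drive
        elif not dest.endswith("@" + INTERNAL_DOMAIN):
            actions.append("quarantine")     # hold the external transmission for review
        else:
            actions.append("encrypt")        # internal mail may go, but protected
        results.append({"sender": sender, "findings": found, "actions": actions})
    return results
def summarize(results):
    """Violation metrics for the periodic report to executive management."""
    return Counter(a for r in results for a in r["actions"] if a != "allow")
```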

Additionally, periodic risk assessments should be performed by organizations to assess for people-, process-, and technology-related risks, he said.

“Without such risk assessments, it’s difficult to know whether policies are being followed. It is equally important to communicate and report on identified risks to executive management and define correct actions and solutions to address high-risk areas where policy violations appear to be occurring,” he said.

There should also be disciplinary measures.

“There has to be some sort of impact to employees for repeated violations of organizational policy,” he said, adding that integrating policy-compliance considerations into an organization’s performance management process can also be helpful.

In the end, GMAC’s Bloom said, you’ve got to make sure employees understand that caring about privacy is important not only for mitigating risks but for success.

“My job is not to stop them from doing their job; my job is to help them do their job in the right way, and sometimes I even say that to them,” he said. “I’m always very upfront, and we found that the more and more we work with people in this way, it creates respect. We’ve helped them do their job, and a lot of times, we actually make suggestions that help them do what they’re doing better. As long as the business succeeds, we succeed.”
