A survey taken over several years has found that out of 165,000 employees, 93 percent knowingly violate policies designed to prevent data breaches. Financial Times reported that the survey also found senior executives to be the worst offenders.

Privacy professionals burn the midnight oil crafting policies in line with best practices, laws and regulations that they believe will keep the company safer from breaches or malicious attacks. But such policies don’t stand a chance at protecting consumer data—and, subsequently, a company’s pockets and reputation—if the employees charged with practicing model data-steward behavior could care less about doing so.

So how can a company ensure that its people are complying with the policies it promises to practice?

Peter Lefkowitz, vice president and chief privacy officer at Oracle, says the major obstacle is comprehension.

“It’s quite likely that this is a problem of the policy’s appearance being too complex, hard to understand and not fitting into the roles the employees have,” he said. “My experience has been most employees are happy to comply with policy, but the policies need to be made understandable; the policies need to be communicated to employees, and employees need to be trained on the policies in a way that fits what their job is.”

At Oracle, all 100,000 employees undergo a training course that involves a survey on the nature of their roles at the organization, which then aligns them with the correct track in the course—whether that be finance, executives, developers or consultants, for example.

Additionally, the system is structured in a way that makes it easy for employees to comply; permissions to access certain data sets are designated by role.

“If you set up a system in such a way that everyone has access to everything, and then you throw a bunch of rules at people, it’s much harder to comply,” Lefkowitz said.

He added that it’s also important that policies be digestible.

“Sometimes, it’s a simple problem of employees not knowing where to go for the answer,” he said.

Tying Risk-Management to Employee Compensation

Stefan Weiss, CIPP/US, is global data protection officer at Swiss Re, one of the largest reinsurance companies worldwide and employing 10,000 globally. The company’s philosophy on breach incidents is akin to a risk management approach. In the reinsurance world you plan, for example, for natural disasters; such events are inevitable. But it’s the action plan that follows that will determine the breadth of the damage.

“You’re going to have earthquakes; that’s a given,” Weiss said. “But once you have them, what do you about it? Can you have a reporting mechanism next time to alert people earlier, can you make people aware of what they are supposed to do when something like that happens? You have risks; you have incidents. We will never have a world without any breaches. But it’s more important to measure the behavior around these things than only measuring mistakes or glitches in a system.”

In that vein, the company has introduced a novel approach to compliance risk—including data protection—by making 125 identified key risk-takers, or top managers, responsible for managing substantial risk, assessing their performance in this task and considering their risk management performance when making compensation decisions. This compensation framework, while it also fulfills regulatory requirements, measures risk and compliance behaviors, tying them into the manager’s end-of-year bonus potential. One crucial aspect on data protection risks is whether managers have reported incidents and mitigated the associated risks.

“It’s measuring risk- and control-related behavior,” Weiss said. “It’s handling things, bringing things to the surface via discussions with myself and others in the business. It’s more important that people actually report incidents than keeping them for themselves.”

Aside from data incidents, managers are also required to maintain vigilance holistically.

“Say someone has a new system here that needs to be implemented, and I can see it’s in conflict with our data protection policy. So what do I do?” Weiss said. “If it cannot be immediately answered, we open a dialogue, solve the issue and the person who brought it up always keeps the responsibility for it.”

The managers are not graded, however, on the number of incidents raised. Rather, it’s a perception of “do they have a risk and control mindset,” Weiss said, “and do they even care?” For example, if issues are known but the risks are not mitigated and they do not get reported for an entire year, it could affect their performance incentive negatively. But finding issues, reporting them and managing them could have an upside effect.

“If you have made an error, and you didn’t report it, and didn’t do anything to solve the issue, then that’s bad. It is all about being aware of risks and proactively discussing what can be done to prevent an incident next time. That’s when it minimizes the risk situation for the company, and that’s when you do something good, and that is rewarded,” he said.

When a risk is raised at Swiss Re, it’s flagged and rated depending on its potential impact to the company. Then a mitigation plan is enacted.

“Most breaches happen because of behavior—an e-mail sent wrong to somebody who hadn’t thought about it and included sensitive data in error. It’s behavior. How can you stop it? You can never stop it 100 percent, but you can make people aware about the risks. That is important,” Weiss said.

Building Relationships, Emphasizing Long-term Success

Andrew Bloom, CIPP/US, CIPP/IT, of the Graduate Management Admission Council (GMAC) said it all comes down to building relationships. Privacy professionals “can’t just push down policies and expect employees to follow them.”

GMAC, a company of about 150 employees, personalizes the investment in privacy in a number of ways. First, employees receive privacy training during an initial meeting with a security officer, then an orientation within the first two weeks of employment. From there, employees working with international data laws receive specific and in-depth training from Corporate Counsel and Chief Privacy Official Allen Brandt, CIPP/US, CIPP/E.

Additionally, GMAC involves more than just those employees with “privacy pro” titles in privacy education. For example, the company recently sent its VP of product development to an IAPP conference.

“So it’s not just the privacy people going. We had someone who is actually intimately involved in developing products. Privacy is not their job, but it sends the message, ‘look, privacy is everyone’s job here.’”

Bloom said privacy messages are reinforced by intranet blogs, chats in the lunchroom or visits to a colleague’s desk.

“Sometimes it’s personal, so it’s not even work-related. But it’s just the thought you keep privacy and security on your mind because it makes it important for them, because if they are thinking about it in their life, they are also going to bring that into work.”

For smaller companies, Bloom recognizes, crafting such relationships is easier than at larger companies.

“But in those cases, professionals should find key individuals with which to build relationships and then count on them to spread the word. This one-on-one contact provides a greater return on investment than just about anything we do,” he said.

Measuring Success

Dan Frank from Deloitte & Touche LLP says measuring success when it comes to employee compliance with data protection policies all boils down to having a formal security and privacy metrics, monitoring and reporting process. This includes defining the metrics associated with policy violations, a formal process and methods for collecting such metrics, reports that can be used to summarize the metrics and a process for periodically communicating metrics and reports to executive management.

Frank mentions a few considerations that can help promote compliance with policies.

First, employee training and awareness programs are essential. A drafted policy isn’t enough.

“The average employee is not typically going to review an organization’s policies on a periodic basis. There is nothing to drive them to do so,” he said.

Rather, policies should be supplemented with formal training programs as well as an annual awareness plan and corresponding awareness campaign, be it through newsletters, computer-based training, e-mails or intranet posts. 

“Consistent communication and reinforcement through training and awareness is essential to changing employee day-to-day behavior and making privacy and security a part of organizational culture,” Frank said.

Frank said data loss prevention solutions are increasingly being used to monitor, detect and respond to organizational policy violations, such as sending or storing sensitive data insecurely.

These solutions can help drive down undesirable behaviors in several ways,” he said.
For example, e-mail notification to the individual who has violated policy; notification to the individual’s manager; blocking, encrypting or quarantining of sensitive information transmissions; movement of sensitive information to more secure storage locations, blocking the movement of sensitive information to external flash drives, etc.”

Additionally, periodic risk assessments should be performed by organizations to assess for people-, process-, and technology-related risks, he said.

“Without such risk assessments, it’s difficult to know whether policies are being followed. It is equally important to communicate and report on identified risks to executive management and define correct actions and solutions to address high-risk areas where policy violations appear to be occurring,” he said.

There should also be disciplinary measures.

“There has to be some sort of impact to employees for repeated violations of organizational policy,” he said, adding that integrating policy-compliance considerations into an organization’s performance management process can also be helpful.

In the end, GMAC’s Bloom said, you’ve got to make sure employees understand that caring about privacy is important not only for mitigating risks but for success.

“My job is not to stop them from doing their job; my job is to help them do their job in the right way, and sometimes I even say that to them,” he said. “I’m always very upfront, and we found that the more and more we work with people in this way, it creates respect. We’ve helped them do their job, and a lot of times, we actually make suggestions that help them do what they’re doing better. As long as the business succeeds, we succeed.”