Separating Privacy Awareness From Security Awareness Training

Author: Yunique Demann
Date Published: 13 March 2023

Security awareness training has always been considered a key component of a security program. The success of an organization’s security program can be measured by how successfully end users take preventative cybersecurity measures and whether they know what to do in the event of a malicious email, network intruder or unauthorized access to physical or technical information.

Privacy and security are often bundled into one organizational security awareness training program that focuses on confidentiality and the mechanisms in place to protect the confidentiality of data. Confidentiality, as defined by the US National Institute of Standards and Technology (NIST), concerns “preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.”[1] Although there is a clear link between privacy and security, preserving the confidentiality of data is only one objective of data privacy; therefore, awareness of the additional objectives should be addressed separately. When privacy and security are combined into one program, there is a tendency to dilute the privacy message or reduce it to just one facet, maintaining data confidentiality, but there is more to data privacy than that.

Why Organizations Should Treat Privacy Separately

The publication of NIST Internal Report NISTIR 7298 Revision 1 in February 2011[2] was the first time that personally identifiable information (PII) was defined separately. PII is a common US term that covers any information from which the identity of the individual to whom it applies can reasonably be inferred, by either direct or indirect means. Protecting the information covered by this definition, which is routinely used interchangeably with the European term personal data,[3] is the key objective of privacy.

Privacy laws give individuals certain rights over their data, and organizations have a duty of care to their clients, customers, vendors and consumers to ensure that any data in their care are adequately protected. Employees within those organizations must be made aware of their responsibilities when processing personal data, and the organization is accountable for ensuring that happens. Employees are always the weakest link, but when they are not aware of their role in ensuring PII is adequately protected, mistakes happen and privacy breaches can occur.

Privacy in the News

Privacy breaches in 2011 helped move the privacy awareness agenda up the priority list. The Sony PlayStation Network, Sony Online Entertainment, Sony Pictures and many Sony websites faced multiple class action lawsuits over their failure to protect the personal information of more than 100 million users.[4][5] RSA experienced its most high-profile breach, in which hackers stole information related to its SecurID system through simple social engineering tactics.[6] And Nasdaq found that hackers may have had the ability to see the boardroom-level communication of 10,000 senior executives through its cloud-based application Directors Desk, which gave them access to inside information that they could have sold to other enterprises or used to make market trades.[7]

Organizations realized that a high-profile privacy breach could be just as disastrous as a security breach. This is likely where the mind shift started, and organizations began to do more to bring privacy to the forefront.

Once the EU General Data Protection Regulation (GDPR) was adopted in 2016, US-based global organizations started to pay more attention to privacy and developed annual compliance training programs that included security and privacy awareness training as separate modules.

What Makes a Good Privacy Program

A good privacy training program should address PII, personal information and personal data as distinct terms because, even though they are used interchangeably, they are different. Common privacy principles and data subject rights should also be addressed, along with local and international privacy legislation such as GDPR and the California Consumer Privacy Act (CCPA) where applicable. Topics such as the difference between anonymization and pseudonymization, privacy by design and what to do in the event of a data breach provide context for why privacy is important and give employees the knowledge they need when processing personal data.

A good privacy training program should use a variety of visual, interactive components to engage the user and should not be too long. For example, employees do not want to sit through a 45-minute presentation; however, if the training is too short, its benefit will be minimal. It is highly recommended that a short test be provided at the end to solidify understanding of the key points. Lastly, privacy training should be performed at least annually, although short trainings spread throughout the year are becoming increasingly common.

Many small organizations will argue that the risk to their business is small, so they do not need to separate privacy awareness training from security awareness training. That may be true; however, all organizations, even small ones, are ultimately accountable for making sure all employees are trained and given the resources to perform their roles adequately. If employees are not trained in the correct handling of PII, the organization will ultimately pay the price, a risk each organization has to decide whether it is willing to take.

Conclusion

Separating privacy awareness training helps highlight key privacy principles that are not addressed in security awareness training. When PII are collected, everyone is responsible for ensuring those data are processed, stored, used and protected appropriately. Any lack of understanding of this responsibility is a vulnerability the organization is accountable for fixing.

Ultimately, it comes down to a business decision. Having a privacy and security awareness training program is better than not having one at all, but having two focused programs addressing high-risk topics is beneficial to not only organizations, but employees as well.

Endnotes

[1] Paulsen, C.; Byers, R.; National Institute of Standards and Technology (NIST) Interagency or Internal Report (IR) 7298 Revision 3, Glossary of Key Information Security Terms, USA, 2019
[2] National Institute of Standards and Technology (NIST), NIST Interagency or Internal Report (IR) 7298 Revision 1, Glossary of Key Information Security Terms, USA, 2011
[3] Personal data are information that relate to an identified or identifiable individual. What identifies an individual can be as simple as a name or a number, or can include other identifiers such as an IP address or a cookie identifier.
[4] De Groot, J.; “The Biggest Moments in Cybersecurity History (in the Past 10 Years),” Digital Guardian, 22 August 2022
[5] Baker, L. B.; Finkle, J.; “Sony PlayStation Suffers Massive Data Breach,” Reuters, 26 April 2011
[6] Greenberg, A.; “The Full Story of the Stunning RSA Hack Can Finally Be Told,” Wired, 20 May 2021
[7] King, L.; “NASDAQ Out of Date Software Helped Hackers: Report,” CSO, 22 November 2011

Yunique Demann is a security and privacy professional with more than 20 years of experience managing global compliance programs. Demann started her career in privacy before moving into information security and back to privacy. Her diverse experience allows her to see how the convergence of privacy and security supports organizational strategic goals. Although you cannot have one without the other, the knowledge of both as separate but equally important disciplines is a message that Demann shares with senior executives who want to demonstrate privacy compliance at the board level.