Legal Alert
Is Your Company Compliant on Privacy and Security Training for Employees?
August 3, 2022
The privacy and security law landscape is increasingly complex and constantly expanding. Taking center stage, the California Privacy Rights Act (CPRA) and Virginia Consumer Data Protection Act (CDPA) become effective in January 2023, followed by the Colorado Privacy Act (CPA) and the Connecticut Data Privacy Act (CTDPA) next July, and the Utah Consumer Privacy Act (UCPA) in December of 2023—and five more states have privacy legislation in the works. With industry-specific laws like GLBA, HIPAA, and FCRA, as well as requirements from regulators like the U.S. Department of Labor, Securities and Exchange Commission, Office of Foreign Assets Control, New York State Attorney General, and New York Department of Financial Services also in place, companies must be particularly attentive to ensure they remain compliant. Inaction is simply not an option, and planning is critical.
Where do you start? Along with a full assessment of data, plus review, revision, and implementation of policies, a key area to focus on this fall is your organization’s privacy and security training program for employees.
All of the laws and the regulatory agencies mentioned above require that organizations implement and maintain a formal and regular training program. This training must be effective in order to be compliant. While there are many ways to approach this, best practices for conducting a successful training remain the same: The training needs to be relevant and, even more important in our view, captivating. We advise the material be presented in a way that is engaging and memorable. If it is too long and complicated, your audience may disconnect and lose track of critical takeaways. On the other hand, if it is interactive, sufficiently short, and entertaining, it is not only more likely to be compliant but will also benefit your organization as you move forward.
In addition to meeting the legal requirement, organizations that have these training programs in place generally fare better when there is a cybersecurity breach. They usually respond more effectively, and in some instances, the existence of this training program can serve to mitigate liability or provide an affirmative defense in the event of a lawsuit.
We Can Help
Privacy and security regulations can be daunting. If you are not sure where to start, we can help. From designing the training program to running it for you, Maslon can guide you on how to ensure you maintain a legally compliant privacy and security training program.