Is employee error really a problem?

Even if that is true, do we have a legal requirement to train employees?

Healthcare providers, health plans and business associates. Certain health care providers and health plans, and their business associates are subject to the privacy and security regulations under the Health Insurance Portability and Accountability Act (HIPAA). The HIPAA privacy regulations require that:

“covered entities must train all members of its workforce…as necessary and appropriate for the members of the workforce to carry out their functions.”⁸

The HIPAA security regulations require covered entities to:

“[i]mplement a security awareness and training program for all members of its workforce [including management]”⁹

So, all covered healthcare providers such as, hospitals, physician practices, dental offices, nursing homes, and home healthcare providers, have a regulatory requirement to train their workforce members. These requirements also apply to business associates of these covered entities including, accounting firms, consultants, brokers, law firms, and medical billing companies.

The training requirement also extends to certain employer-sponsored group health plans. Many employers sponsor some form of a self-funded health plan, such as a self-funded plan that meets the minimum value requirements for purposes of the Affordable Care Act, or a health flexible spending arrangement. Employees

who handle protected health information in the course of administering these plans must be trained.

Financial Institutions. As one of the most heavily regulated industries in the United States and globally, financial services organizations are subject to a wide range of data privacy and security requirements given the critical nature of the data they use, receive, maintain and disclose. These requirements include employee training:

Safeguards Rule. Under the Gramm-Leach-Bliley Act (“GLBA”) and pursuant to regulations issued by the Federal Trade Commission (“FTC”), certain financial institutions are required to develop administrative, technical, and physical safeguards to protect customer information (known as the “Safeguards Rule). Financial institutions generally include organizations such as lenders, financial advisors, loan brokers and servicers, collection agencies, tax preparers, and real estate settlement services that have customer information, whether collected from their own customers, or received from other financial institutions.

Section 314.4 of the Safeguards Rule requires financial institutions to assess and address the risks to customer information in all areas of their operations, including employee management and training. FTC guidance for compliance with the Safeguards Rule lists a number of steps financial institutions should take, including “[t]raining employees to take basic steps to maintain the security, confidentiality, and integrity of customer information.”

Red Flags Rule. The Fair and Accurate Credit Transactions Act (“FACT Act”) requires certain federal agencies to direct financial institutions and creditors to do more to detect, prevent, and mitigate identity theft. These rules apply to a broad list of businesses - “financial institutions” and “creditors” with “covered accounts”. For example, a “creditor” is defined non-exhaustively to include “lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies and telecommunications companies”. And, covered accounts include any account for which there is a foreseeable risk of identity theft.

The set of rules that followed became known as the “Red Flags” rule, which requires these covered entities to adopt programs designed to detect, prevent, and mitigate identity theft. To administer the program in compliance with the regulation, the

organization must “[t]rain staff, as necessary, to effectively implement the Program.” See, e.g., 16 CFR § 681.2(e)(3).

FDIC Guidelines. The Federal Deposit Insurance Corporation (FDIC) applies the Interagency Guidelines Establishing Information Security Standards (Guidelines) that provide standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information. The Guidelines apply to depository institutions insured by the FDIC, such as banks, state savings associations, insured state branches of foreign banks, and any subsidiaries of such entities (other than brokers, dealers, persons providing insurance, investment companies, and investment advisers). Under these Guidelines, each institution shall, “[t]rain staff to implement the bank’s information security program.”

Regulation S-P. GLBA also directed the Securities and Exchange Commission to establish appropriate standards to protect customer information. These rules, known as Regulation S-P, apply to investment advisers registered with the Commission, brokers, dealers, and investment companies subject to the Commission’s jurisdiction. Under these rules, these entities “must adopt policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information…reasonably designed to:

	Insure the security and confidentiality of customer records and information;
	Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
	Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.

In Notice 05-49, the National Association of Securities Dealers (NASD) (now known as the Financial Industry Regulatory Authority, or FINRA) reminded its members about the need to comply with Regulation S-P. It stated in part that although there is no “one-size-fits-all” policy or procedure to comply, members’ policies and procedures should “at a minimum” include: “providing adequate training to employees regarding the use of available technology and the steps employees should take to ensure that customer records and information are kept confidential.”

Federal Contractors. Under the Federal Information Security Management Act (FISMA) certain federal agencies are required to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. Specifically, under 44 U.S.C. § 3544(b)(4):

Each agency shall develop, document, and implement an agency-wide information security program…to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source, that includes…security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency.

Educational Agencies and Institutions. In general, educational agencies and institutions receiving funding by the federal Department of Education must comply with the Family Educational Rights and Privacy Act (FERPA). The law and its implementing regulations address the rights parents and students have to students’ files at covered agencies and institutions. Questions concerning the right to access, modify or disclose student records can be challenging. Thus, training is a critical component for any privacy and security compliance program in this sector to ensure that a school’s administrators, faculty and staff members are complying with FERPA.

State Law Mandates. Although there is not yet a universally applicable federal data security statute in the United States, a number of states have required businesses and other entities operating in the state or maintaining personal information about state residents to have safeguards in place to protect that information. In some cases, training is an express requirement, in others states it is expected as a “reasonable safeguard.”

California. California’s information security statute (California Civil Code § 1798.81.5) provides that businesses that collect personal information on California residents must use “reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification or disclosure.” Many wondered what are those “reasonable security procedures and practices.” A recent report by California’s Attorney General helps

to clarify this standard. In the report, Attorney General Kamala Harris states that the failure to comply with the 20 controls set forth in the Center for Internet Security’s Critical Security Controls “constitutes a lack of reasonable security.” One of those 20 controls is to provide security training to employees and vendors with access to systems containing personal information.

Massachusetts. Under comprehensive data security regulations that apply to businesses that maintain personal information of Massachusetts residents, businesses must maintain a written information security program (WISP). A WISP must include: “[e]ducation and training of employees on the proper use of the computer security system and the importance of personal information security.”¹⁰

Oregon. Oregon also requires certain businesses to maintain a WISP. The WISP must include administrative safeguards under which the business: “[t]rains and manages employees in the security program practices and procedures.”¹¹

Texas. In Texas, certain entities that engage in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information are subject to a set of HIPAA-like rules to protect that protected health information. Under that law, “[e]ach covered entity shall provide training to employees…necessary and appropriate for the employees to carry out the employees’ duties for the covered entity.”¹²

General Safeguard Requirements. Like California, a number of other states impose general requirements on businesses to safeguard the personal information they maintain. In general, those states require businesses to maintain “reasonable safeguards” to protect personal information of state residents. These states include, without limitation, Connecticut, Florida, and Maryland. Based on the express statutory requirements and other data security standards discussed above, any set of reasonable safeguards should include data security training for employees.

Payment Card Industry Data Security Standards (PCI DSS). Businesses that accept credit or debit cards as payment for goods and services will have certain obligations under PCI DSS standards. The major card brands (e.g., Visa, MasterCard, American

Express, Discover) maintain these standards, which are administered by the Payment Card Industry Security Standards Council. In October 2014, the Council published “Best Practices for Implementing a Security Awareness Program Concerning PCI DSS Requirement 12.6” which states:

[A] formal security awareness program must be in place…Security awareness should be conducted as an on-going program to ensure that training and knowledge is not just delivered as an annual activity, rather it is used to maintain a high level of security awareness on a daily basis.

Our Company does not maintain personal information, and our employee data is secure in our HR Department, so training does not seem necessary in our business

What should a privacy and data security training program look like?

Who should design and implement the program? If the organization has a privacy officer, this might be a good choice, but certainly not the only one. However, there should be an individual or department responsible to maintaining the program.

Who should be trained? In general, this should include workforce members with access to the information the organization desires to safeguard. Interns, volunteers, and other non-traditional categories of workers should not be excluded. However, even unauthorized employees may get access to that information, inadvertently perhaps, and may need to be made aware of certain company protocols, such as how to report a data breach.

Who should conduct the training? Organizations may conduct training in-house, outsource it, or a combination of both. When performed in-house, the person selected to deliver the training might depend on the information or safeguards being covered. For example, if the safeguards at issue relate to information obtained by call center representatives, the call center manager might be a good choice to deliver the training. It is not necessary, however, that a member of the IT, HR or Legal departments deliver the training, or that it be a person with technical IT knowledge. But, the ability to convey specific information about company requirements, legal mandates and use of technology to maximize security is certainly helpful.

What should the training cover? Again, the substance of the training will depend on the organization, the data at issue, the audience and other factors. In general, training should cover some basic issues, such as what is confidential or personal information, or what is a data breach. However, training programs can be significantly enhanced when they use real situations that participants in the program can relate to and apply in their jobs.

When and How Often? Basic privacy and security training should be provided before an individual obtains access to confidential or personal information. At a minimum, the principles should be conveyed at least annually thereafter. Training also may be needed after changes in policies; following increases in levels of access or sensitivity of information; to react to changes in technology; following a security incident and other situations, such as a merger or acquisition.

How should training be delivered? There are many ways to deliver a consistent message about data security throughout an organization. These include policies, notices, newsletters, intranet dashboard, in-person sessions, online courses, videos, testing, tabletop exercises, employee resource group (ERGs), or a combination of these. The ability for participants to interact and ask questions can be critically important for them to understand their responsibilities as they relate to the particular business.

Should training be documented? Yes. In some cases, such as under HIPAA, documentation is required. However, an organization will be in a much better position to defend its data privacy and security practices if it can show that it maintains a comprehensive training program. This generally means that the organization tracks the materials covered in the training and those who attended or received the information.

We did training, and employees still send the emails to wrong addresses and make other mistakes!