4 November 2025

We Get Privacy For Work — Episode 11: Beyond The Checkbox: Engaging Your Workforce In Privacy And Data Security Training (Video)

Jackson Lewis P.C.

Oftentimes, organizations view training simply as another obligation; however, tailored and hands-on privacy and cybersecurity training are essential to safeguard data and ensure operations run smoothly in the event of a breach.

Transcript

Damon Silver
Principal, New York City

Welcome to the We Get Privacy for Work podcast. I'm Damon Silver and I'm joined by my co-host, Joe Lazzarotti. Joe and I co-lead the Privacy, Data, and Cybersecurity Group at Jackson Lewis. In that role, we receive a variety of questions from our clients every day, all of which boil down to the core question of how do we handle our data safely? In other words, how do we leverage all the great things data can do for our organizations without running headfirst into a wall of legal risk, and how can we manage that risk without unnecessarily hindering our business operations?

Joseph Lazzarotti
Principal, Tampa

On each episode of the podcast, Damon and I talk through a common question that we're getting from our clients. We talk it through in the same way that we would with our clients, meaning with a focus on the practical. What are the legal risks? What are the options available to manage those risks, and what should we be mindful of from an execution perspective?

Today is an important one because it's something that raises a lot of different questions and really can be organization specific. Damon, how do we approach privacy and security training? It's an issue that requires a lot of attention and there's a big need for it, so that employees and other members of the workforce are aware of the risks and what steps companies have taken to minimize those risks.

Of course, there are a lot of questions that have to be asked about how to develop and implement the most optimal type of training that we can to protect information, our systems, and operations in a way that makes it interesting. I've been to or given many trainings, especially during COVID, where some people started to tilt over. Seriously, you want to try to make it interesting and impactful.

What are some of the key questions when clients approach you about training? What are the first things that come to mind that you want to think about that may help listeners develop a training program that would work for them?

Silver

I 100% agree with several things that you said, one of which was it really does have to be company or organization specific. You do want it to be interesting because there is some degree to which you're checking the box. There are some express obligations to train, but really what you're hoping your training accomplishes is that people are going to be better stewards of your data, help you avoid data breaches, respond quickly to them, and avoid privacy violations. What I've found is a very helpful way of doing that is to really make the training very hypothetical-focused. What I mean by that is going through specific scenarios with people, almost like in the case of an incident response plan, where you might do a tabletop exercise going through specific scenarios, like a ransomware attack or a business email compromise, and talk through with your team what that would look like.

I try and do the same thing with scenarios that are likely to be relevant to the audience. What scenarios are likely to be relevant is going to depend a lot on, one, who are the people in the audience? A lot of times we do different versions of the training. There might be one that's more for people who are sitting in leadership or management, people who are making high-level strategic decisions around what the program should look like, how to set up access controls, and how to manage vendors and incident response planning. Then, there may be others for people who are in a more day-to-day capacity having some responsibility for the program. What those responsibilities look like is going to vary quite a bit depending on things like the client's industry, especially in a heavily regulated industry like healthcare or financial services. Do they have a role that requires them to handle sensitive information? HR and finance are examples. Are they people who deal a lot with outside parties? Someone who's in procurement or certain IT functions where they're dealing a lot with vendors. Those are all the types of questions I like to ask clients as we're preparing to do the training and deciding what the training should look like, because that's going to inform the scenarios that I develop for us to work through with the various members of the audience.

Joe, when you're thinking about doing these types of trainings, what are some of the buckets of areas of risk or types of policies that you find are most effective to work through in a training environment?

Lazzarotti

It depends on the client and who you're talking to. One of the things that we do, for example, if we do HIPAA training, the first question is who should be trained? Generally, it's whoever will have access to, be processing, or be handling protected health information. That could be a lot of different people. If you're in a healthcare provider setting, it could be the billing folks, the providers, IT, administration, and the people who are credentialing. They all may have a hand to one degree or another, but they may be using different systems, or their access may be limited. You don't want to have people at the training who are going to sit there for 45 minutes until they finally hear something that is relevant to them. In terms of thinking about the policies that they have to be mindful of, it also will tie into what their job is.

Sometimes what we've done, and it may or may not be helpful in every situation, but you might start out at training where everybody's there and you talk about the general policies and things that are applicable to that whole group. Something like talking about where to report an incident. That's usually going to be a central place, so everybody gets that information, since it applies to everybody. What is a breach; that might be something that you talk about. If you're going to start talking about uses and disclosures and what exceptions there are, then you might want to narrow that group a little bit. So, cover some general stuff like certain policies that are generally applicable. Then, you think about what are the policies that are really going to be more important to certain other roles? Providers or the nurse practitioners come to mind because they're the ones that are going to be doing the day-to-day with patients. They'll have to recognize when they need to get an authorization, how much should they disclose, and do they have to document disclosures under HIPAA? Those are all questions that might come up that may not be relevant to folks in some departments, like IT. It's really thinking about those questions.

Nowadays, well, it's not that recent. I mean, it's been for a while that online, larger companies put together training programs. Those training programs can be very instrumental in conveying key points; however, they're oftentimes not tailored to the organization. It's good information, but it's not really tailored to that particular organization's policy. There is this divide between saying, I satisfied my training obligations by giving my team a boilerplate training, as opposed to a training that really speaks to the policies and procedures that you've prepared based upon the risk assessment that you've performed, so that people know what to do in your organization, not what XYZ Training Company told you to do in a training. Some of that can be important as well, in terms of maybe you need a combination of both, where you are conveying some general principles, but you're also doing an in-person training where you're conveying this is what we want to do and these are the policies we need to cover for this particular group.

Damon, if that's an approach that makes sense, how are you looking at what topics you need to cover, who is in the room, and how often do you present? Those are some of the questions that I know when we sit down with a client and think about it, just the logistics of it, how are you looking at those issues?

Silver

In terms of cadence, I would say, and again, this is going to vary depending on issues like what industry you're in and what contractual obligations you've assumed. Generally speaking, you're going to want to train people at least annually. For some people in higher risk positions or if there are changes made in your technology or business practices, maybe you do it even more often than that. Some regular cadence to reinforce what you're doing. Under some laws you do have specific requirements, like you mentioned HIPAA or the CCPA is another one that specifically calls out doing annual training. That's one piece.

In terms of some of the topics that I like to focus on with the training, regardless of who the group is that we're working with, although specifics are going to vary, are things like data minimization. What's interesting about that topic is, one, it has big implications from a data security and data privacy perspective. It means different things to different groups based on what type of data they're working with and what types of technologies they're working with. I've also found, probably more than any other topic, that it is one that leads to a lot of questions from the people participating in the training. As we work through some of the hypotheticals that I was alluding to earlier, it makes them think of other scenarios that either they have encountered, or they have thought about in the course of doing their work. I find that it can be extremely helpful as I try to get an understanding of our clients' operations before the training. I'm never going to be as in the weeds as the people who are actually working there, so when people bring up scenarios that really have happened to them and that are likely relevant to other people in the room, it leads to some very interesting discussions. We can really do a post-mortem of how they handled it, how they could have handled it if it happened, or we can do some scenario planning if it's something that hasn't yet happened, but they could see happening. That's definitely a big part of it, and that is something to think through as well.

You mentioned doing video training, and that is an option. For some clients, that's what's going to make the most sense from a cost or a logistics perspective. They have people all over the place, but you are losing that interactive component. The same is true if you have 200 people participating in the training versus a group of 20. With a 200-person group, it's a lot harder. It's possible, but a lot harder to have it be an interactive session. I would say the sessions I find are most impactful are the ones with a somewhat smaller group. Even up to 20 is probably fine; beyond that, it gets a little unwieldy.

Right from the beginning, I will encourage all participants to share questions in the chat or raise their hand if we're in person or using the little icon on Microsoft Teams. I oftentimes will just take the question right then and there. If I feel like it's really taking us off track, I might push it to a later segment of the presentation or the training session or even afterwards, if that makes sense. I find that's a really good way to get people engaged and to help people really see how this applies to them.

Lazzarotti

To that point though, Damon, how do you approach who does the training? You're talking about you doing it; however, have you come across a question of who should do the training? Obviously, you want a good presenter and an interesting person, but are there some issues and dynamics that you've come across where clients have expressed, we want counsel or the head of the department to do it, or we don't want to have the head of department do it? Any issues with that that have come up?

Silver

There definitely are scenarios where the client's preference, at least on a longer-term basis, is to have the training done internally. Then, there's discussion of who that person should be. It's an interesting question. There are different ways to approach it. A lot of it does come down to having someone who really understands what's relevant to the audience and also having someone who will be received in the right way by the audience. Someone that the audience is going to trust as an authority, but also not someone who the audience views as the person who always says no and is overly conservative. You do want the training, because obviously we'd like everyone to do everything perfectly and be completely buttoned up, but there are limits to what people are realistically going to do. If people feel like the bar is being set unreasonably high and the message comes from a messenger who is always telling them to wait to cross the street, even if there's zero cars around, that could impact the efficacy of the message. It could leave people rolling their eyes a little bit and saying, yeah, that would be nice, but I'm not going to do that. Those are some of the things I think about. Having someone who really understands the group and also having someone who is the right messenger for the message.

What are some of things you think about?

Lazzarotti

I think about the same things. I just am curious because I've had some clients who have asked, we've done training, but we're reaching out to you because we feel like if we bring our lawyer in, the group will take it more seriously. In some cases, we've talked through who at the company should do the training because, exactly to your point, some people are more formulaic. They'll go through the rule book, and they'll read off the rules chapter and verse and that's it. Whereas sometimes you want a storyteller, or someone who's going to really engage people, tease out the really important points, and convey it in a way that people get it and can apply it. It's one thing to know the rules, but another thing to apply them in circumstances and to teach people judgment around what compliance means as a practical matter, particularly in a dynamic setting where the situations aren't always going to be clear. There's some real importance to obviously knowing who has to be trained and what we want to convey to them, so they're not wasting their time. Also, who is delivering the message and doing it in a way that really can get people excited about it, or at least listen and say, I think I need to understand that? The person should have some respect in the sense that they maybe have some institutional knowledge, and people are going to say, well, if they're saying it, then that makes some sense. Sometimes it's as important as anything else.

One other thing I'm curious about, I know we've handled a lot of enforcement actions, switching gears a little bit, but one of the things that I know in following a data incident, if there's an investigation, there's a question about have you done training? Sometimes there's not a lot of evidence of that training. Then, even if there is, sometimes clients may not always recognize the things they are doing can be considered training or awareness. It's not always sitting in a classroom and listening to someone with a PowerPoint that constitutes training. In terms of thinking about how do we design our training program so that we're in a position to document and be able to tell a good story about what we've done, what things do you see around that so that companies are prepared?

Silver

It's a great question. It ties into a question I was going to put out there for us to discuss as well about what types of PowerPoint or other visual tools you use in your training. That's going to be one piece of your evidence is your deck or the document you distribute at the training. You do want to think about what should be in there, and you do want it to be somewhat tailored to you. We've talked in the context of a WISP, working with clients, they'll say, yes, I have a WISP. Then, they will pull it out and it still has brackets around company in every location. It's very clear it has not been tailored to them in any way. If you have, say, a PowerPoint deck that refers to policies and those are the policies you actually have and they're in your WISP, that is going to present much better to a government agency than if the training deck is clearly very generic and does not relate specifically to what you're doing. That's one piece of it.

Another, obviously, is just the logistical thing of maintaining a training log. I've definitely worked with clients who claimed to have done training every year for years, but there's no evidence that that has happened. It can be people physically signing in if you're doing it in person, or it can be maintaining a log of each person who participated in the Microsoft Teams meeting. I recently did a training and then sent it to the client afterwards. You can pull a log from Microsoft Teams of each person who attended the meeting and when they entered and left. Those are some of the things that can be helpful.

To your point, Joe, you really do want to think broadly about what qualifies as training. You may have your formal annual sit-down training, but there's also stuff you do in smaller groups, like the leader of a team talking to their team about what their protocols are going to be for this particular project. I work a lot with an EdTech company, and they have various clients, and oftentimes they're getting access to the client systems and to student and teacher data. For each of those engagements, they have an SOP or similar document that lays out how they are going to handle data, and the meetings they have to set up those projects. Those are trainings too. You can and probably should think broadly about what you are doing to make sure people remain up to speed on what their responsibilities are from a data privacy and security compliance perspective.

Lazzarotti

There's a lot there, just in terms of all the kinds of training that companies go through and we like to think privacy and security is the most important. It is absolutely. We did a white paper on that, so if anyone's interested, we're happy to share. It's on the blog, as well and it covers a lot of this. It's really an important thing.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.