Privacy and Cybersecurity Training: Addressing Regulatory Concerns | Sheppard Mullin Richter & Hampton LLP


As we pass the halfway mark of 2022, many are reflecting on their privacy compliance progress. One area that seems to be a constant battle is training. How much is needed? What kind of training? What do regulators expect around training?

Many privacy and security laws require some form of employee training. Under CCPA, for example, organizations need to train individuals who handle consumer inquiries. Most comprehensive privacy laws (like GDPR) expect training to be a part of ensuring privacy compliance, as do regulators who enforce unfair and deceptive trade practice principles. Canada’s privacy law (PIPEDA) requires general privacy training. Under industry-specific laws (GLBA and HIPAA) and certain state insurance law regulations, training is also contemplated. Training has also been recommended as an important compliance step by regulators like the Department of Labor, SEC, OFAC, NYAG, NYDFS, and others.

Training is required under many security laws as well. For example, state security laws (Massachusetts, New York and Oregon) mandate training. In Kansas, having a training protocol, along with other measures, can serve as an affirmative defense in the event of a breach. Industry frameworks, like those from NIST and ISO, call for a clear training strategy and for role- and risk-based training to be provided to employees. Finally, in the aftermath of a breach, regulators often point to a lack of training (or an alleged lack of effective training) in assessing fines, or make training part of a settlement decree (see recent NYAG and FTC settlements).

In the face of these legal imperatives, how can companies most effectively implement a training program, one that can show regulators measurable results and address their concerns? This is especially hard in light of some common, practical refrains: "the training is too long;" "the training is too boring, I didn't pay attention;" or the related "I'm too busy, I did the training while I was multitasking." Borrowing from the education field, here are ideas to consider when designing privacy and cybersecurity training:

  1. Make it appropriate: Training should be substantively relevant to the audience, and the right people and groups need to be trained. These include those who collect and use personal information, as well as those whose activities with respect to that information could put the company at risk. Typically most individuals will need some level of training, but which training they need depends on who they are.
  2. Make the training interactive: People learn best when they are engaged. It may be harder to develop, but an interactive session will result in more learning than putting people in a room or an online lecture for the same amount of time.
  3. Keep it short!: The people you are training are busy. This is one more "extra" in their day. Think of a series of "60 second ad spots," and deliver training about one key topic rather than trying to cover everything in one go.
  4. Know your audience: Each constituency in your organization is unique. They have their own culture, communication styles, and needs. Think through not just the appropriate substance for your audience, but also how they learn best. What will make the content you need to communicate most digestible for the group? Group exercises? "Gamification"?
  5. Be planful: The first four steps will be difficult to implement if you jump in without a plan. Deciding both whom to train and how to do so effectively requires thoughtful consideration. Spending planning time can make the difference between successful training outcomes and mediocre ones. Another important piece of any plan is prioritizing. Where are the greatest risks? Who are the people whose actions could result in the largest exposure to the company? Tying the planning into an organization's overall goals can make a big difference. Demonstrate how effective training can and will support the organization's goals. Finally, think about measurements when designing your training. How will you measure behavior changes rather than just counting the number of people who attended the training? If you want fewer click-throughs on phishing campaigns, compare click-throughs on the same population both before and after the training to demonstrate its effectiveness, and make sure the sample is large enough that the change is not just noise.
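The before/after measurement suggested in the last point is easy to get wrong: comparing a different set of recipients in each campaign, or reading a drop in a handful of clicks as proof that training worked. Below is an added illustration, not code from the article or its authors, that scores two phishing-simulation campaigns over the same users, breaks the click rate out by role, and attaches a two-proportion z-statistic so the reader can see whether a change would survive a basic significance check. The record format (user id, role, clicked) and the sample records are constructed assumptions for the example.

```python
from collections import defaultdict
from math import sqrt

# Constructed phishing-simulation results (assumed format: user id, role, clicked).
# These are illustrative records for the example, not data from the article.
BEFORE_TRAINING = [
    ("u01", "finance", True), ("u02", "finance", True), ("u03", "finance", False),
    ("u04", "finance", True), ("u05", "finance", False),
    ("u06", "engineering", False), ("u07", "engineering", True), ("u08", "engineering", False),
    ("u09", "engineering", False), ("u10", "engineering", True),
    ("u11", "support", True), ("u12", "support", True), ("u13", "support", True),
    ("u14", "support", False), ("u15", "support", True),
]
AFTER_TRAINING = [
    ("u01", "finance", False), ("u02", "finance", True), ("u03", "finance", False),
    ("u04", "finance", False), ("u05", "finance", False),
    ("u06", "engineering", False), ("u07", "engineering", False), ("u08", "engineering", False),
    ("u09", "engineering", False), ("u10", "engineering", True),
    ("u11", "support", False), ("u12", "support", True), ("u13", "support", False),
    ("u14", "support", False), ("u15", "support", True),
    ("u16", "support", True),  # new hire: only in the second campaign, excluded from the comparison
]


def click_counts(records):
    """Return {role: (clicks, sent)} with an "all" roll-up across roles."""
    counts = defaultdict(lambda: [0, 0])
    for _, role, clicked in records:
        for key in (role, "all"):
            counts[key][0] += int(clicked)
            counts[key][1] += 1
    return {k: tuple(v) for k, v in counts.items()}


def two_proportion_z(clicks1, sent1, clicks2, sent2):
    """Pooled two-proportion z-statistic for H0: rate1 == rate2.
    |z| >= 1.96 corresponds to roughly a 5% two-sided significance level."""
    p1, p2 = clicks1 / sent1, clicks2 / sent2
    pooled = (clicks1 + clicks2) / (sent1 + sent2)
    se = sqrt(pooled * (1 - pooled) * (1 / sent1 + 1 / sent2))
    return 0.0 if se == 0 else (p1 - p2) / se


def compare_campaigns(before, after):
    """Compare click rates per role over the users present in BOTH campaigns."""
    common = {u for u, _, _ in before} & {u for u, _, _ in after}
    b = click_counts([r for r in before if r[0] in common])
    a = click_counts([r for r in after if r[0] in common])
    report = {}
    for role in sorted(set(b) | set(a)):
        bc, bn = b.get(role, (0, 0))
        ac, an = a.get(role, (0, 0))
        if bn == 0 or an == 0:
            continue  # role was not tested in both campaigns
        before_rate, after_rate = bc / bn, ac / an
        report[role] = {
            "sent": bn,
            "before_rate": before_rate,
            "after_rate": after_rate,
            "relative_reduction": (before_rate - after_rate) / before_rate if before_rate else 0.0,
            "z": two_proportion_z(bc, bn, ac, an),
        }
    return report


if __name__ == "__main__":
    for role, m in compare_campaigns(BEFORE_TRAINING, AFTER_TRAINING).items():
        flag = "" if abs(m["z"]) >= 1.96 else "  (not significant at 5%)"
        print(f"{role:12s} n={m['sent']:3d} before={m['before_rate']:.0%} "
              f"after={m['after_rate']:.0%} reduction={m['relative_reduction']:.0%} "
              f"z={m['z']:.2f}{flag}")
```

With these 15 paired users the overall click rate falls from 60% to 27%, a 56% relative reduction, yet the z-statistic is about 1.84, below the 1.96 threshold: a real program needs a larger population (or several campaigns) before the numbers are worth showing a regulator. The per-role breakdown is what ties the metric back to the "know your audience" and prioritization points, since it shows which constituency still needs attention.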

Putting It Into Practice: With about six months remaining in the year, now is a good time to revisit training efforts. Do you have a comprehensive plan that addresses both statutory requirements and regulator expectations? These steps may help put in place a practical program that addresses your highest areas of risk.