Laws & Regulations Require Security & Privacy Training & Awareness

I’m in the final weeks of creating some privacy breach training courses that will not only help personnel to prevent privacy breaches, but also help support compliance with the FACTA Red Flags rule, the at least 45 U.S. privacy breach notice laws, plus many other laws and regulations.
Over the past decade+ there have been a large number of laws, regulations and industry standards that have specifically stated the need for organizations to provide information security and privacy training and awareness to their personnel.

It would seem to be a no-brainer for organizations to provide this type of education to their personnel, but sadly many business leaders error on the side of ignorance for their staff in an effort to save a comparative penny or two. Another significant group of executive leaders just don’t get the importance of providing this education to their personnel, and it doesn’t sink into their heads that you cannot expect workers to know how to safeguard information if you do not tell them how.
Lawmakers have seen these dangerous business-leader tendencies, and thus came the legal requirements for education.
If education was not legally required, a significant portion of business leaders would not provide information security and privacy education.
As I mentioned yesterday, my July issue of “IT Compliance in Realtime” focuses on the importance of information security and privacy training and awareness to not only improve security, but also to meet a very wide range of compliance requirements. The first article in this month’s Journal is, “Information Security and Privacy Education Support Compliance.” Download the PDF of the full Journal issue for the formatted, best-looking version.
Here is the next section from that article…

Laws and Regulations Requiring Education
There are many laws and regulations that require personnel education, which includes training and awareness activities. Table 1 provides a quick reference with the italicized verbatim excerpts of the educational requirements from a few of these laws and regulations. There are many more, but this provides a good example of the many ways in which laws and regulations require information security and privacy education.
Many of the laws and regulations do not explicitly use the words “train” or “aware.” However, when laws and regulations indicate that organizations must “promulgate,” “provide information,” “instruct,” and ensure information is “made known,” this generally means that organizations must effectively provide education.
[Table showing 11 U.S. laws and regulations and each of the corresponding educational directives. Download the PDF to see the full table.]
Training and awareness regulatory and legal requirements are not limited to the U.S.; there are many other data protection laws throughout the world that have similar requirements. The bottom line is that it is best for business and for establishing a culture of information security and privacy to provide regular training and ongoing awareness communications and activities.

Thoughts? Feedback? Let me know!

Tags: , , , , , , , , , ,

Leave a Reply