At the end of 2017, the OCR logged just under $20 million in fines for HIPAA violations from 10 enforcement actions with monetary penalties. In 2016, the total in penalties was roughly the same amount but from 15 organizations.
Quite a number of cases involved failure to implement safeguards for PHI on mobile devices. The best fix is to superglue devices to staff. Short of doing that, organizations should recognize that mobile devices frequently get lost or stolen, so there should be heightened security controls when PHI is accessible on these devices.
Several cases involved failing to provide timely notice or to act promptly after problems were discovered. In politics, it’s often not the scandal, but the coverup that fells politicians. In the world of HIPAA, it’s often not the incident, but the response that leads to organizations being penalized.
The General Data Protection Regulation (GDPR) is one of the world’s strictest data privacy laws and requires privacy professionals around the globe to design and implement comprehensive compliance programs. In the past year, I developed a series of resources and training courses to assist privacy professionals with this complex task.
200+ pages of the GDPR summarized into 1 page! Download it for free here. This one page visual summary of GDPR will help you and your workforce understand many of the key elements associated with this law including Territorial Scope, Lawful Processing, Rights of Data Subjects, Enforcement and more.
I created a new highly-interactive version of the GDPR Whiteboard (~5 mins) — a computer-based module that can readily be used on internal websites to raise awareness and teach basic information about GDPR. It can also be used in a learning management system (LMS)
The GDPR Interactive Whiteboard adds a new level of engagement to the analog GDPR Whiteboard. and can be used in tandem with the analog version or in lieu of it.
A Guide to GDPR Training will answer many of your questions about implementing workforce privacy awareness training.
The GDPR mandates that all staff “involved in the processing operations” receive privacy awareness training. In general, the Data Protection Officer (DPO) is tasked with ensuring that all training requirements have been fulfilled. A comprehensive GDPR training program should include:
basic privacy awareness training for your general workforce
advanced training for personnel who need more detailed knowledge of GDPR
role-based training specific to an individual’s job function.
I have several training courses to help organizations meet the GDPR requirements, such as the ones below plus courses on Privacy by Design, vendor management, risk and trust, and other important privacy topics.
This course provides an overview of the GDPR. It also explains the importance of GDPR compliance and the severe penalties that may be imposed for non-compliance. It is suitable for both lawyers and non-lawyers . This course can also be offered in conjunction with other courses in our series – Privacy Shield and European Union Privacy Law.
Data Controllers and Data Processors
Rights and Responsibilities
International Data Transfer
Rights and Responsibilities Transparency
Purpose Specification and Minimization
Right to Erasure
Right to Data Portability
Data Protection by Design
Data Protection Impact Assessments
Record of Data Processing Activities
Data Breach Notification
This course (~20 minutes or 30 minutes) is designed to provide basic privacy awareness to the workforce of global organizations. I updated this program for GDPR. The course focuses on three main issues:
Why is privacy important?
What is personal data?
How do we protect privacy?
The Purpose of this Training Personal Data
People Care About Privacy
Why We Protect Personal Data Respect
What is Personal Data? Identifying Personal Data or PII
Data Collection Lawful Basis
Data Collection Limitation
Data Handling and Processing Limited Access
Use of Personal Data Purpose Specification
Individual Knowledge and Participation Notice
Access and Correction
Right to Erasure
Right to Data Portability
Transfer and Sharing of Data International Transfers of Data
Sharing Data with Third Parties
Accountability Privacy by Design
Ask the Privacy Office
For multinational organizations in an increasingly global economy, privacy law compliance can be bewildering these days. There is a tangle of international privacy laws of all shapes and sizes, with strict new laws popping up at a staggering speed. Federal US law continues to fade in its influence, with laws and regulators from abroad taking the lead role in guiding the practices of multinational organizations. These days, it is the new General Data Protection Regulation (GDPR) from the EU that has been the focus of privacy professionals’ days and nights . . . and even dreams.
As formidable as the GDPR is, only aiming to comply with the GDPR will be insufficient for a worldwide privacy compliance strategy. True, the GDPR is one of the strictest privacy laws in the world, but countries around the world have other very strict laws. The bottom line is that international privacy compliance is incredibly hard.
This is what Lothar Determann focuses on. For nearly 20 years, Determann has combined scholarship and legal practice. In addition to being a partner at Baker & McKenzie, Lothar has taught data privacy law at many schools including Freie Universität Berlin, UC Berkeley School of Law, Hastings College of the Law, Stanford Law School, and University of San Francisco School of Law. He has written more than 100 articles and 5 books, including a treatise about California Privacy Law.
Hot off the press is the new third edition of Lothar Determann’s terrific guide, Determann’s Field Guide to Data Privacy Law: International Corporate Compliance. Determann has produced an incredibly useful synthesis of privacy law from around the globe. Covering so many divergent international privacy laws could take thousands of pages, but Determann’s guide is remarkably concise and practical. With great command of the laws and decades of seasoned experience, Determann finds the common ground and the wisest approaches to compliance. This is definitely an essential reference for anyone who must navigate privacy challenges in the global economy.
According to a recent Ponemon Institute study, the odds of an organization having a data breach are 1 in 4. The study also found that the average cost of a data breach is $3.62 million in 2017. That’s a drop of 10%, but the size of data breaches has increased.
The Human Problem
The vast majority of information security incidents and data breaches occur because of human mistakes. Information security is only in small part a technology problem; it is largely a human problem. The biggest risks to security are human errors — people putting data where it doesn’t belong, people not following policies, people losing portable electronic devices with data on them, people falling for phishing and social engineering schemes.
Having a robust technical cybersecurity infrastructure is very important, but it alone isn’t enough. A recent Harvard Business Review article by Dante Disparte and Chris Furlow reinforces this point quite well. “Firms can be lulled into a dangerous state of complacency by their defensive technologies, firewalls, and assurances of perfect cyber hygiene. The danger is in thinking that these risks can be perfectly ‘managed’ through some sort of comprehensive defense system. It’s better to assume your defenses will be breached and to train your people in what to do when that happens.”
The Human Answer
In addition to technology, effectively preventing and dealing with data breaches involves humans. The problem is the humans, but so is the answer.
According to the Ponemon study, there were significant data breach cost reductions for having an incident response team, extensively using encryption, and engaging in workforce training.