by Daniel J. Solove
I was recently asked whether I had a list of the various laws, regulations, and industry codes that require privacy and/or data security training. I know about a number of training requirements, but didn’t have a formal list. I realized that such a list would be useful, so I created one with the help of Joe Newman, a former student who now does some work for my company.
The PDF is here. It provides information about each requirement, citations, and quotations of the relevant provisions. Below is a summary. If there are any training requirements we missed, please let me know.
HIPAA Privacy and Security Rules
HIPAA requires a covered entity to train all workforce members on its policies and procedures with respect to PHI. Each new workforce member must be trained within a reasonable period of time after hiring. Thereafter, training must be given whenever there is a material change in policies or procedures. See 45 CFR § 164.530(b)(1).
Covered entities and business associates must provide a security awareness and training program for all workforce members. This program must include periodic security updates. See 45 CFR § 164.308(a)(5).
Gramm-Leach-Bliley Ac (GLBA)
Training under GLBA is required via its Safeguards Rule, 16 CFR 314.4. The training requirement is rather vague, but interagency guidance recommends that organizations should: “Train staff to recognize and respond to schemes to commit fraud or identity theft, such as guarding against pretext calling; Provide staff members responsible for building or maintaining computer systems and local and wide-area networks with adequate training, including instruction about computer security; and Train staff to properly dispose of customer information.”
Payment Card Industry Data Security Standards (PCI-DSS)
PCI-DSS is a code developed by the credit card industry’s PCI council. It has a number of requirements regarding privacy training.
FACTA – FTC Red Flags Rule
Under the FACTA, which amended the Fair Credit Reporting Act, the FTC established the Red Flags Rule, which requires training as part of an Identity Theft Prevention Program. See 16 CFR 681.1(d)-(e). Staff should be trained about the various red flags to look out for, and/or any other relevant aspect of the organization’s Identity Theft Prevention Program.
Texas Health Privacy Law
Texas’s Health Privacy Law, H.B. No. 300 as amended by HB 1609, § 181.101, requires training about both the state’s law and HIPAA. This law is one of the few state health laws that mandates training about the state’s own health privacy law. Additionally, it mandates training about HIPAA. Penalties for violating the Texas law are equivalent to HIPAA’s, so they are quite high.
Massachusetts Data Security Law
Massachusetts’s Data Security Law, at 201 CMR 17.03, requires training as mandatory for maintaining a comprehensive information security program. Training should focus on reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper, or other records containing personal information. Training must be “ongoing” and must be given for not only permanent employees but also temporary and contract employees.
Federal Information Security Management Act (FISMA)
FISMA, 4 U.S.C. § 3544, requires federal agencies to establish a security awareness training program. The program must include contractors and “other uses of information systems” that support the agency. The program must address information security risks and each employee’s responsibilities in complying with agency policies and procedures to minimize security risks.
EU-US Safe Harbor Arrangement
Proper training is necessary for a company to self-certify compliance with the Safe Harbor requirements to the Department of Commerce. There isn’t much guidance about the specifics of such training, but it should logically focus on ensuring compliance with the Safe Harbor principles.
The International Standards Organization (ISO)’s Information Security standard ISO/IEC 27002:2005 is one of the most frequently followed standards by organizations throughout the world. The standard provides guidance on information security management in organizations, and it contains a requirement that all employees receive data security awareness training.
Personal Information Protection and Electronic Document Act (PIPEDA)
Principle 4.1.4 of PIPEDA, Canada’s broadly-applicable privacy law, requires training about the “organization’s policies and practices” related to complying with PIPEDA.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is an “LinkedIn Influencer.” His blog has more than 600,000 followers.
If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
* Professor Solove’s LinkedIn Influencer blog
* Professor Solove’s Twitter Feed
* Professor Solove’s Newsletter