Privacy and Security Training: Why Train? What Is Effective?

by Daniel J. Solove

I recently presented at the ABA Antitrust Spring Meeting about privacy and data security training on a panel called “Compliance Tools for In-House Chief Privacy Officers.” I discussed why all organizations should have privacy training and what makes privacy training effective. I thought I’d share with you the gist of my talk.

Why Train?

The short answer – an ounce of prevention is worth a pound of cure. Privacy and security incidents can leave gaping wounds, and training can reduce the risk.

There are several types of harm that emerge from a privacy or security incident: damage to the organization’s reputation, financial harms (costly litigation, large damage awards, and expensive and burdensome notification requirements), lost time and resources, harm to clients, customers, and employees, soured relationships and lost trust, and regulatory consequences. According to a Ponemon Institute study, the average cost of a data security incident is more than $7 million. Agencies such as HHS and the FTC are stepping up enforcement, and penalties can be big. Fines for HIPAA violations can go up to $1.5 million per provision of HIPAA violated, and FTC settlements can require auditing of companies for 20 years!

Training reduces the risk of an incident because many incidents are the product of a human mishap. A review of the thousands of reported privacy and security incidents across many industries has revealed a common theme. A sizeable majority of incidents happen because of a lack of guidance and awareness about privacy and security. An article in the Wall Street Journal aptly said that an organization’s biggest data security risk is “you.” Data security is not just a technical problem but a human problem.

What Makes Training Effective?

Corporate training is typically a moribund process of clicking dull slideshows on a computer screen. It often consists of telling people a bunch of rules which they promptly forget. Training often doesn’t focus on what people need to know to do their jobs. Information is thrown at learners, such as statute titles and dates of passage, but this has little value.

So what does work? Training should be short and memorable. People have short attention spans – even the smartest of learners can only retain a few key points.

Key points must be emphasized and reinforced. A common mistake is for training programs to get bogged down in minor details that aren’t essential. The most effective teaching gets learners to recognize and retain the most important information.

Training should use the time-tested tools of effective education: stories and interaction. Merely stating rules in the abstract doesn’t work at all. Interaction is also key, because people learn better when they are active rather than passive. Of course, information must be conveyed, and so there must be some lecture component, but there should also be some interactivity.

People learn in different ways. Some people learn well by listening. Others need visual stimulation. For example, I’m a visual learner. I remember concepts better when combined with images. Images linked to concepts stick better in my mind.

Some degree of variation can enhance learning. I’ve seen training materials where everything looks the same. It is great for consistency, but not for learning, because everything blends together. We remember most what is distinctive. For example, think of what you remember most from your classes in school. Was it the ordinary day that you experienced day in, day out? Or was it the special classes, such as field trips or days when special things were brought into class?

Training should make you think and make you care. People should not just be told what to do and what not to do. Good education demonstrates why it all matters and why people should care. As a law professor, I know that reciting rules to students is not really teaching them. They need to learn why the rules matter. They need to learn the purpose of the rules and see how they work in real situations. They need to care about the rules.


Standard multiple choice questions do not need to be boring and unmemorable. A common pedagogical mistake in most training is failing to use the questions as teaching tools. The questions should do more than just test knowledge. They should teach and reinforce knowledge. Questions thus need to be engaging and distinctive. They need to teach, not just test.

Consider the two methods below of asking a question about passwords.

Here’s the first. The regular question is dull and forgettable and forgoes any opportunity to reinforce knowledge.

[Image: Privacy and Security Training]

Here’s the question re-designed. The drag-and-drop question is distinctive. It has a unique style, a vividness that people should remember.

[Image: Security Training]

Regardless of whether the learner gets the question right or wrong, short feedback should be provided to reinforce the knowledge. The information should be reinforced in visual and auditory ways, and some degree of repetition is important. Where possible, lessons should be embodied in characters and stories.

[Image: Data Security Training]

Below is another example of how training can be made more active and memorable. This is a true/false question about whether PHI can be used for marketing without a patient’s consent under HIPAA. Instead of asking this in the abstract, the question tells a story. The learner must drag the correct syringe to the arm, and when the user does so, the person says “ouch.” This more engaging design is more memorable than a mere question.

[Image: HIPAA Training]

* * * *

This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 600,000 followers.

