Privacy and Security Training Requirements
by Daniel J. Solove
Many laws, regulations, and industry codes require privacy awareness training and/or data security awareness training. Here is a list of a number of these requirements:
FEDERAL LAWS AND REGULATIONS
• HIPAA
• GLBA
• FISMA
• FTC Red Flags Rule
STATE LAWS AND REGULATIONS
• Texas Health Privacy Law
• Massachusetts Data Security Law
INDUSTRY CODES
• PCI DSS
STANDARDS
• NIST 800-53
• ISO/IEC 27002
INTERNATIONAL LAWS
• US-EU Safe Harbor Arrangement
• Canada’s PIPEDA
Below is a brief description of each requirement with excerpts of the relevant provisions:
HIPAA Privacy and Security Rules
HIPAA’s Privacy and Security Rules have extensive training requirements. The Privacy Rule requires a covered entity to train all workforce members on its policies and procedures with respect to PHI. Each new workforce member must be trained within a reasonable period of time after joining the workforce, and workforce members whose functions are affected by a material change in policies or procedures must be retrained within a reasonable time after the change takes effect. The training must be documented, and under § 164.530(j) that documentation must be retained for six years. Separately, the Security Rule requires covered entities and business associates to implement a security awareness and training program for all workforce members, including management. Security reminders (periodic security updates) are an addressable implementation specification of that standard: the entity must either implement them or document why an alternative measure is reasonable and appropriate.
Policies and Procedures Training Requirements
45 CFR § 164.530(b)(1)
45 CFR § 164.530 Administrative requirements.
(b) (1) Standard: Training. A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.
(2) Implementation specifications: Training.
(i) A covered entity must provide training that meets the requirements of paragraph (b)(1) of this section, as follows:
(A) To each member of the covered entity’s workforce by no later than the compliance date for the covered entity;
(B) Thereafter, to each new member of the workforce within a reasonable period of time after the person joins the covered entity’s workforce; and
(C) To each member of the covered entity’s workforce whose functions are affected by a material change in the policies or procedures required by this subpart or subpart D of this part, within a reasonable period of time after the material change becomes effective in accordance with paragraph (i) of this section.
(ii) A covered entity must document that the training as described in paragraph (b)(2)(i) of this section has been provided, as required by paragraph (j) of this section.
Security Awareness Training Requirements
45 CFR § 164.308(a)(5)
45 CFR § 164.308 Administrative safeguards
(a) A covered entity or business associate must, in accordance with § 164.306:
(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations. . . .
(5)(i) Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).
(ii) Implementation specifications. Implement . . . (A) Security reminders (Addressable). Periodic security updates.
Gramm-Leach-Bliley Act (GLBA)
Training under GLBA arises from its Safeguards Rule. For non-bank financial institutions under FTC jurisdiction, the FTC’s Safeguards Rule, 16 CFR 314.4, lists “employee training and management” as one of the risk areas the required risk assessment must cover, but it does not prescribe the content or frequency of training. The interagency guidance issued by the federal banking agencies is more specific, recommending that institutions: “Train staff to recognize and respond to schemes to commit fraud or identity theft, such as guarding against pretext calling; Provide staff members responsible for building or maintaining computer systems and local and wide-area networks with adequate training, including instruction about computer security; and Train staff to properly dispose of customer information.”
GLBA Safeguards Rule, 16 CFR 314.4
(b) Identify reasonably foreseeable internal and external risks . . . including (1) Employee training and management.
Payment Card Industry Data Security Standard (PCI-DSS)
PCI-DSS is an industry standard maintained by the PCI Security Standards Council, which was founded by the major payment card brands. It contains several requirements on security awareness training (it is a data security standard and does not address privacy training as such). Note that the items below that begin “Verify ...” are the standard’s testing procedures, that is, what an assessor checks, rather than the requirement text itself, and that requirement numbering shifts between versions (for example, incident-response training is 12.9.4 in v2.0 and 12.10.4 in v3.x).
PCI-DSS 12.6 – Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.
PCI-DSS 12.6.1 – Educate personnel upon hire and at least annually.
PCI-DSS 12.6.1.a – Verify that the security awareness program provides multiple methods of communicating awareness and educating personnel (for example, posters, letters, memos, web based training, meetings, and promotions).
PCI-DSS 12.6.1.b – Verify that personnel attend awareness training upon hire and at least annually.
PCI-DSS 12.6.2 – Verify that the security awareness program requires personnel to acknowledge, in writing or electronically, at least annually that they have read and understand the information security policy.
PCI-DSS 12.9.4 – Verify through observation and review of policies that staff with responsibilities for security breach response are periodically trained.
FACTA – FTC Red Flags Rule
Under FACTA (the Fair and Accurate Credit Transactions Act of 2003), which amended the Fair Credit Reporting Act, the FTC established the Red Flags Rule, which requires training as part of a written Identity Theft Prevention Program. See 16 CFR 681.1(d)-(e). Staff should be trained on the red flags relevant to the organization’s covered accounts and on any other aspect of the Program they need to know to carry it out effectively.
16 CFR 681.1 – Duties regarding the detection, prevention, and mitigation of identity theft
(d) Establishment of an Identity Theft Prevention Program—
(1) Program requirement. Each financial institution or creditor that offers or maintains one or more covered accounts must develop and implement a written Identity Theft Prevention Program (Program) that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.
(e) Administration of the Program. Each financial institution or creditor that is required to implement a Program must provide for the continued administration of the Program and must:
. . .
(3) Train staff, as necessary, to effectively implement the Program . . . .
Texas Health Privacy Law
Section 181.101 of the Texas Health and Safety Code, added by HB 300 (2011) and amended by HB 1609 (effective June 14, 2013), requires training on both the state’s law and HIPAA. It is one of the few state health privacy laws that mandates training about the state’s own statute, and it is unusual in also requiring a signed statement of completion with a six-year retention period. Penalties for violating the Texas law are comparable in scale to HIPAA’s and can be substantial.
Section 181.101. Training Required
(a) Each covered entity shall provide training to employees of the covered entity regarding the state and federal law concerning protected health information as necessary and appropriate for the employees to carry out their duties for the covered entity.
(b) An employee of a covered entity must complete training described by Subsection (a) not later than the 90th day after the date the employee is hired by the covered entity.
(c) If the duties of an employee of a covered entity are affected by a material change in state or federal law concerning protected health information, the employee shall receive training described by Subsection (a) within a reasonable period, not to exceed one year, after the material change becomes effective.
(d) A covered entity shall require an employee of the entity who is trained as described by Subsection (a) to sign, electronically or in writing, a statement verifying the employee’s completion of training. The covered entity shall maintain the signed statement for six years.
Massachusetts Data Security Law
Massachusetts’s data security regulation, 201 CMR 17.00, makes employee training a mandatory element of the comprehensive written information security program that every person who owns or licenses personal information about a Massachusetts resident must maintain. Training should address reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper, or other records containing personal information, and 17.04(8) separately requires educating employees on the proper use of the computer security system. Training must be “ongoing” and must cover not only permanent employees but also temporary and contract employees.
201 CMR 17.03: Duty to Protect and Standards for Protecting Personal Information
(1) Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program. . . .
(2) Without limiting the generality of the foregoing, every comprehensive information security program shall include, but shall not be limited to:
(b) Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, including but not limited to: 1. ongoing employee (including temporary and contract employee) training . . . .
17.04: Computer System Security Requirements
Every person that owns or licenses personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, and to the extent technically feasible, shall have the following elements: . . .
(8) Education and training of employees on the proper use of the computer security system and the importance of personal information security.
Federal Information Security Management Act (FISMA)
FISMA, 44 U.S.C. § 3544 (recodified, with the same training language, at 44 U.S.C. § 3554 by the Federal Information Security Modernization Act of 2014), requires each federal agency to include security awareness training in its agency-wide information security program. The training must reach contractors and “other users of information systems” that support the agency’s operations and assets, and it must cover the information security risks associated with each person’s activities and their responsibilities for complying with the agency policies and procedures designed to reduce those risks.
(b) Agency program.–Each agency shall develop, document, and implement an agencywide information security program . . . to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source, that includes—
(4) security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency, of—
(A) information security risks associated with their activities; and
(B) their responsibilities in complying with agency policies and procedures designed to reduce these risks;
US-EU Safe Harbor Arrangement
Self-certification to the Department of Commerce under Safe Harbor requires verification, either by self-assessment or by an outside compliance review, that among other things employee training is in place. There is little guidance on the specifics of such training, but it should logically focus on ensuring compliance with the Safe Harbor Privacy Principles.
The US DOC states in its Safe Harbor Workbook that:
Under the self-assessment approach, verification would indicate that an organization’s published Safe Harbor privacy policy is accurate, comprehensive, prominently displayed, completely implemented, accessible, and conforms to the Safe Harbor Privacy Principles. It would also need to indicate that appropriate employee training, as well as internal procedures for periodic, objective reviews of compliance are in place.
The DOC guide to self-certification echoes this requirement:
Under the self-assessment approach, such verification would have to indicate that an organization’s published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It would also need to indicate that its privacy policy conforms to the Safe Harbor Principles; that individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints; that it has in place procedures for training employees in its implementation, and disciplining them for failure to follow it; and that it has in place internal procedures for periodically conducting objective reviews of compliance with the above.
ISO/IEC 27002
The International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) standard ISO/IEC 27002:2005 is one of the most widely adopted information security standards worldwide. It provides guidance on information security management and includes a control requiring that all employees, and where relevant contractors and third-party users, receive security awareness training. (In the 2013 revision, ISO/IEC 27002:2013, the same control appears as 7.2.2.)
Section 8.2.2 Information Security Awareness, Education, and Training
All employees of the organization and, where relevant, contractors and third party users should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.
NIST Special Publication 800-53
(Revision 4)
NIST 800-53 is one of the most relied-upon security control catalogs. Federal agencies are required under FISMA and FIPS 200 to select controls from it for their information systems, and regulators and auditors in other sectors frequently use it as a benchmark.
AT-1 SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
Control: The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
   1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
   2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and
b. Reviews and updates the current:
   1. Security awareness and training policy [Assignment: organization-defined frequency]; and
   2. Security awareness and training procedures [Assignment: organization-defined frequency].
Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.
Control Enhancements: None.
References: NIST Special Publications 800-12, 800-16, 800-50, 800-100.
Priority: P1. Baseline allocation: LOW AT-1; MOD AT-1; HIGH AT-1.
AT-2 SECURITY AWARENESS TRAINING
Control: The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):
a. As part of initial training for new users;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter.
Supplemental Guidance: Organizations determine the appropriate content of security awareness training and security awareness techniques based on the specific organizational requirements and the information systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques can include, for example, displaying posters, offering supplies inscribed with security reminders, generating email advisories/notices from senior organizational officials, displaying logon screen messages, and conducting information security awareness events. Related controls: AT-3, AT-4, PL-4.
Control Enhancements:
(1) SECURITY AWARENESS | PRACTICAL EXERCISES
The organization includes practical exercises in security awareness training that simulate actual cyber attacks.
Supplemental Guidance: Practical exercises may include, for example, no-notice social engineering attempts to collect information, gain unauthorized access, or simulate the adverse impact of opening malicious email attachments or invoking, via spear phishing attacks, malicious web links. Related controls: CA-2, CA-7, CP-4, IR-3.
(2) SECURITY AWARENESS | INSIDER THREAT
The organization includes security awareness training on recognizing and reporting potential indicators of insider threat.
Supplemental Guidance: Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction, attempts to gain access to information not required for job performance, unexplained access to financial resources, bullying or sexual harassment of fellow employees, workplace violence, and other serious violations of organizational policies, procedures, directives, rules, or practices. Security awareness training includes how to communicate employee and management concerns regarding potential indicators of insider threat through appropriate organizational channels in accordance with established organizational policies and procedures. Related controls: PL-4, PM-12, PS-3, PS-6.
References: C.F.R. Part 5 Subpart C (5 C.F.R. 930.301); Executive Order 13587; NIST Special Publication 800-50.
Priority: P1. Baseline allocation: LOW AT-2; MOD AT-2 (2); HIGH AT-2 (2).
AT-3 ROLE-BASED SECURITY TRAINING
Control: The organization provides role-based security training to personnel with assigned security roles and responsibilities:
a. Before authorizing access to the information system or performing assigned duties;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter.
Supplemental Guidance: Organizations determine the appropriate content of security training based on the assigned roles and responsibilities of individuals and the specific security requirements of organizations and the information systems to which personnel have authorized access. In addition, organizations provide enterprise architects, information system developers, software developers, acquisition/procurement officials, information system managers, system/network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation activities, security control assessors, and other personnel having access to system-level software, adequate security-related technical training specifically tailored for their assigned duties. Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures. Such training can include for example, policies, procedures, tools, and artifacts for the organizational security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs. Role-based security training also applies to contractors providing services to federal agencies. Related controls: AT-2, AT-4, PL-4, PS-7, SA-3, SA-12, SA-16.
Control Enhancements:
(1) SECURITY TRAINING | ENVIRONMENTAL CONTROLS
The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of environmental controls.
Supplemental Guidance: Environmental controls include, for example, fire suppression and detection devices/systems, sprinkler systems, handheld fire extinguishers, fixed fire hoses, smoke detectors, temperature/humidity, HVAC, and power within the facility. Organizations identify personnel with specific roles and responsibilities associated with environmental controls requiring specialized training. Related controls: PE-1, PE-13, PE-14, PE-15.
(2) SECURITY TRAINING | PHYSICAL SECURITY CONTROLS
The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of physical security controls.
Supplemental Guidance: Physical security controls include, for example, physical access control devices, physical intrusion alarms, monitoring/surveillance equipment, and security guards (deployment and operating procedures). Organizations identify personnel with specific roles and responsibilities associated with physical security controls requiring specialized training. Related controls: PE-2, PE-3, PE-4, PE-5.
(3) SECURITY TRAINING | PRACTICAL EXERCISES
The organization includes practical exercises in security training that reinforce training objectives.
Supplemental Guidance: Practical exercises may include, for example, security training for software developers that includes simulated cyber attacks exploiting common software vulnerabilities (e.g., buffer overflows), or spear/whale phishing attacks targeted at senior leaders/executives. These types of practical exercises help developers better understand the effects of such vulnerabilities and appreciate the need for security coding standards and processes.
(4) SECURITY TRAINING | SUSPICIOUS COMMUNICATIONS AND ANOMALOUS SYSTEM BEHAVIOR
The organization provides training to its personnel on [Assignment: organization-defined indicators of malicious code] to recognize suspicious communications and anomalous behavior in organizational information systems.
Supplemental Guidance: A well-trained workforce provides another organizational safeguard that can be employed as part of a defense-in-depth strategy to protect organizations against malicious code coming in to organizations via email or the web applications. Personnel are trained to look for indications of potentially suspicious email (e.g., receiving an unexpected email, receiving an email containing strange or poor grammar, or receiving an email from an unfamiliar sender but who appears to be from a known sponsor or contractor). Personnel are also trained on how to respond to such suspicious email or web communications (e.g., not opening attachments, not clicking on embedded web links, and checking the source of email addresses). For this process to work effectively, all organizational personnel are trained and made aware of what constitutes suspicious communications. Training personnel on how to recognize anomalous behaviors in organizational information systems can potentially provide early warning for the presence of malicious code. Recognition of such anomalous behavior by organizational personnel can supplement automated malicious code detection and protection tools and systems employed by organizations.
References: C.F.R. Part 5 Subpart C (5 C.F.R. 930.301); NIST Special Publications 800-16, 800-50.
Priority: P1. Baseline allocation: LOW AT-3; MOD AT-3; HIGH AT-3.
AT-4 SECURITY TRAINING RECORDS
Control: The organization:
a. Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and
b. Retains individual training records for [Assignment: organization-defined time period].
Supplemental Guidance: Documentation for specialized training may be maintained by individual supervisors at the option of the organization. Related controls: AT-2, AT-3, PM-14.
Control Enhancements: None.
References: None.
Priority: P3. Baseline allocation: LOW AT-4; MOD AT-4; HIGH AT-4.
NIST Special Publication 800-53
(Revision 4) Appendix J — Privacy Awareness Training
NIST 800-53 Revision 4 Appendix J specifies privacy controls, organized in families parallel to the security controls. Among these is AR-5, which covers privacy awareness and training.
AR-5 PRIVACY AWARENESS AND TRAINING
Control: The organization:
a. Develops, implements, and updates a comprehensive training and awareness strategy aimed at ensuring that personnel understand privacy responsibilities and procedures;
b. Administers basic privacy training [Assignment: organization-defined frequency, at least annually] and targeted, role-based privacy training for personnel having responsibility for personally identifiable information (PII) or for activities that involve PII [Assignment: organization-defined frequency, at least annually]; and
c. Ensures that personnel certify (manually or electronically) acceptance of responsibilities for privacy requirements [Assignment: organization-defined frequency, at least annually].
Supplemental Guidance: Through implementation of a privacy training and awareness strategy, the organization promotes a culture of privacy. Privacy training and awareness programs typically focus on broad topics, such as responsibilities under the Privacy Act of 1974 and E-Government Act of 2002 and the consequences of failing to carry out those responsibilities, how to identify new privacy risks, how to mitigate privacy risks, and how and when to report privacy incidents. Privacy training may also target data collection and use requirements identified in public notices, such as Privacy Impact Assessments (PIAs) or System of Records Notices (SORNs) for a program or information system. Specific training methods may include: (i) mandatory annual privacy awareness training; (ii) targeted, role-based training; (iii) internal privacy program websites; (iv) manuals, guides, and handbooks; (v) slide presentations; (vi) events (e.g., privacy awareness week, privacy clean-up day); (vii) posters and brochures; and (viii) email messages to all employees and contractors. Organizations update training based on changing statutory, regulatory, mission, program, business process, and information system requirements, or on the results of compliance monitoring and auditing. Where appropriate, organizations may provide privacy training as part of existing information security training. Related controls: AR-3, AT-2, AT-3, TR-1.
Control Enhancements: None.
References: The Privacy Act of 1974, 5 U.S.C. § 552a(e); Section 208, E-Government Act of 2002 (P.L. 107-347); OMB Memoranda 03-22, 07-16.
Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)
Clause 4.1.4 of Schedule 1 to PIPEDA (part of the Accountability principle), Canada’s federal private-sector privacy law, requires organizations to train staff on and communicate to staff the “organization’s policies and practices” for complying with the Act.
Principle 4.1.4
Organizations shall implement policies and practices to give effect to the principles, including . . . (c) Training staff and communicating to staff information about the organization’s policies and practices.
About Professor Solove and TeachPrivacy
This resource page was written by Professor Daniel J. Solove. Professor Solove is a law professor at George Washington University Law School and a leading expert on privacy and data security law. He has taught for 15 years and has published 10 books and more than 50 articles, including the leading textbook on information privacy law and a short guidebook on the subject. His LinkedIn blog has more than 900,000 followers.
TeachPrivacy provides privacy awareness training, information security awareness training, phishing training, HIPAA training, FERPA training, PCI training, as well as training on many other privacy and security topics. TeachPrivacy was founded by Professor Solove, who is deeply involved in the creation of all training programs because he believes that training works best when made by subject-matter experts and by people with extensive teaching experience.
Please Contact Us If You Are Interested In Privacy and Data Security Training
We can provide you with a login so you can evaluate the programs.