SAI Global Privacy and Security Training Review


Nymity's Independent Privacy Solutions Review provides an unbiased assessment of the legal and privacy benefits of SAI Global Privacy and Security online training.

Compliance: Training Employees on Privacy and Security

Privacy Law

A number of Federal and state laws include provisions that create obligations for organizations to train employees.

An example of a federal law containing a requirement for training is the Health Insurance Portability and Accountability Act ("HIPAA"). The HIPAA Security and Privacy Rule § 164.530 (b)(1) requires that "A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart, as necessary and appropriate for the members of the workforce to carry out their function within the covered entity". The Fair Credit Reporting Act in § 1681h(c) requires that "Any consumer reporting agency shall provide trained personnel to explain to the consumer any information furnished to him pursuant to section 1681g of this title".

The Federal Trade Commission can initiate an investigation of a violation of the FTC Act. In ELI LILLY AND COMPANY the FTC ordered the company to "identify(ing) reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of personal information, including any such risks posed by lack of training, and addressing these risks in each relevant area of its operations, whether performed by employees or agents, including: (i) management and training of personnel; (ii) information systems for the processing, storage, transmission, or disposal of personal information; and (iii) prevention and response to attacks, intrusions, unauthorized access, or other information systems failures". For the five years following the Order the company is to make available to the FTC, upon request, a print or electronic copy of all documents relating to compliance with the Order, which includes any training materials.

Examples of state laws that contain specific training requirements include:
  • Oregon’s Consumer Identity Theft Protection Act - Section 646A.622(2) - Conduct deemed to comply with the requirement includes this training provision: ‘(iv) Trains and manages employees in the security program practices and procedures’;
  • Massachusetts’ 201 CMR 17.00 Standards for The Protection of Personal Information of Residents of the Commonwealth includes training provisions in 17.03(3)(2)(a) "ongoing employee (including temporary and contract employee) training" and in 17.04(8) "Education and training of employees on the proper use of the computer security system and the importance of personal information security";
  • North Carolina's Identity Theft Protection Act in Section 75-64(f) provides that "any damages assessed against a business because of the acts or omissions of its nonmanagerial employees shall not be trebled as provided in G.S. 75‑16 unless the business was negligent in the training, supervision, or monitoring of those employees";
  • California's "Shine the Light Law" s.1798.83(b) requires all agents and managers who directly supervise employees to instruct those employees that customers who inquire about the business's privacy practices or the business's compliance with this section shall be informed of the designated addresses or numbers, or the means to obtain the addresses or numbers.
In addition to Federal and state laws, industry codes also contain requirements for training. The Payment Card Industry - Data Security Standard ("PCI-DSS") includes the following requirements:
  • 12.6.1 Educate employees upon hire and at least annually;
  • 12.6.2 Require employees to acknowledge at least annually that they have read and understood the company’s security policy and procedures.
The Generally Accepted Privacy Principles, published by the American Institute of Certified Public Accountants, require in Principle 1.1.1 that companies educate and train internal personnel (initially and periodically) who have access to personal information or are charged with the security of personal information about privacy and security concepts and issues, and promote ongoing awareness.

Compliance with Security Codes

Not only do privacy laws mandate training, so do security codes like the Payment Card Industry Data Security Standard (PCI-DSS), which states "All employees should be aware of the sensitivity of data and their responsibilities for protecting it."

Another example is the Canadian Institute of Chartered Accountants Generally Accepted Privacy Principles (GAPP) requirement to "Educate and train internal personnel (initially and periodically) who have access to personal information or are charged with the security of personal information about privacy and security concepts, and issues; and promotes ongoing awareness".

In Canada, training on privacy and security is a legislative requirement and mandated in security codes.

Training Demonstrates Compliance

Demonstrating an effective privacy and security training program is important when an organization is involved in a complaint investigation. Not only does it show compliance; in incidents related to customer disputes, the training becomes part of the company's defense. If an individual files a complaint against your organization regarding one of your employees and makes claims that are counter to your policy, the Commissioner's office will look at your training materials and check whether the employee in question was trained. If the employee was trained on the policy and states that he/she followed the policy, the Commissioner's office is likely to side with your organization over the complainant, as there is evidence to back your claims. Privacy and security training demonstrates compliance.

SAI Global Privacy and Security Training Privacy Review

SAI Global provides a suite of information security and privacy training offerings. Each offering is designed to eliminate privacy and security breaches and ensure an organization's compliance. SAI Global was one of the first to recognize the shortcomings of training programs based on privacy principles, or focused strictly on compliance with laws. This approach often has unexpected results and can be ineffective in eliminating breaches. For training to work, SAI Global recognized that it must focus on the common business practices in which employees handle personal information; some call this scenario-based training.

Training is a Challenge

“Training is perhaps the single greatest challenge of PIPEDA compliance, particularly with large and varied customer-facing channels – a lot rests on the shoulders of the front lines. Training is never complete – it must be an ongoing process.”

Major Telecommunication Firm


“Training should be the foundation of a company’s entire compliance program. Creating privacy policy is the easy part. The real challenge is ensuring that your company and employees live by it.”

Top 10 Bank


“The key thing is to understand what questions and concerns might be raised by individuals when dealing with your organization. Once you identify that, ensure your front line staff is trained to handle these concerns.”

Credit Reporting Agency


Culture of Privacy


In SAI Global scenario-based training, employees learn from common scenarios, allowing them to easily apply their knowledge to their own area of business operations. This approach creates an understanding of the importance of handling personal information in a secure manner, reporting incidents of privacy breaches and dealing with situations before they escalate into a major problem. SAI Global privacy and security training helps organizations build a culture of privacy.

SAI solutions are fully customizable, measurable and already translated into French and English. Courses include:
  • For Your Eyes Only – this core course reflects the latest standards and best practices
  • Investigating Information Security at Work – a scenario-driven course that brings the subject to life through a strong story line
  • Physical Security – stresses the individual’s responsibility in protecting the organization from unauthorized access
  • PCI DSS – communicates the purpose of the Payment Card Industry Data Security Standard
  • InfoSec Moments – high-impact, short video vignettes that are easy to deploy and access – available in a variety of topics including Confidential Information (via blogging, talking to friends, and talking in public places) and Copyright Compliance
  • Handle with Care – reflects global best practices and can be tailored by geography, language and job role

SAI Global - Privacy & Security Training Privacy ROI

To calculate SAI Global's Privacy Return on Investment (Privacy ROI), an organization must calculate the cost of creating and deploying an effective training program in-house and compare it to the cost of SAI Global's offering. Also, an organization must assess the risks of creating an in-house program that does not apply the advanced techniques available from SAI Global. Based on this evaluation the Privacy ROI can be established.

In-house Training - Costs

If an organization has the web-based infrastructure to deliver online training, then the costs would be calculated based on the time to develop, test and deploy an effective training program. It can be difficult for a non-training organization to create the content of an effective privacy and security program, because the tendency is to focus on policies and principles. It may seem simple, but in practice it is quite difficult. It takes many years of prototyping and testing to create a program of the calibre of SAI Global's offering. Also, an organization wants an efficient program that minimizes the time employees spend completing training. For example, if an organization uses a SAI program that takes five minutes less time than an in-house program, the company will save thousands of dollars.

If the organization doesn't have in-house web-based training infrastructure, it would have to use presentations and other mechanisms to deliver the training. Often, organizations find this cost prohibitive and they typically end up with a scaled-back training program, which results in a higher probability of a privacy breach and non-compliance.

Risk of not Training

If compliance is a concern, or eliminating privacy breaches is a priority, training is not optional for an organization. It must be implemented and maintained. But there is a payback, as training programs:
  • demonstrate due diligence in an investigation
  • provide evidence to support an organization's claims
  • ensure compliance, and
  • most importantly, eliminate costly privacy and security breaches.
