CIO

Data privacy: What your employees don’t know but should

Employees tend to have significant gaps in their data privacy awareness, particularly about the data handling requirements of regulations like the GDPR and EU-U.S. Privacy Shield.

What do employees in your organization understand about security, data privacy, and compliance? According to a recent report from Bothell, Wash.-based MediaPro, perhaps not as much as they should. With data privacy fast becoming a hot-button issue, and the European Union's General Data Protection Regulation (GDPR) right around the corner, what your employees don’t know about handling data at your company could burn you.

The news isn’t all bad. In general, U.S.-based employees are proficient at identifying sensitive and private documents, and understand whether such data should be destroyed or securely stored. But they struggle with privacy regulations (particularly the GDPR and the EU-U.S. Privacy Shield), as well as handling sensitive data in their personal and professional lives.

In October of last year, MediaPro, a specialist in security awareness, privacy awareness and compliance training, surveyed 1,007 U.S. residents about data privacy best practices and regulations. MediaPro asked participants what they would do in five real-life scenarios that could play out in nearly any corporate office across the country. MediaPro collected the results in its 2018 Eye on Privacy Report, released earlier this year.

"With these survey results and the surprisingly low levels of privacy and security awareness found in our recent 2017 State of Privacy and Security Awareness Report, companies need to take these topics more seriously leading into 2018," says Steve Conrad, managing director of MediaPro. "The 2018 Eye on Privacy Report shows companies could be doing a better job educating their employees about how to handle sensitive data. It's time to stop playing with fire when it comes to data privacy — before it's too late."

Here’s how employees fared on MediaPro’s survey — and advice on what steps to take to ensure your end users know how to properly address data issues in the workplace.

National and global privacy regulations

One area of concern for many CIOs should be employee knowledge of national and global privacy regulations.

Respondents showed the most awareness of the Health Insurance Portability and Accountability Act (HIPAA), which regulates the security of protected health information of U.S. residents. The report found that HIPAA was "completely new" to 21 percent of respondents. Thirty-four percent knew the basics but didn't consider themselves experts, and 18 percent said they "know a lot." Of course, familiarity varied by industry. Healthcare industry respondents were much more familiar with HIPAA regulations: 54 percent of them said they knew a great deal about HIPAA.

But when it comes to regulations like the GDPR, which the EU will begin to enforce on May 25, the picture is very different. Fully 59 percent of respondents said the GDPR was completely new to them. Twenty-four percent had heard of the regulation but acknowledged there's more to know, 13 percent said they knew the basics and four percent considered themselves experts.

That should be of special concern to CIOs, because the EU has given the GDPR significant teeth: Fines for non-compliance could total 4 percent of your organization's annual global turnover, or $27 million, whichever is greater.

"GDPR in itself, because it's not gone live yet and because there's a lot of pieces of it that are vague, people are having a hard time putting context around it," says Colleen Huber, a product manager at MediaPro. "It requires a cross-functional approach. You really do have to understand on a big scale what you need to do to comply with it."

Among surveyed employees, much less is known about the EU-U.S. Privacy Shield regulation, which is a legal framework for transatlantic data sharing between organizations and companies in the U.S. and the EU. Sixty-three percent of respondents said the Privacy Shield was completely new to them, and only 23 percent said they knew the basics. Respondents working for some form of government were the least likely to be aware of the Privacy Shield: 76 percent said the framework was completely new to them.

Huber stresses that it's essential that organizations seek to contextualize regulations for employees.

"Your policies, procedures, awareness and training programs need to be relevant and direct to the end users," she says. "You need to put these regulations in terms everyone can understand. It's about making sure you're doing the right thing with personal information, abiding by the highest global standards for privacy. In a lot of cases, employees don't really know what that looks like."

Sensitive and private documents

MediaPro asked respondents to take one of three actions — post to social media, destroy in a secure shredder, or secure in a locked drawer — when presented with examples of documents and information commonly found in an office environment.

MediaPro found respondents to have a general grasp of which action to take depending on the information. For instance, most respondents chose to either destroy an old password hint and an ex-employee tax form from three decades ago in a secure shredder (75 percent and 74 percent respectively), or keep them in a locked drawer (22 percent and 24 percent, respectively).

"In general, it's really great to see that people either lock something in a drawer or shred something securely," Huber says. "The only two pieces of information that they chose to post to social media were things that they could post to social media."

Huber says the more context employees have, the better they are at correctly determining how documents and information should be dealt with.

"Make sure your employees know the full context of the information," Huber says. "Make sure they understand the types of documents that are sensitive, but also what information is in that document and what consequence a breach of that information could have to the end user."

Granting access to third-party applications

When it comes to granting third-party applications permissions, the results strongly correlated to age. Respondents age 55 and greater said they answer "never" to an app permission request 59 percent of the time. Respondents in the ages 35-54 group said they answer "never" 52 percent of the time. And respondents in the 18-34 range said they answer "never" 42 percent of the time.

Across all age groups, respondents were most protective of their text messages: 68 percent of respondents said they "never" grant third-party applications permission to read their text messages. Respondents were also protective of their contacts, browser history and their SD card contents (58 percent, 56 percent, and 56 percent, respectively, said they would never give third-party apps permission to read/modify or access).

But respondents were much more comfortable with other permissions:

  • 68 percent said they "sometimes" grant third-party apps permission to report precise location via GPS and/or network data; nine percent said they "always" grant permission
  • 50 percent said they "sometimes" grant permission to access device location even when the app is not running; seven percent said they "always" grant permission.
  • 48 percent said they "sometimes" grant permission to record audio; seven percent said they "always" grant permission
  • 48 percent said they "sometimes" grant permission to add or modify calendar events; seven percent said they "always" do
  • 54 percent said they "sometimes" grant permission to take pictures and record video; 15 percent said they "always" do

Huber notes that understanding the consequences of permissions is especially important because mobile devices invariably contain a blend of personal information and business information.

"When they're giving access to information like, say, their contacts, it's important that your training, best practices, all of that stuff covers all of the ramifications of what would happen if something happens to that device," Huber says.

Huber also suggests profiling employees by age, and giving them training tailored to their needs.

Sensitivity of specific types of information

When asked to rate eight types of information according to their sensitivity on a scale of 0 to 5 (with 5 being most sensitive), respondents agreed that Social Security numbers were the most sensitive: 89 percent ranked them a 5 and six percent ranked them a 4. Credit card information was also held to be sensitive: 76 percent ranked it a 5 and 19 percent ranked it a 4. Similarly, 71 percent of respondents ranked tax information a 5 and 19 percent ranked it a 5. Respondents considered social media information the least sensitive type of information: 58 percent ranked social media posts a 0 or 1.

Respondents were much more sanguine about other types of information:

  • Only 53 percent of respondents rated medical records a 5, while 28 percent rated it a 4.
  • 28 percent of respondents rated work emails a 5, 39 percent rated them a 4.
  • 10 percent rated their browser history a 5, while 31 percent rated it a 4.

Notably, financial sector employees didn't tend to rate tax information as more sensitive than employees of other industries: 57 percent of finance sector employees rated tax information a 5, compared with 73 percent of respondents from all other industries.

Reporting potential privacy incidents

MediaPro presented respondents with eight likely scenarios in an average work environment and asked them if they were reportable privacy incidents that could result in the violation of federal, state, local, or company policies regarding the handling of sensitive or private information. The survey asked respondents if they would report, not report, or were unsure about what to do.

The survey found respondents were generally able to correctly determine which scenarios required reporting and which did not. For instance, 83 percent of respondents correctly determined that finding sensitive information lying in view near a printer was a reportable incident.

Surprisingly, while 91 percent of respondents correctly noted that they should report learning that a cybercriminal had stolen the names, addresses, and birth dates of several clients, eight percent were not sure and two percent chose "do not report."

Notably, after breaking down the responses by industry, MediaPro found that technology sector employees were the least likely to correctly identify reportable incidents. Only 82 percent of technology sector respondents said discovering that a cybercriminal had stolen sensitive client information was a reportable incident.

Related data privacy and security articles: