If you are looking for reasons to celebrate something with your employees, Data Privacy Day on January 28 is a good excuse.
It is well recognized that employees are a leading cause of data breaches. The breach is often relatively innocent: an email sent to the wrong address, or with the wrong attachment. It could be a lost or stolen USB storage device or laptop without proper security. Sometimes it is casual snooping in electronic files beyond the boundaries of need-to-know. It can also be a criminal act, such as the sale of sensitive information to fraudsters (as apparently occurred in cases involving CIBC and Desjardins). Employees are also susceptible to phishing scams, which can lead to diverted payments and to ransomware capable of shutting down a whole organization. Hackers go after small to mid-sized businesses as readily as large ones.
These issues affect not only the privacy of personal information but also the protection of sensitive and critical business information.
The development of an appropriately privacy-sensitive workplace culture and regular education are keys to minimizing liability, regulatory and reputational risk. Here are some tips for your “celebrations” (you can adjust these, depending on the maturity of your organization’s privacy culture):
- Privacy quiz with prizes: Hold a contest and give prizes to those who can answer basic questions the fastest, such as: who is our privacy officer or privacy team contact; what are the rules for use and security of storage devices and laptops; what should you do on receipt of a suspicious email; what should you do if you suspect unauthorized use of information; and what are the rules about video or audio recording in the workplace.
- Throw a little party but make sure you tell your employees how important they are in maintaining the privacy and security of the information they hold. Make sure they know they can raise questions and concerns. Privacy and good business principles go together.
- “Hide and Seek the Weak Link” Game:
- USB Alert (if you don't have an automatic scan of all devices): Place a handful of USB keys around the office in the week before Privacy Day, each containing only a single harmless document advising the reader to return the USB key to the IT Department. Do not rely on a pop-up message: modern operating systems block autorun from removable media, and the point of the exercise is that nothing on a found USB key should be opened at all. You should not publicly single out the employees who plug in or return the USB keys, but you can publicise the fact that you ran this test and what might have happened if the USB keys had been designed to disseminate malware.
- Phishing Alert: This game can be played with fake phishing emails as well. Design an email that looks like it might have come from a client or customer, with a link or attachment that does nothing but alert IT or record who opened it. The link should lead to a harmless internal page that explains the exercise; it should not collect passwords, and the attachment should not contain macros or executable content. Coordinate with IT beforehand, track only whether the link was followed, and report the results in aggregate rather than by name.
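One way IT could build and score the tracking links for the phishing exercise, as an added Python example that is not part of the original article: every recipient gets an unguessable random token, the token-to-name map stays with IT rather than in the email, and the landing page's web-server access log is reduced to aggregate numbers for the debrief. The internal host name, the `t` query parameter and the combined-format log lines are assumptions made for the example.

```python
"""Per-recipient tracking links for an internal phishing simulation.

Assumptions (not from the original article): the landing page lives on an
internal training host, and its web server writes one combined-format line
per hit, where the request ("GET /path?t=... HTTP/1.1") is the first
double-quoted field, as Apache and nginx do by default.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Query parameter carrying the token; hypothetical name.
TOKEN_PARAM = "t"


def build_campaign(recipients, base_url):
    """Return (link_for_recipient, recipient_for_token).

    Each recipient gets a random token, so the link reveals nothing about
    who received it and nobody can forge a click for a colleague by guessing
    a token. The token->recipient map stays with IT; only the link is mailed.
    """
    links, owners = {}, {}
    for person in recipients:
        token = secrets.token_urlsafe(16)          # 128 bits of randomness
        owners[token] = person
        links[person] = base_url + "?" + urlencode({TOKEN_PARAM: token})
    return links, owners


def token_from_request_line(line):
    """Extract the token from one access-log line, or None if there is none."""
    try:
        request = line.split('"')[1]               # GET /path?t=... HTTP/1.1
        path = request.split(" ")[1]
    except IndexError:
        return None                                # not a well-formed request line
    values = parse_qs(urlparse(path).query).get(TOKEN_PARAM)
    return values[0] if values else None


def clicks_from_log(log_lines, owners):
    """Map log lines back to recipients. Returns (clicked_set, unknown_count)."""
    clicked, unknown = set(), 0
    for line in log_lines:
        token = token_from_request_line(line)
        if token is None:
            continue                               # favicon, health checks, etc.
        if token in owners:
            clicked.add(owners[token])
        else:
            unknown += 1                           # forged, mangled or stale link
    return clicked, unknown


def summarize(recipients, clicked):
    """Aggregate figures for the all-hands debrief; no individual names."""
    total = len(recipients)
    n = len(clicked & set(recipients))
    rate = round(100 * n / total, 1) if total else 0.0
    return {"sent": total, "clicked": n, "click_rate_pct": rate}


if __name__ == "__main__":
    staff = ["alice", "bob", "carol", "dave"]      # constructed sample
    links, owners = build_campaign(
        staff, "https://training.example.internal/privacy-day")

    def hit(url):                                  # constructed log line for a click
        path = url[url.index("/privacy-day"):]
        return f'10.0.0.5 - - [28/Jan/2024:09:12:01 -0500] "GET {path} HTTP/1.1" 200 512'

    log = [hit(links["alice"]), hit(links["carol"]),
           hit("https://training.example.internal/privacy-day?t=notarealtoken"),
           '10.0.0.9 - - [28/Jan/2024:09:13:44 -0500] "GET /favicon.ico HTTP/1.1" 404 0']
    clicked, unknown = clicks_from_log(log, owners)
    print(summarize(staff, clicked), "unknown tokens:", unknown)
```

The random token is preferable to putting a name, email address or a hash of one in the URL: an address in the URL leaks who the mail went to through proxy and browser history, and a hash of a known address can simply be recomputed. Unknown tokens are counted separately so that a forwarded or mistyped link does not inflate the click rate.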
If your organization does not yet have an acceptable use policy that also addresses employee personal information, you may want to use the example in the link below for employers as a reference. Of course, each policy must appropriately reflect the organization's particular approach to device and system use, as well as its collection, use, disclosure, security and other relevant processes.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.