With the impacts and repercussions of the looming California Consumer Privacy Act (CCPA) on the minds of many privacy professionals, new research from MediaPRO shows more work is needed to train U.S. employees of this first-of-its-kind privacy regulation.
MediaPRO’s 2019 Eye on Privacy Report reveals 46% of U.S. employees have never heard of the CCPA, which sets specific requirements for the management of consumer data for companies handling the personal data of California residents.
Passed last year and going into effect in January 2020, the CCPA has been referred to as a U.S. General Data Protection Regulation (GDPR) for its scope and focus on data rights. Privacy experts expect the law to apply to more than 500,000 U.S. companies. The 2019 Eye on Privacy Report findings suggest that raising employee awareness should play a key role in preparing for this new regulation.
Data Privacy and the Public
The CCPA awareness findings come from MediaPRO’s 2019 Eye on Privacy Report, a survey of more than 1,000 U.S.-based employees. The survey tested knowledge on data privacy best practices and privacy regulations in addition to gauging opinions on a variety of different privacy topics.
The survey presented participants with questions concerning when to report potential privacy incidents, what qualifies as sensitive data, how comfortable respondents were with mobile device apps having specific permissions, and the most serious threats to the security of sensitive data.
Additional findings from the report include:
- 58% of employees said they had never heard of the PCI Standard, a global set of payment card industry (PCI) guidelines that govern how credit card information is handled.
- 12% of employees said they were unsure if they should report a cybercriminal stealing sensitive client data while at work.
- Technology sector employees were least likely to identify and prioritize the most sensitive information. For example, 73% of those in the tech sector ranked Social Security numbers as most sensitive, compared to 88% of employees in all other industries ranking this type of data as most sensitive.
- Employees were more comfortable with a mobile device app tracking their device’s location than with an app accessing contact and browser information, being able to take pictures and video, and posting to social media.
- Employees were unsure about whether IT staff installing monitoring software on work computers should be reported as a threat to sensitive data: 35% said yes, 35% said no, 30% were unsure.
- Theft of login credentials was considered the most serious threat to sensitive data, with disgruntled employees stealing data and phishing emails coming next.
The findings give weight to the vital role employees play in a strong data privacy posture and the continuing need for privacy awareness training in protecting sensitive information. Working toward a “business-as-usual” approach to data privacy, with best practices embedded into all employee actions, is increasingly becoming a must for companies of all sizes.
“We’re at a pivotal time in history for privacy, and more people than ever are paying attention to privacy and data protection,” MediaPRO’s Chief Learning Officer Tom Pendergast said. “Some of our survey results might make you think that people are starting to get it—but until everybody gets it, we in the privacy profession really can’t rest. In today’s world, protecting personal information really is everyone’s responsibility, and that’s why it’s up to us to champion year-round privacy awareness training programs that aim to create a risk-aware culture.”
Click here to download the full report.
MediaPRO used an online survey-response-gathering tool to survey 1,004 U.S. employees on their knowledge and opinions concerning data privacy best practices, corporate data protection policies, and both national and global regulations. All respondents were based in the U.S., 18 years or older, and employed. The survey asked both opinion-based and scenario-based questions in which respondents were asked to choose the best option. Each question dealt with a different aspect of data privacy knowledge or a privacy best practice. The survey was conducted in April 2019.