Businesses focusing less on data security training, despite increased risk in 2020: Shred-it report

In-house counsel must take lead role in enforcing data security measures and training

Businesses focusing less on data security training, despite increased risk in 2020: Shred-it report

Employee training in data protection measures has declined in many businesses this year, despite an increased risk of data breaches resulting from remote work, according to a new report by Shred-it.

Shred-it’s 10th anniversary edition 2020 Data Protection Report also found that businesses – and legal departments in particular – still use vast quantities of paper, which signals a need for careful oversight of physical information and its protection.

In-house counsel have a vital role to play in implementing and enforcing data protection policies and training programs, and in ensuring that a robust plan is in place to securely destroy sensitive physical documents, according to Michael Borromeo, vice president of data protection at Stericycle, the provider of Shred-it information security solutions. With COVID-19 forcing many businesses to switch to a remote working environment this year, data protection is more critical than ever, so prioritizing employee training for the protection of data is essential, together with ensuring that employees have the resources and tools they need to safeguard information, Borromeo says.

While many people believe that data protection is the domain of IT and HR departments, it should really be regarded as a shared responsibility, according to Borromeo.

“With privacy frequently falling within the orbit of an organization’s legal department, in-house legal counsel often needs to take a leadership role in ensuring that the right security measures and training programs are in place, and that they are adhered to,” he says. “In-house counsel should lead by example. Are you putting confidential documents in the garbage or blue bin without having them professionally shredded first?…Be an advocate for protecting confidential information. Your organization will be better off because of it.”

Alarmingly, almost a quarter of C-suite executives and more than half of small business owners have no regular training on information security procedures and policies, the report indicates.

“What’s most troubling to see this year is the decline in employee training and policies against the backdrop of diminishing consumer trust and a higher frequency of data breaches,” says Borromeo. “Now, more than ever, organizations need to be taking greater steps to protect their data as a majority of consumers [86%] agree that physical and digital data security is a top priority when choosing who to do business with.” Moreover, only six per cent of C-suites and 14 per cent of small business owners operate in a paperless environment, the report found, indicating a need for stringent policies surrounding disposal of paper documents.

Compliance is another area of responsibility for legal departments, and astute in-house counsel will be closely monitoring expected changes to Canada’s Personal Information and Protection of Information Act.

External threats and physical property loss are the biggest information security threats to Canadian businesses, Shred-it’s report found. Only 41 per cent of organizations have a strictly enforced policy in place for storing and disposing of confidential information when employees work off-site. In fact, 45 per cent of small business owners have no such policy at all. 

Consumer trust is another major concern as 83 per cent of consumers fear that private, personal information about them may be available on the internet, and 66 per cent are concerned that their private, personal information exists somewhere in paper format. Borromeo suggests that businesses can help to ease these consumer concerns by providing transparency on the collection of data, being proactive in taking data protection measures, and being honest in the case of a breach.

“On a day-to-day basis, provide transparency on what data is collected and retained, how it is stored and for how long, and how committed the organization is to protect is,” says Borromeo.

Shred-it commissioned Ipsos to conduct a quantitative online survey of 900 small business owners in Canada with fewer than 100 employees, and 157 C-suite executives in Canada with a minimum of 100 employees. The fieldwork was conducted between February 27 and March 9, 2020.

Recent articles & video

Live and Learn: reflections on life and the law from retired Osler M&A king Clay Horner

Ontario Superior Court certifies class action against CIBC for duplicate fees

BC Court of Appeal rejects speculative testimony on potential earnings in personal injury case

Ontario Superior Court rules wife and mother share ownership of disputed property in divorce case

BC Supreme Court denies special costs in dismissed workplace sexual harassment case

Ontario Superior Court dismisses bid to quash unpaid wage orders issued by the Ministry of Labour

Most Read Articles

Ontario Superior Court rules wife and mother share ownership of disputed property in divorce case

Kirkland & Ellis faces lawsuit over data breach involving MOVEit software

'Go, Mom!' How a divorce prompted this USask law grad to travel the long road to becoming a lawyer

Roundup of law firm hires, promotions, departures: June 17, 2024 update