Skip to Content
Logo
Menu
  • About Our Firm
  • Practice Areas
  • Our People
  • Learning Library
  • Corporate Transparency Act
  • Contact
  • Make A Payment

The Role of Personnel in Data Breaches and Cybersecurity Issues

The Role of Personnel in Data Breaches and Cybersecurity Issues

December 5, 2017

Employee error is responsible for most data breaches. Non-malicious mistakes by employees in the form of: failing to lock a door, using the wrong email address, forgetting an electronic device on a plane or train, or forwarding the wrong attachment, lead to a majority of the data breaches that confound employers. Indeed, data breaches are not limited to electronic data. About one in four data breaches involve paper or other non-electronic data.

There is an Illinois Law that Governs Data Breaches.

48 states have data breach laws and Illinois is no exception. Effective January 1, 2017, Illinois amended its Personal Information Protection Act (“PIPA”) which expanded the definition of protected personal information and increased data breach notification requirements. Illinois’ original PIPA statute became effective in 2012, and the Illinois Attorney General published a very useful guide to the statute and its notification requirements here.

Employee Training is the Most Effective Way to Counter Data Breaches.

Employee training is the most effective way to prevent breaches. Indeed, this has been codified into federal law and some state laws. For example, healthcare providers, health plans, and business associates are explicitly required to train their employees on privacy and security under HIPAA Privacy Rules. Financial institutions are required to train their employees under the Gramm-Leach-Bliley Act. Illinois’ amended PIPA requires all employers that collect protected personal information, and nearly all employers do, “[to] implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.” Employee training is one such reasonable security measure.

What Should a Training Program Look Like?

Data breach training should resemble safety training or harassment training. Generally, everyone in an employer’s business should receive customized training based on their level of sophistication. At a minimum, employees should be taught what is confidential or personal information, and what is a data breach. Finally, training should be documented. This means that employers should be able to produce the training curriculum they used and they should record the names and dates of all employees who received training.

Cybersecurity Insurance As a Last Ditch Defense.

Even the best trained workforces will experience a data breach. For most businesses, a data breach may only be embarrassing and inconvenient. For those “black swan” events, however, insurance is a must. Employers should price cybersecurity insurance that is primary, not merely an endorsement on their property and casualty policy. If available, a cybersecurity policy should cover pre-existing problems. Some insurers retain forensic experts for use in cyber investigations and employers should know if they are required to use the carrier’s expert or if they can use their own. “Conduit coverage,” which protects an employer if another entity it does business with suffers damages should also be considered. Data breaches are bound to happen. The damage they do can be mitigated, however, by effective training and a reasonably priced insurance policy.

If you have any questions about the matters addressed in this CCM Alert, please contact the following CCM author or your regular CCM contact.

Related Attorneys

Clingen Callow & McLean, LLC
Lisle Office
2300 Cabot Drive, Suite 500
Lisle, Illinois, 60532
Phone 630.871.2600
Geneva Office
21 North 4th Street
Geneva, Illinois, 60134
Phone 630.938.4769
Fax 630.871.9869
General Inquires [email protected]
  • facebook
  • linkedin

Contact Us

©2025 Clingen Callow & McLean, LLC. All rights reserved.

Law Firm Web Design by NMC

Manage Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
Manage options Manage services Manage {vendor_count} vendors Read more about these purposes
View preferences
{title} {title} {title}