How Data Security Training Mandates Impact Private Companies

In the wake of the WannaCry incident, in which a stolen National Security Agency (N.S.A.) exploit was turned against the public, both public and private companies recognize the crucial need to keep evaluating their cybersecurity programs. Meanwhile, state governments are passing laws that require data security training, sending a signal to private companies that they should do the same.

Current Cybersecurity Threats Out There

Many data security risks arise from the hands of insiders, which include employees, contractors, and third parties. Verizon’s 2017 Data Breach Investigations Report shows that social engineering attacks, such as phishing and pretexting scams, are the most common data security risks created by insiders. The data suggests that only 20% of insiders who do fall prey to social engineering attacks would report them to their employer.

Human data security risks also implicate ransomware, which Wired explains as “malware that locks your keyboard or computer to prevent you from accessing your data until you pay a ransom.” According to the Verizon Report, social engineering scams were found in 21% of all recorded ransomware attacks. Even worse, ransomware has steadily risen from the 22nd most common attack in 2014 to the fifth most common attack in 2016.

Finally, gaining unauthorized access to sensitive information is a data security risk created by insider actions, especially employees. “The insider threat, while not as common in breaches as external actors, is still very significant, accounting for 15% of breaches,” the Report maintained.

Regardless of intention, employees are getting access or allowing others to access sensitive information, leading the Report to recommend security awareness training as an essential control.

Cybersecurity Awareness Training Mandates

Perhaps as a result of the risk of insiders, states are mandating cybersecurity awareness training for state government employees. For example, three states—Oregon, Illinois and Nevada—passed laws that require the employees and staff of each state’s agencies to take cybersecurity awareness training, among other requirements. As will be explained, private-sector businesses should do the same.

Oregon – S.B. 90

Oregon law now requires the state’s executive agencies to “[c]onduct and document the completion of annual information technology security awareness training for all agency employees.” The law is part of a larger effort to overhaul the entire information technology program of Oregon agencies and became effective on July 1, 2017 as an “emergency” measure.

Illinois – H.B. 2371

Illinois law directs the Illinois Department of Innovation and Technology to provide cybersecurity training to employees of the executive branch at least once a year. The training content must include (1) detecting phishing scams, (2) preventing spyware, infections, and identity theft, and (3) preventing and responding to data breaches. The bill expressly mentions that the training may be delivered online. The law is effective on January 1, 2018.

Nevada – A.B. 471

The bill creates the Nevada Office of Cyber Defense Coordination and requires it to coordinate cybersecurity awareness and training for state agency employees. The law has been in effect since July 2017 and requires the Office to publish its report by January 1, 2018.

Why State Data Security Training Mandates Impact Companies

While these laws do not affect private employers, similar requirements may reach them in the near future. The New York State Department of Financial Services is requiring all banks under its supervision to provide cybersecurity awareness training to bank employees by March 2018.

The cybersecurity regulation impacts a large portion of the banking industry that is already under considerable data security regulation given the Gramm-Leach-Bliley Act, FFIEC examination protocol, and international laws such as the General Data Protection Regulation and the UK Privacy Shield.

Following the law is necessary. However, laws and policies do not always regulate human actions. As my colleague Steve Treagus explains,

Insider negligence is the leading cause of data loss or theft, and unauthorized data sharing can undermine your best efforts at data security — even if employees are otherwise trained in cybersafety protocols. Training in cybersecurity awareness is extremely important — but no training can stand alone. Employers need to also shore up cybersecurity policy, balance security with productivity needs, and bolster their security infrastructure to secure data in whatever form it takes and wherever it’s stored and used.

Data security awareness training is a critical facet of a company’s cybersecurity program. While many companies are not required to provide cybersecurity training, new laws and data security trends show the benefits of doing so regardless of requirement.

Learn More About Our Data Security Training

EVERFI can help support your managers with online compliance and ethics training for employees and supervisors. Additionally, EVERFI will deliver a robust, cloud-based learning management system to help you easily deploy and track our growing library of compliance training courses, including code of conduct and ethics, anti-harassment, data security, and much more. Contact us today for a free demo.

What Data Says About Ethical Behavior in the Workplace

Ethisphere and Convercent recently collaborated to release a survey about aligning business goals with ethics and compliance programs. The report provides many insights about ethical behavior at work.

The two most interesting include the different kinds of data metrics companies are using to measure compliance program effectiveness and the role managers play in creating successful ethics and compliance programs.

Different Types of Compliance Data Metrics

“Activity” Data Versus “Performance” Data

Companies are sitting on enormous mounds of data, much of which can help “to detect and anticipate ethical issues in real time before they become a real problem.” According to the report, the most common data companies collect is:

  • Training Completion Rates (78%)
  • Hotline Statistics (74%)
  • Investigation Statistics (70%)
  • Likelihood and Severity of Top Risks (60%)

However, while important, the report calls this data more or less “activity” data, which is less valuable than “performance” data. Performance data is an “excellent measure” of ethical behavior and culture, is tracked marginally well, and comes in the form of:

  • Audit Results
  • Risk Assessment Results
  • Third-Party Due Diligence
  • Conflicts of Interest Disclosures
  • Culture Surveys

Difficult to Track “Desired” Metrics

The report also identifies “desired metrics” that chief ethics and compliance officers (“CECOs”) want to track, but find doing so difficult:

  • Open-Door Reporting
  • Behavioral Root Cause Analysis (behavioral factors that lead to an incident, such as the effect of incentives on an unethical sales decision)
  • Campaign and Engagement Effectiveness
  • Benchmarking
  • Ethics and Compliance Value

Additionally, even if compliance and ethics professionals have this data, they may not use it:

  • 65% of CECOs struggle to aggregate and analyze data due to lack of time and resources
  • 55% indicate that data are housed in disconnected and unintegrated systems
  • 44% say the data simply isn’t available to them

Apparently, many CECOs feel they are not properly equipped to measure the effectiveness of their compliance programs. But one major resource CECOs have for information is their managers.

How Managers Help Ethics Programs Succeed

Managers hold a lot of power over people in an organization. According to the report, 73% of employees indicate they raise concerns primarily with their manager, their manager’s manager, or human resources.

On one hand, this is good news — the vast majority of employee survey respondents are comfortable addressing at least some issues with management (known as “Open-Door Reporting”).

On the other hand, it puts a lot of responsibility on managers, some of whom may not know it’s their responsibility to collect and capture data from their teams. They may be given lukewarm instruction to keep track of complaints or issues, or not given any instruction at all.

According to the report, gathering data begins with good policies. First, employers must hold their managers accountable to company policies and values. Accountability is one sign of an ethical manager.

Academic research and experts agree that examples set by senior and local management are strongly influential on the actions and attitudes of employees. The stakes are high.

Second, managers should receive training on best practices to not only address real problems, but work with ethics and compliance teams to fully use data and information that’s reported to them.

The report concludes with the observation that successful companies are built not only on financial goals, but also on fundamental values and ethics. In other words, good ethics are good for business. Utilizing real data, and supporting managers, are important ways that companies can improve their ethics and compliance programs.

Why CEOs with Personal Integrity Are Better for Business (Ethical Leadership Series, Pt. II)

In an era of 24/7 news coverage, viral social media posts, exposure to global compliance risks, and an increasingly skeptical public, it is hard to hide serious leadership misconduct.

As Part I of this series discussed, CEOs face termination more frequently than ever for ethical lapses ranging from shady business dealings to personal indiscretions.

Global companies are increasingly penalizing leaders for reported misconduct:

  • Interest rate manipulation and money laundering
  • Abusive sales practices
  • Sexual harassment
  • Improper relations with employees
  • Résumé fraud

Sometimes it’s hard to draw the line between personal and business-related misconduct. Consider, for example, an inflated (but not fraudulent) résumé, or a relationship between a supervisor and their employee.

But when the line is clear, does a leader’s personal misconduct have a detrimental effect on business?

Researchers at three U.S. universities asked this same question, and, after reviewing a sample of 219 unique instances of personal indiscretions, concluded that it does.

How Does a CEO’s Personal Integrity Impact Business Integrity?

The resulting study, published in the Journal of Financial Economics (JFE) (and summarized in the Harvard Law School Forum on Corporate Governance and Financial Regulation) crunches the numbers to determine whether leadership misconduct is also bad for business.

Specifically, the authors wanted to know whether a CEO’s personal indiscretions (as opposed to wrongdoing directly connected with the company) negatively impacted businesses in a measurable way.

The underlying assumption was that personal indiscretions signaled a lack of personal integrity. Building from there, the study sought to discover whether there’s a link between a CEO’s personal integrity and a firm’s value.

How Researchers Defined Personal Indiscretions

The study defined personal indiscretions to include “allegations of dishonesty, substance abuse, sexual misadventure, or violence.” Because personal indiscretions don’t generally expose firms to the same level of legal liability that firm-related misconduct does, some scholars have claimed that personal indiscretions have no significant economic impact on corporations.

But the scholars who conducted the JFE study thought that personal indiscretions could cause significant enough reputational harm to the firm that market forces would “discipline personal misconduct.”

Ethical Indiscretions Cost Millions of Dollars

It turns out that when an incident of CEO personal indiscretion comes to light, shareholder value declines $266 million (4.1 percent). These indiscretions also resulted in:

  • The acquisition of fewer customers and joint partnerships
  • A decline in profit margins and return on assets
  • An increase in CEO malfeasance related to the business, such as manipulating earnings

Following an indiscretion, CEOs are 41 percent more likely to be fired; those who still hold the reins face an average cut of $400,000 in salary and bonuses as punishment.

But it’s not just the CEO who suffers. When a manager other than the CEO commits an ethical indiscretion, shareholder value declines 1.6 percent ($110 million). The study also found that corporate directors at firms with unethical managers lose shareholder votes at a comparable magnitude to votes lost at firms targeted by litigation. The damage increases when the wrongdoer is a board member.

Unethical Leadership Negatively Affects Company Culture

Not only does unethical leadership cost millions of dollars, but it also signifies a dysfunctional corporate culture. This increases the risk of litigation and enforcement actions as well as loss of reputation and trust in the business community.

The study’s authors observe that a leader’s “indiscretion could signal a shift in the firm’s culture to one that now implicitly condones opportunistic behavior.” Business partners, they continue, “might infer from a managerial indiscretion that the firm does not penalize opportunistic behavior as strictly as previously anticipated and re-evaluate their business relationship with the company.”

Firms are Holding Leaders Accountable for Ethics

CEOs are often evaluated on hard data, such as the economic performance of the business and shareholder value. But some firms have also begun to pay CEOs based on “soft factors” related to ethics, according to the Harvard Business Review.

Some skepticism may come from a belief that ethical conduct cannot be measured by hard data. But as my colleague Karen Peterson observes, the effectiveness of ethics and compliance programs can be measured by triangulating multiple data sources, including:

  • Culture surveys
  • Internal audits
  • Ethics hotline use and response data
  • Investigations completed
  • Outcomes of ethics complaints

Many firms are learning that profit is inextricably linked with ethical conduct, and that there’s no need to sacrifice the bottom line for an ethical CEO and business. In fact, studies show that good ethics are good for business.

On the flip side, the most recent studies show that CEO misconduct is in no one’s interest (for example, see Part I of this series). Companies that fail to see the link between ethically bad and economically bad business decisions need only look to the data.

Note: This is Part II of a three-part series on the consequences of leadership misconduct. Part I discussed the implications of research showing that the world’s largest publicly held companies have been terminating CEOs more frequently for ethical lapses. Part III will wrap up by looking at situations in which leaders and workers are more likely to cheat, through the lens of recent enforcement actions and empirical data.

Ethics and Compliance Training for Leadership

EVERFI delivers online training to help your business meet compliance requirements both dynamically and scalably. In addition to our award-winning online courses, EVERFI delivers a robust, cloud-based learning management system to help you easily deploy and track our growing library of compliance training courses, including code of conduct and ethics, anti-harassment, data security, and much more.

CEOs Increasingly Scrutinized for Ethical Lapses

A study by Strategy&, PwC’s business consulting firm, found that the world’s largest publicly held companies have been terminating CEOs more frequently for ethical lapses. Globally, the years 2012-2016 saw a 36% increase over 2007-2011 in CEO misconduct-related terminations.

The larger the company, the more likely a CEO would be fired for ethical lapses (from a rate of 7.8% of all dismissals in the largest quartile of market share, to a rate of 3.2% in the smallest, in 2012-2016).

Examples of Ethical Lapses

Ethical lapses don’t necessarily signal that leaders or companies lack integrity as a whole, but they do indicate serious and harmful errors in ethical judgment. Examples of ethical lapses include business-related misconduct such as fraud, bribery, insider trading, and environmental disasters involving negligence or recklessness.

They also include personal ethical misconduct, such as inflated résumés and sexual indiscretions. (We’ll zero-in on the economic consequences of personal misconduct in Part II of this series.)

Increased Accountability for CEOs

As the study’s authors are quick to point out, this does not necessarily mean that CEOs are less ethical now than they were in the past:

Our data cannot show — and perhaps no data could — whether there’s more wrongdoing at large corporations today than in the past. However, we doubt that’s the case . . . our data shows that companies are continuing to improve both their processes for choosing and replacing CEOs and their leadership governance practices — especially in developed countries.

What it does mean is that boards of directors hold CEOs more accountable now, largely due to these 21st century factors:

  • Increased public suspicion of corporate behavior;
  • The amplifying effects of the 24/7 news cycle and of wrongdoing’s digital footprint on social media;
  • Increased legislative, regulatory, and enforcement actions; and
  • Greater global exposure to supply chain and emerging market-related risks.

All of this points to what the study’s authors call “a sea change in accountability” over the last 15 years. In the late 20th century, by contrast, corporate misconduct almost never resulted in CEO turnover: “criminal prosecutions of corporate officers were extremely rare . . . financial penalties tended to be modest . . . and media attention was often limited to the business press,” the study’s authors observe.

Systemic Recommendations for Ethical Leadership

The study concludes with systemic recommendations for ethical leadership. After all, CEOs don’t turn “bad” in a vacuum. They are both influencers in, and influenced by, the social and corporate cultural circles they are part of.

So, the recommendations focus on what leaders can do on a company-wide level to avoid unethical behavior by any employee and by the corporation itself:

1. “Organizational and external influences.”

Social pressures such as unrealistic performance targets create bigger problems than financial incentives. Leaders should make sure that they have appropriate structural checks on misconduct. This includes an open-door policy that encourages employee dialogue about both good and bad news (such as difficulty meeting targets). That way, problems can come to light before they turn into ethical lapses.

2. “Business processes.”

Minimize opportunities for bad behavior by assessing your company’s risk exposure, by shoring up compliance programs for effectiveness, and by ensuring that employees have ways to report misconduct and know how to do so. [Our research shows that employers should give workers multiple avenues for internal reporting, not just a whistleblower hotline.]

3. “Individual ethical decision making.”

People convince themselves to act unethically by telling themselves that it’s okay to break the rules (rationalization). Leaders who seem to implicitly or explicitly condone rule-breaking influence company culture and make it easier for employees to rationalize cutting corners themselves.

Ethical leaders should clearly and effectively communicate their company’s ethics and compliance policies through employee training. They should drive ethical engagement from the top by example (including by holding themselves accountable and admitting mistakes) and seek out expert guidance when facing ethical dilemmas.

In addition to these recommendations, I would add that ethical managers value evidence over opinion (expert or otherwise) in assessing whether their company’s ethics and compliance program is working. Although it’s human nature to hold our own opinions in high esteem, doing so often leads to ethical lapses. Ethical leaders rely on the facts first.

Note: This is Part I of a three-part series on the consequences of leadership misconduct. Part II will examine the economic impact of personal indiscretions by corporate leaders. Part III will wrap up by looking at situations in which leaders and workers are more likely to cheat, through the lens of recent enforcement actions and empirical data.


Why Is Your Sexual Harassment Policy Failing?

Harassment is one of the top complaints that employees make to the Equal Employment Opportunity Commission (EEOC). Of the approximately 90,000 charges employees filed with the agency in the last three years, harassment charges made up nearly a third—and close to half of these involved sexual harassment.

For every sexual harassment complaint, many more incidents go unreported, as the EEOC reported in June of 2016. Litigation risk is one reason why, these days, nearly every employer has a sexual harassment policy. Even companies that have made a splash in the headlines for sexual harassment have sexual harassment policies, at least on paper.

But that’s the problem. If everyone has a policy, why is sexual harassment so prevalent? A recent study co-authored by University of Missouri Communication Professor Debbie S. Dougherty explores why.

Employees Misinterpret Sexual Harassment Policies

In the study, 24 employees of large government organizations were asked to read their employer’s sexual harassment policy, gather in groups to discuss it, then answer questions about what they thought it meant. Unfortunately, the study’s authors concluded that “the actual words of the sexual harassment policy bore little resemblance to the employees’ interpretations of the policy.”

Perceptions vs. Behavior

Employees believed the policies focused on perceptions of harassment, whereas the policies actually focused on preventing sexually harassing behavior. They also missed that policies prohibited sexual harassment regardless of the gender of the harasser or the target.

These misinterpretations led to the misperception that heterosexual males could be targeted as sexual harassers based on subjective perceptions of female co-workers. Under this interpretation, innocent comments about a co-worker’s appearance or incidental nonsexual touching could be considered sexual harassment.

Dougherty explains:

“As a result, the organization’s sexual harassment policy was perceived as both highly irrational and as targeting heterosexual male employees. The employees shifted the meaning of the policy such that female targets of sexual harassment were framed as the perpetrators and male perpetrators were framed as innocent victims.”

“To accomplish this shift in meaning, the employees drew on the assumptions of women being irrational and highly emotional and on assumptions of men being rational and competent. Through this intertwining of organizational policy, organizational culture, and national culture, the employees inverted the meaning of the sexual harassment policy, making it an ineffective tool in the fight against predatory sexual behavior in the workplace.”

Stereotypes and Discrimination

These assumptions point to sexual stereotypes that may be embedded in company culture, which in turn are deeply rooted in the larger culture. Company culture is hard enough to change, and corporate leaders are rarely in a position to make big changes in society at large. While policy alone won’t change culture at the level of the company or of the country, employers can fight sex discrimination and be part of the solution.

Effective Sexual Harassment Policies

An effective policy is a step in the right direction. To be effective, policy needs to live and breathe in practice. It shouldn’t reinforce or appear to reinforce negative cultural mores or, worse, create new ones in the minds of employees.

So, what can policy-makers and compliance personnel do to keep workers from figuratively tearing their well-drafted sexual harassment policies to shreds?

How to Improve Your Sexual Harassment Policies

The study makes two surprising recommendations:

  1. Include emotion-laden language in your sexual harassment policy
  2. Mandate that bystanders intervene to stop harassment

Use Clear, Emotion-Laden Language

The first recommendation requires a bit of explanation. Of course, sexual harassment policies don’t make for the most scintillating reading. But that’s Dougherty’s point. Since most policies are quite dry, employees tend to insert their own emotions and (wrong) ideas into them.

To help frame the behavior in clear, emotion-laden language, Dougherty suggests characterizing sexual harassment as “predatory” and harassed employees as “targets” rather than “victims.”

But Dougherty doesn’t assume that reframing sexual harassment policies in this way is easy:

“Although policies tend to be stripped of emotions, it is essential for policy creators to recognize that policy creation is one of the most emotion-laden activities that organizational leaders are asked to accomplish. Because sexual harassment is such an emotionally laden topic, the creation of sexual harassment policies becomes even more emotionally challenging.”

Mandate Bystander Intervention

The second recommendation is more straightforward, but not widely practiced. Most sexual harassment policies, Dougherty observes, require only the target of harassment to take action (specifically, by reporting).

By calling on employers to mandate bystander intervention, Dougherty hopes to mitigate the stigma of reporting (and the organizational harm that results from not reporting) when the sole duty is placed on the target’s shoulders. “Mandated bystander intervention,” writes Dougherty, “rightly puts the responsibility of creating a healthier organizational culture on all members of the organization.”

In this sentiment, she echoes the EEOC’s proclamation that “it’s on us”—every employee at every organizational level—to prevent harassment. Presumably because witnesses to sexual harassment aren’t born with the tools to determine an appropriate response in any given situation, the EEOC recommends that employers implement bystander intervention training.

Train Employees on Your Policies

A well-crafted policy also needs to be communicated to employees. That’s where training comes in. But having ineffective training for a well-written policy is just as bad as having an ineffective (or no) policy. Bad training can even backfire, like poorly crafted sexual harassment policies.

That’s probably why Dougherty concludes that:

“No policy, no matter how well crafted, will prevent sexual harassment on its own, nor will it change a culture of sexual harassment. A policy is a first step that needs to be followed by persistent training, a willingness to listen to targets, and a readiness to fire employees who prey sexually on other employees — regardless of how important the predator may be in the organization.”

Note the effective use of emotion-laden language.

Effective Sexual Harassment Training for Your Organization

EVERFI delivers online compliance training courses to help your business meet compliance requirements both dynamically and scalably. In addition to our award-winning online courses, EVERFI delivers a robust, cloud-based learning management system to help you easily deploy and track our growing library of harassment prevention, ethics, data security and employee conduct courses.

What Happens When Workplace Policies Are Written with Legalese?

While your workplace policies are necessary, they may not be as effective as they could be. Developing and implementing company policies effectively is what best helps employees align with company goals and expectations.

At a minimum, companies should avoid legalese when writing corporate policies, but they should also use clear language, include useful content, and implement policies through the actions of employees.

What is Legalese? And Why is It Bad?

Legalese is the formal and technical language of legal documents. For example, phrases like “and/or,” “herein,” “provided that,” “pursuant to,” and “shall” are common legalese used by attorneys that often confuse everyday readers, according to the ABA Journal. Confusion arises because these words have either unknown or multiple meanings.

In Above the Law, attorney Stefan Savic explains: “Just as a Game of Thrones fan cannot really explain what an episode in season 6 is about to someone who does not watch it, explaining the intricacies of the rule against perpetuities to a non-lawyer (or in that example even to a lawyer) can be very challenging.”

How Does Legalese Impact Employee Conduct?

Imagine the effect of an unreadable code that explains how a target of sexual harassment can report and resolve their concerns. The Harvard Business Review analyzed a study of employees presented with a typical sexual harassment policy.

Results showed that the actual words of the sexual harassment policy bore little resemblance to the employees’ interpretations of the policy. Employees twisted the words of the sexual harassment policy, revealing their underlying biases—like women being “irrational”—and gross legal misinterpretation.

The author warned: “Remember that sexual harassment policies are not just legal documents. They are also culturally important, meaning-making documents that should play a role in defining, preventing, and stopping sexual harassment in an organization.”

The fact that a document is “legal” in nature doesn’t mean that the language in it must be “legal” as well.

Best Practices for Writing Workplace Policies

Ideally, your corporate policies should communicate clearly and in a positive tone. Research on code development found that employees, managers, and ethics officers consider codes more effective when they are readable, relevant, and positive in tone.

In addition to being clear and concise, the most effective codes are accessible to employees as well as to agents and consultants. My colleague Karen Peterson offers many tips for developing a code of conduct, such as:

  • Obtaining buy-in across the organization with input from a multidisciplinary team
  • Including the organization’s mission statement, vision, and values that reflect its commitment to ethics, integrity, and quality
  • Clarifying that the organization expects individuals to act with honesty and integrity in addition to complying with legal requirements
  • Describing expected behaviors rather than stating prohibitions
  • Covering relevant risks, employment practices, protecting corporate assets, and managing third-party relationships
  • Making it user friendly and applicable to all individuals covered by the code
  • Using simple, concise, and easily understood language (and providing translated versions as needed)
  • Describing enforcement and disciplinary procedures
  • Soliciting feedback on the code from all levels of the organization
  • Updating to improve content and address new issues or risk areas

An obvious solution is axing legalese from legal documents like policies. But as Peterson emphasizes, this is insufficient. A lot more goes into effective workplace policies and communications.

Beyond Workplace Policies and Procedures

Just as policies and procedures need to be accessible and informative, a company must implement them effectively. In addition to developing the content of a policy, human resources, compliance officers, and ethical managers must know all workplace policies and make themselves available to explain, clarify, and exemplify workplace policies in everyday actions. Legalese in workplace policies alienates employees, but so can thoughtless content and a lack of follow-up.

Training on Your Policies and Procedures

EVERFI delivers online compliance training courses to help your business meet compliance requirements both dynamically and scalably. In addition to our award-winning online courses, EVERFI delivers a robust, cloud-based learning management system to help you easily deploy and track our growing library of ethics, anti-harassment, data security and employee conduct courses.

The Importance of Education Technology in the Workplace

Despite Progress, Compliance Problems Still Exist

Most companies are making progress with compliance — they have codes of conduct, are working to improve their cultures, and are hiring staff including compliance, diversity, privacy and ethics officers. These companies should be credited for laying down necessary, ethical infrastructures.

Yet, despite these efforts, terrible things happen in the workplace. Fraud and conflicts of interest continue to plague organizations and governments. Sexual harassment continues to be a problem, devastating its victims and demoralizing the workplace, according to a recent report by the EEOC. Discrimination, diversity, hiring bias: these are not just buzzwords, but real problems that exist across the globe.

We believe that almost all organizations care about their employees’ well-being, but sometimes the link between attitude and action gets lost in the shuffle. The potential is there, it just needs to be unlocked. Education technology can help unlock that potential.

Using Technology to Educate, Not Regulate, Humans

Technology for Managing Ethics and Compliance

Employers now have access to powerful technological tools to help manage their ethics and compliance programs. A 2017 report by KPMG finds technology, like automation and data analytics, to be “necessary investments” for compliance to conduct risk assessments, monitor, and report data points. Fast Company highlights many companies throughout the US that are using artificial intelligence to “spot nuanced biases in workplace language and behavior” to improve human behavior that favors certain groups of people over others. Technology has no boundaries, and it’s easy to rely on it to help solve real workplace issues.

We cannot forget, however, that people are, and must continue to be, the focus of technology. We are not going so far as to say that technology is going to overtake the human race, but we do believe that companies should think deeply about who they are ultimately serving with technology and not just use technology for technology’s sake.

Education in the Corporate Workplace

Education has been called the “social continuity of life” and an overall social good. Education also happens in the workplace through skill-building programs, mentorships, and of course, training. We can’t forget, however, that humans are at the center of it. Employees are both the perpetrators and victims of harassment. Employees make decisions. Employees are responsible for driving diversity and inclusion, refusing bribes and reporting violations. We can monitor, track and report all we want. If employees do not have the necessary knowledge to do what’s right, a concept that reaches well beyond the corporate cloister, we place our companies at greater risk of harm.

Not all education is equal. Research shows that merely understanding a code of conduct does little to change unethical or illegal behavior. Words on a page do not translate into action. Instead, focus should be on how and what an employee can learn. For example, knowing that bribery is illegal and to “stop it” is much less valuable than a case study prompting an employee to watch out for red flags in everyday actions, then reinforcing that learning with post-training assessments and additional training. True learning leads to impact, because it develops real world skills that help stamp out social ills like corruption, cultural tone deafness, and discrimination. In this way, it can be said that workplace education, or training, fulfills a greater social good.

When implemented thoughtfully, workplace education is a way to help organizations, each other, and society. And when combined with technology and a focus on our roles as humans, it can scale to reach people regardless of the borders we constrain ourselves with.

The Solution: Education Technology

National problems need a national solution. Education is necessary, but by no means a silver bullet. And while some companies may balk at being responsible for social problems in addition to shareholder value, that attitude is dying fast.

It is estimated that Millennials will make up 75% of the workforce by 2025. They, unlike any other generation before, support private business but also expect companies to represent something bigger, and truer, than just corporate profits, according to a 2017 Deloitte survey. Millennials want to work for and consume from ethical and diverse companies. Incorporating these concepts into a company’s everyday business strategy and operations can help them achieve long-term sustainability. Combining technology with education about intractable issues like discrimination and abuses of power can help build a sustainable company, if not society.

It’s about time that private and public organizations come together. That is why EVERFI is bringing together regulators, prevention experts, educators, legal/compliance professionals and scientists to tackle some of the most intractable social issues through education technology. The acquisition of online compliance training leader Workplace Answers makes us “the world’s largest company committed to empowering learners at every stage of their lives, from the classroom to the boardroom.” Make no mistake, we are a for-profit company. But we believe we can do both. And we believe that every other company can too.


Note: This post was previously published by Corporate Compliance Insights.

Does Data Validate Online Compliance Training?

Many large enterprises provide compliance training to their employees. A 2017 report by KPMG provides survey data and analysis of compliance best practices, including employee communication and training. This post pulls out data points that allow us to better evaluate the value of effective online compliance training.

KPMG’s The Compliance Journey (“the Survey”) surveyed organizations across seven industries with compliance teams ranging from fewer than 25 professionals to more than 250. While the survey did not indicate the number of respondents, which affects the sample size, the range of organizations and departments surveyed indicates a good amount of validity.

Summary of Results

The Survey found that organizations are making “substantial progress” in their ethics and compliance programs, particularly in governance, culture, policies and procedures, and communication and training. But, organizations can do better in compliance monitoring and testing. In addition, CEOs can instill accountability across their organizations by considering adherence to compliance policies and procedures as a factor in employees’ performance ratings and compensation.

And sure, compliance scandals have rocked sophisticated companies over the past couple of years. But these setbacks shouldn’t prevent companies from trying to do better to ensure that their compliance programs are fulfilling their goals of keeping companies and, most importantly, employees safe.

Compliance Training is Used, But Not Maximized

The report provided specific stats on training and communication in particular. Virtually all organizations (98%) require employees to take compliance training on key compliance policies and procedures and most (84%) train about applicable key laws, rules, and regulations. Companies have realized the importance of training, and implement it consistently across the board.

Yet, it is apparent that companies are not fully utilizing training. Many survey results point to opportunities that good training can address. For example:

  • 31% of Chief Compliance Officers (CCOs) do not know, or do not communicate, lessons of conduct and culture across their organizations
  • Only 29% of organizations report that they assess compliance skills of their staff on an ongoing basis
  • 23% do not engage in open communication about compliance issues, lessons, and practices (or do not know if they have such an approach)
  • Only 69% say their organization leverages technology to support its compliance initiatives

Training is a vehicle to communicate lessons of conduct, culture, compliance, and to assess skill building. Online compliance training allows it to be implemented across the entire company and leveraged for data.

Compliance Training Best Practices

If training were as simple as just providing it, we would see immediate results. It doesn’t work that way. Understanding does not signify learning or action. In the land of compliance, research shows that merely presenting a law or policy to a learner is ineffective. In fact, it can make people more likely to violate compliance standards. This may be why “CCOs recognize that adult cognitive learning theories support offering shorter trainings that are more memorable, engaging, and that contain real-life vignettes.” Engagement is important to learning, but again, it’s not enough. To learn more about effective adult learning theory, check out EverFi’s white paper, Value of Conduct Training.

Fortunately, the Survey provides many examples of how companies, or their training vendors, can make compliance training more effective. Here are some highlights.

  • Identify what needs to be trained on based on internal risk assessments
  • Use storytelling, “refreshers,” and real examples from the company’s workplace
  • Train middle managers to “enhance accountability” and “develop ethical leadership skills”
  • Deliver “compliance training content to employees who may historically only been reachable via live/in-person training using advances in technology”
  • Leverage technology to monitor and follow up on the results of regulatory testing
  • Utilize technology to “track training results and content distributed to employees, as well as to enable more targeted training for employees based upon their roles and responsibilities”

Top Compliance Challenges for CCOs

Indeed, when asked about their top compliance challenges, CCOs responded that enhancing accountability in compliance, improving data quality, and making compliance effective and sustainable were the top three. Online compliance training, when developed effectively and rolled out to a willing audience, can help organizations meet their biggest compliance challenges.

LawRoom (powered by EverFi) delivers online training to help your business meet compliance requirements both dynamically and scalably. In addition to our award-winning online courses, LawRoom delivers a robust, cloud-based learning management system to help you easily deploy and track our growing library of ethics, anti-harassment, data security and employee conduct courses.

Data Security Risks: The Bad News and The Good News

The Bad News.

Data breaches are on the rise. The Identity Theft Resource Center (ITRC), which has been tracking data security risks since 2005, released a report in which it counted 430 data breaches between April 2016 and April 2017. This shows a 37% increase from 2015-2016, according to Credit Union Times. This is a scary thought when we consider that ITRC found 2016 to be a record year for data breaches, according to Bloomberg.

It gets worse. A cybersecurity survey conducted by EiQ found that small to medium-sized businesses (SMB) were not prepared for a cybersecurity breach. Out of approximately 150 IT security personnel, 86% responded that their company has underfunded security initiatives, and 56% said their organizations are unprepared to identify and respond to cyberattacks. EiQ states that cybersecurity is a small fraction of many companies’ IT budgets, indicating that cybersecurity isn’t as big a priority as other technological initiatives. The National Center for the Middle Market, out of Ohio State University, has a Cybersecurity Resource Center tailor-made for midsize companies, which may feel the harm of inadequate resources to counter data security breaches.

It would appear that larger organizations fare better, as they tend to have more resources to maintain effective data security programs. However, data security breaches constantly spatter news headlines, like the ones at Yahoo and the US Internal Revenue Service. Additionally, laws like the GDPR, UK Privacy Shield, and New York’s Cybersecurity Regulations require adequate third-party data security management, including vendors and outside law firms. The Association of Corporate Counsel’s Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information is a guide that can help companies prepare.

Ultimately, companies of all sizes and resources should be investing in enhanced cybersecurity.

The Not-so-Bad News.

Some industries did better than others. In fact, the ITRC survey found that healthcare and financial services experienced declines in data breaches compared to the prior year. Meanwhile the educational industry, the government/military, and the “business” industry (which includes all other industries, like retail and professional services) experienced more. This should not be surprising to some folks, as both the financial services and healthcare industries are highly regulated by federal data privacy laws like the Gramm-Leach-Bliley Act and HIPAA, respectively.

Even though financial services’ data breaches dropped by more than 50% (4.1% to 1.9%), a global study by Capgemini showed that only 21% of 183 surveyed senior data privacy and security professionals at financial services companies were “highly confident” in their organization’s ability to detect a data breach, creating data security risks. This uncertainty wasn’t relegated to the SMB group, either. Forty percent of the surveyed professionals came from companies with revenues of $10 billion or more. To help with these issues, the Federal Financial Institutions Examination Council (FFIEC) offers a variety of cybersecurity resources for financial institutions.

Further, the lower occurrence of data breaches in healthcare does not mean that they don’t occur. The US Department of Health and Human Services fined a hospital that ignored the security risk to patients’ ePHI. It had knowledge of data breaches, but did little, if anything, to counter them over the course of many years. Data breaches can have unforeseen consequences for healthcare companies’ business and customers, such as botched business deals and vendor pull-outs, in addition to decreased consumer confidence in an affected company’s reputation.

The Good News.

Nonetheless, many companies should be applauded for their efforts at minimizing data security risks. Many have chosen to invest in training.

Conduct training can be an effective way to mitigate data breaches, as human error is a huge risk to cybersecurity. A Ponemon Institute report on closing data security gaps shows that insider negligence is the leading cause of data loss or theft. The National Center for the Middle Market explains:

Employees are your biggest cybersecurity risk–and also, potentially, your biggest asset. Cybersecurity is everybody’s job and mistakes by employees, contractors, and vendors – using weak passwords, opening attachments from an unfamiliar source, misconfigured settings – lead to the overwhelming majority of successful attacks.

Scams are becoming more sophisticated; common sense isn’t enough to protect employees anymore. As long as employees have access to personal or sensitive information, they can be a risk even in the most sophisticated data security program. They need training to teach them to recognize the more subtle forms of persuasion, like phishing scams. Attacks like these are known as social engineering — trying to trick people into doing something that they would never do if fully cognizant of their actions. Data security training can mitigate these real data security risks.

Reduce Your Data Security Risks.

Learn more about Online Data Security training or read a white paper on what makes effective data security training.


Anti-Bribery Law Basics: FCPA and the UK Bribery Act

The Foreign Corrupt Practices Act and the UK Bribery Act are two of the most important anti-bribery laws that seek to prevent corruption globally. Their broad scope and long reach mean that organizations of all sizes that do business overseas or have foreign partners should consider offering online FCPA training to their employees as well as their agents and partners when appropriate.

Brief History of the FCPA & UK Bribery Act

In the early 1970s, with public trust already shaken by the Watergate Scandals, investigations conducted by the Securities and Exchange Commission revealed that many US corporations were maintaining special cash slush funds for bribing foreign officials. According to a Congressional report, over 400 corporations admitted to making illegal or questionable payments to foreign officials, totaling more than $300 million (or $1.2 billion in 2015 dollars).

In response to these shocking revelations, Congress passed The Foreign Corrupt Practices Act (FCPA) in 1977, prohibiting US businesses or persons from bribing foreign officials to get, keep, or direct business. In its report on the FCPA, Congress explained:

The payment of bribes to influence the acts or decisions of foreign officials, foreign political parties or candidates for foreign political office is unethical. It is counter to the moral expectations and values of the American public. But not only is it unethical, it is bad business as well. It erodes public confidence in the integrity of the free market system.

Today the Securities and Exchange Commission (SEC) and Department of Justice (DOJ) jointly enforce the FCPA. Together, they have brought an increasing number of FCPA enforcement actions charging violators with both civil and criminal offenses. The year 2016 “produced what arguably is the most significant year of enforcement in the statute’s 39-year history,” according to attorney F. Joseph Warin. The SEC and DOJ brought 53 enforcement actions against companies and levied more than $2 billion in corporate fines.

Since the passage of the FCPA in 1977, the global marketplace has become governed by an increasing number of laws and regulations that aim to prevent corruption. In addition to the FCPA, organizations doing business overseas may find themselves governed by other nations’ laws.

Of particular note is the UK Bribery Act 2010, which applies to UK businesses and persons. The UK Bribery Act imposes more severe penalties and is broader in scope than the FCPA, covering bribes to private parties as well as to foreign officials. The UK Bribery Act also prohibits being bribed, not just giving bribes. Because of the close ties between the United States and the United Kingdom, US businesses should pay special attention to all forms of potential bribery abroad, regardless of jurisdictional technicalities.

Penalties for Breaking Anti-Bribery Laws

The penalties for violating either the FCPA or the UK Bribery Act are significant. Both individuals and corporations can be held liable. While this shouldn’t form the basis of prevention, it highlights the enforcement bite of legal noncompliance.

Individuals who violate the anti-bribery provisions of the FCPA may face criminal and civil fines, up to five years in prison, and ineligibility for future activities such as doing business with the federal government or the securities business, according to the FCPA Resource Guide.

Businesses may face criminal fines up to $2,000,000, civil penalties, and ineligibility for future activities such as doing business with the government, securities activities, or export licenses as well. There are additional hefty penalties for violating the FCPA’s accounting provisions. It’s worth noting that under the Alternative Fines Act individuals and businesses may face fines much higher than those suggested by the FCPA: up to twice what the defendant gained by making the corrupt payment.

Under the UK Bribery Act, individuals or businesses may face up to 10 years in prison or unlimited fines.

The Importance of Training on Anti-Bribery Laws

Given the intricacy and potential consequences of violating anti-bribery laws, it is crucial that your organization has compliance programs in place to prevent corruption whenever it has dealings overseas. This is why companies should invest in FCPA Training. It’s more than avoiding legal liability. It’s really about doing what’s right.

Both the DOJ and SEC take into consideration an organization’s compliance program when deciding whether to open an investigation or bring charges under the FCPA.

According to the FCPA Resource Guide, “In appropriate circumstances, the DOJ and SEC may decline to pursue charges against a company based on the company’s effective compliance program, or may otherwise seek to reward a company for its program, even when that program did not prevent the particular underlying FCPA violation that gave rise to the investigation.” Similarly, companies can defend themselves against charges related to the UK Bribery Act if they can show that they had adequate procedures in place to prevent bribery.

Further, the DOJ’s Fraud Section issued the “Evaluation of Corporate Compliance Programs” (ECCP), a litany of “important topics and sample questions” to help companies evaluate their compliance programs. My colleague Karen Peterson correctly points out that measuring compliance program effectiveness goes beyond checking a box. Data, culture, and ethical managers are critical facets that companies must validate, support, and foster.

Training is a hallmark of an effective compliance program. It helps reinforce an organization’s values, distribute its anti-corruption policies, inform the organization’s workers of the relevant laws and best practices, and ensure that workers understand how to act on those values, policies, and practices.

This post was informed by considerable research and analysis by my former colleague, Pax Hehmeyer.
