How Digital Trust Drives Culture Change

1. Social relationships and rights to data privacy were first tested in the 19th century, when the camera became widely available. Photographers could use the likenesses of others without permission, often making money through the sale of images to newspapers and advertisements. See S. Warren and L. Brandeis, “The Right to Privacy,” Harvard Law Review 4, no. 5 (Dec. 15, 1890): 193-220.

2. T. Kopan, “Exclusive: Government Transparency Site Revealed Social Security Numbers, Other Personal Info,” Sept. 3, 2018, www.cnn.com; and H. Kelly, “California Passes Strictest Online Privacy Law in the Country,” June 29, 2018, https://money.cnn.com.

3. Adaptation based on qualitative data analysis using organizational culture categories. W.I. Sauser, Jr., “Crafting a Culture of Character: The Role of the Executive Suite,” in Executive Ethics: Ethical Dilemmas in and Challenges for the C-Suite, eds. S. Quatro and R.R. Sims (Charlotte, NC: Information Age Publishing, 2008), 1-17.

4. H. Xu et al., “Information Privacy Concerns: Linking Individual Perceptions With Institutional Privacy Assurances,” Journal of the Association for Information Systems 12, no. 12 (December 2011): 798-824.

5. CCPA, effective Aug. 31, 2018, applies to companies that collect consumers’ personal information (PI), do business in California, and have annual gross revenues in excess of $50 million; annually sell PI relating to 100,000 or more consumers or devices; or derive 50% or more of their annual revenues from selling consumers’ PI. “Consumer” is defined as a natural person who is a California resident (an individual who is in California for other than a temporary or transitory purpose or is domiciled in California who is outside California for a temporary or transitory purpose). More amendments are likely through Jan. 1, 2020. See P.G. Patel, N.D. Taylor, and A.E. Laks, “Less Is Less: California Legislature Amends Limited Aspects of California Consumer Privacy Act,” client alert, Morrison & Foerster, Sept. 4, 2018, www.mofo.com.

6. A. Buff, B.H. Wixom, and P. Tallon, “Foundations for Data Monetization,” working paper 402, MIT Sloan Center for Information Systems Research, Cambridge, Massachusetts, August 2015; B.H. Wixom and J.W. Ross, “How to Monetize Your Data,” MIT Sloan Management Review, Jan. 9, 2017; and H. Kelly, “California Passes Strictest Online Privacy Law in the Country.”

7. Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, Public Law 111-5, Title VIII.

8. “The DoD Cybersecurity Policy Chart,” Cyber Security and Information Systems Information Analysis Center, updated June 12, 2018. The April 2018 update to the NIST Core Functions that “are not intended to form a serial path, or lead to a static desired end state [but should instead] be performed concurrently and continuously to form an operational culture that addresses the dynamic cybersecurity risk”; see M.P. Barrett, “Framework for Improving Critical Infrastructure Cybersecurity,” National Institute for Standards and Technology, April 16, 2018, www.nist.gov.

9. SANS Institute Editorial Board and archived commentaries.

10. H. Kelly, “California Passes Strictest Online Privacy Law in the Country.”

11. Privacy as a right is a sentiment shared by the authors but also documented in D. Lazarus, “FCC Hasn’t Closed Door on Regulating ‘Pay for Privacy’ Internet Pricing Model,” Los Angeles Times, Aug. 11, 2018. FCC rules from 2016 regulate baseline requirements for ISPs regarding data privacy to curb market behavior; see B. Fung and C. Timberg, “The FCC Just Passed Sweeping New Rules to Protect Your Online Privacy,” Washington Post, Oct. 7, 2016.

12. Federal Trade Commission National Do-Not-Call Registry, www.donotcal.gov; Federal Trade Commission “National Do-Not-Email Registry: A Report to Congress,” June 2004.

13. We suggest that Ed Schein’s analysis of trust structures within organizations can be updated for the digital age. E. Schein, “Coming to a New Awareness of Organizational Culture,” Sloan Management Review 25, no. 2 (winter 1984): 3.