Privacy is a right, not a privilege. But organizations and leadership often struggle when it comes to adapting their culture toward digital trust and stewardship.

The past year has been critical for Facebook’s reputation, with the tech giant coming under scrutiny following extensive, high-profile data privacy breaches. The failure of Facebook to provide good answers to tough questions about how and why it uses citizens’ data has exposed the cracks in the trust infrastructure that underpins our digital economy. Today, companies can be considered “cybersecure” but still not employ processes that ensure the security of internal data and the integrity of data relations with external stakeholders.

We have entered a critical moment in the evolution of the digital economy where we must question where and how personal data should be used and determine who has the right to gain commercial profits from the insights generated by users’ digital data.1 Organizations must think critically about their own digital trust — an umbrella term we use to describe the behavioral guidelines and cultural principles that include data privacy, security, protection, and stewardship.

Beliefs and behaviors in today’s virtual world blur the definitions and boundaries of responsibility for data privacy, which is reshaping consumers’ expectations of protection. Organizations seeking to adapt their culture toward better digital trust face many challenges. By identifying a typology of behaviors and attitudes of different kinds of companies, we have determined four techniques that organizations can use to map their journey from compliance to trust.

Investigating Digital Trust

When an organization goes through a privacy and breach disclosure effort, actions are typically driven by compliance requirements and regulatory changes, while the underlying culture around digital trust within the organization often remains unchanged. For every interaction where data is shared between a private individual and an organization, there is an implicit zone of trust created between the parties. The fallout from recent data breaches — whether due to apparent disregard for citizens’ data or inadvertent disclosure2 — suggests appraisal of this trust relationship is overdue. The introduction of formal measures may enable organizations to differentiate themselves on a scale for digital trust (similar to the Ponemon Institute trust rankings), promoting and perhaps incentivizing digital trust across the business ecosystem.

In December 2017, we surveyed 83 members of a U.S. consortium of information technology and security executives to understand what goes on in their companies in the context of digital trust and to explore their attitudes toward data privacy and breach disclosure.

References

1. Social relationships and rights to data privacy were first tested in the 19th century, when the camera became widely available. Photographers could use the likenesses of others without permission, often making money through the sale of images to newspapers and advertisements. See S. Warren and L. Brandeis, “The Right to Privacy,” Harvard Law Review 4, no. 5 (Dec. 15, 1890): 193-220.

2. T. Kopan, “Exclusive: Government Transparency Site Revealed Social Security Numbers, Other Personal Info,” Sept. 3, 2018, www.cnn.com; and H. Kelly, “California Passes Strictest Online Privacy Law in the Country,” June 29, 2018, https://money.cnn.com.

3. Adaptation based on qualitative data analysis using organizational culture categories. W.I. Sauser, Jr., “Crafting a Culture of Character: The Role of the Executive Suite,” in Executive Ethics: Ethical Dilemmas in and Challenges for the C-Suite, eds. S. Quatro and R.R. Sims (Charlotte, NC: Information Age Publishing, 2008), 1-17.

4. H. Xu et al., “Information Privacy Concerns: Linking Individual Perceptions With Institutional Privacy Assurances,” Journal of the Association for Information Systems 12, no. 12 (December 2011): 798-824.

5. CCPA, effective Aug. 31, 2018, applies to companies that collect consumers’ personal information (PI), do business in California, and have annual gross revenues in excess of $50 million; annually sell PI relating to 100,000 or more consumers or devices; or derive 50% or more of their annual revenues from selling consumers’ PI. “Consumer” is defined as a natural person who is a California resident (an individual who is in California for other than a temporary or transitory purpose or is domiciled in California who is outside California for a temporary or transitory purpose). More amendments are likely through Jan. 1, 2020. See P.G. Patel, N.D. Taylor, and A.E. Laks, “Less Is Less: California Legislature Amends Limited Aspects of California Consumer Privacy Act,” client alert, Morrison & Foerster, Sept. 4, 2018, www.mofo.com.

6. A. Buff, B.H. Wixom, and P. Tallon, “Foundations for Data Monetization,” working paper 402, MIT Sloan Center for Information Systems Research, Cambridge, Massachusetts, August 2015; B.H. Wixom and J.W. Ross, “How to Monetize Your Data,” MIT Sloan Management Review, Jan. 9, 2017; and H. Kelly, “California Passes Strictest Online Privacy Law in the Country.”

7. Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, Public Law 111-5, Title VIII.

8. “The DoD Cybersecurity Policy Chart,” Cyber Security and Information Systems Information Analysis Center, updated June 12, 2018. The April 2018 update to the NIST framework describes the Core Functions as ones that “are not intended to form a serial path, or lead to a static desired end state [but should instead] be performed concurrently and continuously to form an operational culture that addresses the dynamic cybersecurity risk”; see M.P. Barrett, “Framework for Improving Critical Infrastructure Cybersecurity,” National Institute of Standards and Technology, April 16, 2018, www.nist.gov.

9. SANS Institute Editorial Board and archived commentaries.

10. H. Kelly, “California Passes Strictest Online Privacy Law in the Country.”

11. Privacy as a right is a sentiment shared by the authors but also documented in D. Lazarus, “FCC Hasn’t Closed Door on Regulating ‘Pay for Privacy’ Internet Pricing Model,” Los Angeles Times, Aug. 11, 2018. FCC rules from 2016 regulate baseline requirements for ISPs regarding data privacy to curb market behavior; see B. Fung and C. Timberg, “The FCC Just Passed Sweeping New Rules to Protect Your Online Privacy,” Washington Post, Oct. 7, 2016.

12. Federal Trade Commission National Do-Not-Call Registry, www.donotcall.gov; Federal Trade Commission, “National Do-Not-Email Registry: A Report to Congress,” June 2004.

13. We suggest that Ed Schein’s analysis of trust structures within organizations can be updated for the digital age. E. Schein, “Coming to a New Awareness of Organizational Culture,” Sloan Management Review 25, no. 2 (winter 1984): 3.