Leadership in Organizational Change | Social Business | Trust | Privacy | Security 


When Why Matters in Privacy Law – Use Questions To Create Business Opportunity


When discussing privacy with clients, it is important to realize that many consumers, companies and legislators have become sensitized to information privacy solely as it relates to online activities.

The flurry of discussions in social media, proposed and passed legislation or regulations related to the collection and use of consumers’ personally identifiable information (PII) on the Internet can divert attention away from equally important privacy issues in the physical world. One example is the collection of PII by merchants at the point of sale (POS).

Collection may occur at a cash register, kiosk or gas pump.

Last year, Pineda v. Williams-Sonoma Stores brought attention to the practice of requesting or collecting a customer’s zip code, for marketing purposes. The CA Supreme Court ruled that a ZIP code constitutes “personal identification information” and requiring collection of ZIP codes was in violation of section 1747.08 of the Song-Beverly Credit Card Act of 1971 (Credit Card Act).

For purposes of this section “personal identification information,” means information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.

The Court ruled that since a ZIP code is a component of a cardholder’s address, it is protected under section 1747.08.

There are important exceptions to this rule. Merchants are allowed to require and record PII in the following instances:

  1. If the credit card is being used as a deposit to secure payment in the event of default, loss, damage, or other similar occurrence.
  2. Cash advance transactions.
  3. If any of the following applies to the person, firm, partnership, association, or corporation accepting the credit card:
     (A) it is contractually obligated to provide personal identification information in order to complete the credit card transaction;
     (B) in a sales transaction at a retail motor fuel dispenser or retail motor fuel payment island automated cashier, it uses the ZIP code information solely for prevention of fraud, theft, or identity theft;
     (C) it is obligated to collect and record the personal identification information by federal or state law or regulation.

Other exceptions include instances when:

  • personal identification information is required for a special purpose that is incidental, but related to the individual credit card transaction, including, but not limited to, information relating to shipping, delivery, servicing, or installation of the purchased merchandise, or for special orders.
  • the cardholder pays for the transaction with a credit card number and does not make the credit card available upon request to verify the number, the cardholder’s driver’s license number or identification card number may be recorded on the credit card transaction form or otherwise.

When Why Matters

After the Pineda v. Williams-Sonoma Stores ruling, there was a rush of lawsuits brought against merchants that required a zip code at the POS. Many gas stations require that a customer provide their zip code when paying for gasoline or other services. In Flores v. Chevron, a customer alleged that the practice at gas stations of asking for the billing ZIP Code of the credit card being used to purchase gas violated the Song-Beverly Credit Card Act.

On March 14, 2012 a California district court ruled that gas stations gathering ZIP Codes for fraud prevention did not violate the Song-Beverly Credit Card Act. As noted above, a gas station collecting PII solely for prevention of fraud, theft, or identity theft is exempt from section 1747.08.

Secondary Use

Had Williams-Sonoma Stores stated that they collected PII solely for fraud prevention they may have been able to make a case for an exception even though they are not a retail motor fuel dispenser. This argument may not have held up in court, but it would have been more defensible than collecting personal data for marketing purposes.

If a merchant states that PII is collected solely for fraud prevention, but then utilizes the collected data for marketing without advising consumers – and obtaining permission – for such secondary uses, the merchant may be exposing itself to liability for violation of the Choice / Consent section of the Fair Information Practice Principles, enforced by the Federal Trade Commission (FTC).

Specifically, choice relates to secondary uses of information – i.e., uses beyond those necessary to complete the contemplated transaction. Such secondary uses can be internal, such as placing the consumer on the collecting company’s mailing list in order to market additional products or promotions, or external, such as the transfer of information to third parties.

Business Opportunity

Viewing this situation solely as a matter of compliance misses the opportunity to change a potentially negative or neutral engagement with consumers into an opportunity to promote your organization in a positive way.

Compliance should not be an end in itself. There is much more that can be gained by understanding the spirit of the regulation! Consumer Privacy is really about Consumer Trust.

Customers who take the time to voice concerns over your company’s practices are likely either sensitive to potential misuse of their data, interested in causing embarrassment, or fishing for grounds for a lawsuit.

Leaving such a customer frustrated or angry, and letting them vent those frustrations within earshot of other customers at your place of business, risks damaging both your reputation and the customer experience. You want to inspire loyalty, not generate doubts in others who overhear such questions, or at the very least not discourage repeat commerce.

This ruling illustrates why a merchant should have a policy stating why PII is being recorded. Such a policy will clearly state the purpose for collecting personal data. It may be wise to educate employees about why the cardholders’ ZIP code is required so they can answer queries by customers.

Given that business owners may be uncomfortable entrusting the explanation of corporate policy and regulations to cashiers or attendants, merchants can post a short explanation with an easily recalled URL or toll-free phone number where consumers can obtain a friendly explanation of the rule and of your desire to answer questions about your practices.

Further, encourage consumers to participate! Provide them an opportunity to comment on the response they received to their question. There is potential for an additional benefit: to gauge employee performance, drive organizational change and reinforce expected behaviors by your staff. Make sure to take advantage of the opportunity to pass along praise, or another tangible reward, when a customer gives positive feedback in these interactions. This makes it a win-win situation.

Again, this is an opportunity for merchants to deepen their relationship with consumers by reinforcing the customer care message. Instead of simply presenting the customer with a legal disclaimer, use the opportunity to engage the customer in a dialogue.

Consider links to best practices for consumer protection, other corporate social responsibility programs and the opportunity to leave comments. Give the customer the opportunity to voluntarily provide contact information to receive a reply or additional information. Do not, however, let information become outdated or requests for interaction go unanswered.


Changes to Corporate Security – NIST vs. ISO 27000


Today’s post provides an example of an organizational change being discussed in many firms contemplating the use of social media, and its evolution to social business in a global economy. Adoption of “social” introduces new risks and opportunities to US corporations. The likelihood of doing business in, having shareholders in, outsourcing to, or partnering in international markets continues to increase.

Adoption of International standards for technology, privacy and security should not be left to IT. Information Security Governance is a business decision. Boards of Directors and Senior Management must be involved to effectively lead the cultural change, commit capital and human resources, make appropriate changes to HR metrics, policy and job descriptions.

When it comes to technology, too often company executives cede decision making to the IT department…It would be reasonable to assume that the CRM and ERP fiascoes were the result of technological snafus in getting the complex systems up and running. But in fact the problems generally occurred because senior executives failed to realize that adopting the systems posed a business—not just a technological—challenge. Consequently, they didn’t take responsibility for the organizational and business process changes the systems required. - Six IT Decisions Your IT People Shouldn’t Make – Who Decides How Much to Spend on IT?

Benefits of Standardization

Adopting an international security standard protects firms in new markets and demonstrates due diligence and an understanding of international customer expectations. Developing a common understanding of opportunity and risk facilitates discussion of due care in the implementation of appropriate controls. Use of an internationally vetted framework also facilitates corporate activities such as mergers and acquisitions (M&A), joint ventures (JV), partnerships, or marketing commercial offerings to other businesses.

Two businesses contemplating a joint venture or use of a service will find it easier to compare and contrast compatibility and resource needs when both are based on a common standard. In the case of a potential or actual merger, it is easier for companies to assess the monetary value of each party’s data. It is not unusual for the value of data resources to be a factor or even the driving force in a merger today. Other non-trivial considerations include potential savings in on-boarding training, annual security awareness training and audits.

Which standard is right for your organization?

NIST 800 Risk Management Framework (RMF)

One of the well-known security frameworks considered by organizations is the NIST Information Security Risk Management Framework (the SP 800 series, used for Certification & Accreditation of Federal Information Systems under FISMA). NIST incorporates controls from ISO 27002 along with other government and non-government frameworks; see NIST SP 800-53 for a control mapping table. While the NIST Risk Management Framework provides the pieces and parts for an effective security program, it is aimed at government agencies.

One major issue corporate security teams will encounter when trying to base a program on the NIST SP-800 Risk Management Framework is that publicly traded organizations are not bound to the same security assumptions and requirements as government agencies. Government organizations are established to fulfill legislated missions, and are required to collect, store, manipulate and report sensitive data.

To gain an appreciation of the intricate links between the NIST RMF components, take a look at the course “Applying the Risk Management Framework to Federal Information Systems.” This course provides those new to risk management with an overview of a methodology for managing organizational risk. In a publicly traded organization, some or all of these activities are governed by cost-benefit analysis, Boards of Directors, and shareholder opinion.

The complexity of the NIST framework is another factor that affects uptake in the for-profit space. I see security teams attempt to adopt one or two components of the NIST framework without understanding the linkages between activities at the front end (e.g. FIPS 199 security categorization or FIPS 200 minimum security requirements, which mandate the use of SP 800-53) and successful implementation of the RMF.

The FIPS standards provide the raw materials that make the later components of the NIST RMF effective. Data and systems classification, a set of mandated minimum security requirements, and detailed inventories of where sensitive data is stored, used and shared are not undertaken by the majority of corporations. At best, there may be a limited set of data flow diagrams used to comply with SOX or PCI, and these are rarely comprehensive or kept up to date.
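The front-end linkage described above (FIPS 199 categorization feeding the FIPS 200 high-water mark, which in turn selects an SP 800-53 baseline) is mechanical enough to show in code. The following is an added illustration, not code from this post or from NIST; the information types and impact values are a constructed sample inventory for a fictional retail point-of-sale system, not values taken from SP 800-60 or any real system.

```python
"""FIPS 199 style security categorization and the FIPS 200 high-water mark.

Added illustration only. Information types and impact levels below are
constructed sample data, not drawn from SP 800-60 or a real inventory.
"""
from enum import IntEnum
from typing import Dict, Iterable, Tuple


class Impact(IntEnum):
    """FIPS 199 potential impact levels. N/A may be assigned only to the
    confidentiality objective of an information type (e.g. public data)."""
    NOT_APPLICABLE = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")

# One information type: (name, confidentiality, integrity, availability).
InfoType = Tuple[str, Impact, Impact, Impact]

# Constructed sample inventory for a fictional point-of-sale system.
SAMPLE_INFO_TYPES: Tuple[InfoType, ...] = (
    ("public product catalog", Impact.NOT_APPLICABLE, Impact.LOW, Impact.LOW),
    ("customer PII (name, address, ZIP code)", Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    ("payment authorization records", Impact.MODERATE, Impact.HIGH, Impact.MODERATE),
)


def categorize_information_type(info_type: InfoType) -> Dict[str, Impact]:
    """Security category of one information type; N/A is rejected anywhere
    except confidentiality, as FIPS 199 requires."""
    name, conf, integ, avail = info_type
    if Impact.NOT_APPLICABLE in (integ, avail):
        raise ValueError(f"{name}: N/A is only permitted for confidentiality")
    return {"confidentiality": conf, "integrity": integ, "availability": avail}


def categorize_system(info_types: Iterable[InfoType]) -> Dict[str, Impact]:
    """FIPS 199 system categorization: for each objective, the highest impact
    across every information type the system handles. A system itself can
    never be N/A, so each objective is floored at LOW."""
    system = {obj: Impact.LOW for obj in OBJECTIVES}
    for info_type in info_types:
        for obj, level in categorize_information_type(info_type).items():
            system[obj] = max(system[obj], level)
    return system


def select_baseline(system_category: Dict[str, Impact]) -> str:
    """FIPS 200 high-water mark: the overall system impact level, which picks
    the LOW, MODERATE or HIGH control baseline from SP 800-53."""
    return max(system_category.values()).name


def format_category(system_category: Dict[str, Impact]) -> str:
    """Render in the SC = {(objective, level), ...} notation used by FIPS 199."""
    pairs = ", ".join(f"({obj}, {level.name})" for obj, level in system_category.items())
    return "SC = {" + pairs + "}"


if __name__ == "__main__":
    sc = categorize_system(SAMPLE_INFO_TYPES)
    print(format_category(sc))
    print("SP 800-53 baseline:", select_baseline(sc))
```

The point the code makes is the one the paragraph makes: without an inventory of information types and their impact levels (the FIPS 199 step), there is no defensible way to pick a baseline, and a team that starts from the SP 800-53 catalog alone is choosing controls without knowing which ones the system actually requires.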

ISO 27000

One of the most widely known standards for information security is the ISO 27002 Code of Practice, included in the information security management system (ISMS) family of standards published by the International Standards Organization (ISO). Many US organizations use ISO 27002 as a basis for their security programs.

The ISO 27000 family is much friendlier to commercial businesses: it does not require security managers to translate government-speak for senior management, and it includes multiple documents that address different components and applications, for example:

  • ISO 27000: Overview and vocabulary
  • ISO 27001: Specification of requirements for the certified implementation of security controls customized to the needs of individual organizations.
  • ISO 27002: Code of Practice provides recommendations and general principles for initiating, implementing, maintaining, and improving information security management in an organization.
  • ISO 27003: Implementation Guidance focuses on the critical aspects needed for successful design, implementation and certification by ISO of an Information Security Management System (ISMS); used with ISO 27001.
  • ISO 27004: Provides guidance on the development and use of measures and measurement in order to assess the effectiveness of an implemented information security management system (ISMS).
  • ISO 27005: Provides guidelines for information security risk management.
  • ISO 27006: Specifies requirements and provides guidance for bodies providing audit and certification of an information security management system (ISMS).
  • ISO 27011: Defines guidelines supporting the implementation of information security management in telecommunications organizations.
  • ISO 27031: Guidelines for information and communications technology readiness for business continuity
  • ISO 27033-1: Network security overview and concepts
  • ISO 27035: Security incident management
  • ISO 27799: Information security management in health using ISO/IEC 27002

Note: Some of you may have heard of ISO 17799. This document was renumbered by the ISO as ISO 27002. The technical information in ISO 27002 is the same as that in ISO 17799.

Take a look at Treat Data As Dollars for additional thoughts on security classification.
