The flurry of discussions in social media, proposed and passed legislation or regulations related to the collection and use of consumers’ personally identifiable information (PII) on the Internet can divert attention away from equally important privacy issues in the physical world. One example is the collection of PII by merchants at the point of sale (POS).

Collection may occur at a cash register , kiosk or gas pump.

Last year, Pineda v. Williams-Sonoma Stores brought attention to the practice of requesting or collecting a customer’s zip code, for marketing purposes. The CA Supreme Court ruled that a ZIP code constitutes “personal identification information” and requiring collection of ZIP codes was in violation of section 1747.08 of the Song-Beverly Credit Card Act of 1971 (Credit Card Act).

For purposes of this section “personal identification information,” means information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.

The Court ruled that since a ZIP code is a component of a cardholder’s address, it is protected under section 1747.08.

There are important exceptions to this rule. Merchants are allowed to require and record PII in the following instances:

1. If the credit card is being used as a deposit to secure payment in the event of default, loss, damage, or other similar occurrence.
2. Cash advance transactions.
3. If any of the following applies: The person, firm, partnership, association, or corporation accepting the credit card is

(A) contractually obligated to provide personal identification information in order to complete the credit card transaction.
(B) a sales transaction at a retail motor fuel dispenser or retail motor fuel payment island automated cashier uses the Zip Code information solely for prevention of fraud, theft, or identity theft.
(C) is obligated to collect and record the personal identification information by federal or state law or regulation.

Other exceptions include instances when:

• personal identification information is required for a special purpose that is incidental, but related to the individual credit card transaction, including, but not limited to, information relating to shipping, delivery, servicing, or installation of the purchased merchandise, or for special orders.
• the cardholder pays for the transaction with a credit card number and does not make the credit card available upon request to verify the number, the cardholder’s driver’s license number or identification card number may be recorded on the credit card transaction form or otherwise.

When Why Matters

After the Pineda v. Williams-Sonoma Stores ruling, there was a rush of lawsuits brought against merchants that required a zip code at the POS. Many gas stations require that a customer provide their zip code when paying for gasoline or other services. In Flores v. Chevron, a customer alleged that the practice at gas stations of asking for the billing ZIP Code of the credit card being used to purchase gas violated the Song-Beverly Credit Card Act.

On March 14, 2012 a California district court ruled that gas stations gathering ZIP Codes for fraud prevention did not violate the Song-Beverly Credit Card Act. As noted above, a gas station collecting PII solely for prevention of fraud, theft, or identity theft is exempt from section 1747.08.

Secondary Use

Had Williams-Sonoma Stores stated that they collected PII solely for fraud prevention they may have been able to make a case for an exception even though they are not a retail motor fuel dispenser. This argument may not have held up in court, but it would have been more defensible than collecting personal data for marketing purposes.

If a merchant states that PII is collected solely for fraud prevention, but then utilizes the collected data for marketing without advising consumers – and obtaining permission – for such secondary uses, the merchant may be exposing itself to liability for violation of the Choice / Consent section of the Fair Information Practice Principles, enforced by the Federal Trade Commission (FTC).

Specifically, choice relates to secondary uses of information – i.e., uses beyond those necessary to complete the contemplated transaction. Such secondary uses can be internal, such as placing the consumer on the collecting company’s mailing list in order to market additional products or promotions, or external, such as the transfer of information to third parties.

Business Opportunity

Viewing this situation solely as a matter of compliance misses the opportunity to change a potentially negative or neutral engagement with consumers into an opportunity to promote your organization in a positive way.

Compliance should not be an end in itself. There is much more that can be gained by understanding the spirit of the regulation! Consumer Privacy is really about Consumer Trust.

Customers who take the time to voice concerns over your company’s practices are likely sensitive to potential misuse of their data, interested in causing embarrassment or fishing for grounds for a lawsuit.

Leaving such a customer frustrated or angry and potentially negatively affecting others in proximity when they vent those frustrations at your place of business risks damage to reputation and a positive  customer experience. You want to inspire loyalty, not generate doubts in others within earshot of such questions – or at least not discourage repeat commerce.

This ruling illustrates why a merchant should have a policy stating why PII is being recorded. Such a policy will clearly state the purpose for collecting personal data. It may be wise to educate employees about why the cardholders’ ZIP code is required so they can answer queries by customers.

Given that business owners may be uncomfortable entrusting explanation of corporate policy and regulations to cashiers or attendants, merchants can post a short explanation with an easily recalled URL or toll-free phone number where consumer’s can obtain a friendly explanation of the rule and your desire to provide answers about your practices.

Further, encourage consumers to participate! Provide them an opportunity to comment on the response they received to their question. There is potential for an additional benefit  - to gauge employee performance, drive organizational change and to reinforce expected behaviors by your staff. Make sure to take advantage of the opportunity to pass along praise, or another tangible reward, when a customer gives positive feedback in these interactions. This makes it a win-win situation.

Again, this is an opportunity for merchants to deepen their relationship with consumers by reinforcing the customer care message. Instead of simply presenting the customer with a legal disclaimer, use the opportunity to engage the customer in a dialogue.

Consider links to best practices for consumer protection, other corporate social responsibility programs and the opportunity to leave comments. Give the customer the opportunity to voluntarily provide contact information to receive a reply or additional information. Do not, however, let information become outdated or requests for interaction go unanswered.

Adoption of International standards for technology, privacy and security should not be left to IT. Information Security Governance is a business decision. Boards of Directors and Senior Management must be involved to effectively lead the cultural change, commit capital and human resources, make appropriate changes to HR metrics, policy and job descriptions.

When it comes to technology, too often company executives cede decision making to the IT department…It would be reasonable to assume that the CRM and ERP fiascoes were the result of technological snafus in getting the complex systems up and running. But in fact the problems generally occurred because senior executives failed to realize that adopting the systems posed a business—not just a technological—challenge. Consequently, they didn’t take responsibility for the organizational and business process changes the systems required. - Six IT Decisions Your IT People Shouldn’t Make – Who Decides How Much to Spend on IT?

Benefits of Standardization

Adopting an international security standard protects firms in new markets and demonstrates due diligence and understanding of international customer expectations. Developing a common understanding of opportunity and risk facilitates discussion of due care in the implementation of appropriate controls. Use of an internationally-vetted framework also facilitates corporate activities such as merger and acquisition (M&A), joint ventures (JV), partnerships or, marketing commercial offerings to other businesses.

Two businesses contemplating a joint venture or use of a service will find it easier to compare and contrast compatibility and resource needs when both are based on a common standard. In the case of a potential or actual merger, it is easier for companies to assess the monetary value of each parties’ data. It is not unusual for the value of data resources to be a factor or even driving force in a merger today. Other non-trivial considerations include potential on-boarding training, annual security awareness training and audit savings.

Which standard is right for your organization?

NIST 800 Risk Management Framework (RMF)

One of the well-known security frameworks considered by organizations is the NIST Information Security Risk Management Framework (SP-800 used for Certification & Accreditation of Federal Information Systems or FISMA). NIST incorporates controls from ISO 27002 with other government and non-government frameworks. See NIST SP800-53 for a control mapping table. While the NIST Risk Management Framework provides the pieces and parts for an effective security program, it is aimed at government agencies.

One major issue corporate security teams will encounter when trying to base a program on the NIST SP-800 Risk Management Framework is that publicly traded organizations are not bound to the same security assumptions and requirements as government agencies. Government organizations are established to fulfill legislated missions, and are required to collect, store, manipulate and report sensitive data.

To gain an appreciation of the intricate links between the NIST RMF components, take a look at the course “Applying the Risk Management Framework to Federal Information Systems.” This course  provides those new to risk management an overview of a methodology for managing organizational risk. Some or all of these activities in a publicly traded organization are governed by cost-benefit analysis, Boards of Directors, and shareholder opinion.

The complexity of the NIST framework is another factor that effects uptake in the for profit space. I see security teams attempt to take one or two components of the NIST framework without understanding the linkages between activities at the front-end (e.g. FIPS 199 Security Classification or FIPS 200 Minimum Security Requirements that mandate the use of SP 800-53) and successful implementation of the RMF.

The FIPS standards provide the raw materials to make later components  of the NIST RMF effective. Data and Systems classification, and a set of mandated minimum security requirements and detailed inventories of where sensitive data is stored, used and shared are not undertaken by the majority of corporations. At best, there may be a limited set of data flow diagrams used to comply with SOX or PCI. These are rarely comprehensive or updated.

ISO 27000

One of the most widely known standards for information security is the ISO 27002 Code of Practice, included in the information security management system (ISMS) family of standards published by the International Standards Organization (ISO). Many US organizations use ISO 27002 as a basis for their security programs.

The ISO 27000 family is much friendlier to commercial businesses and does not require security managers to translate government-speak for Sr. Management and there are multiple documents included to address different components and applications, for example:

• ISO 27000: Overview and vocabulary
• ISO 27001: Specification of requirements for the certified implementation of security controls customized to the needs of individual organizations.
• ISO 27002: Code of Practice provides recommendations and general principles for initiating, implementing, maintaining, and improving information security management in an organization.
• ISO 27003: Implementation Guidance focuses on the critical aspects needed for successful design, implementation and certification by ISO of an Information Security Management System (ISMS)- used with ISO 27001.
• ISO 27004: Provides guidance on the development and use of measures and measurement in order to assess the effectiveness of an implemented information security management system (ISMS).
• ISO 27005: Provides guidelines for information security risk management.
• ISO 27006: Specifies requirements and provides guidance for bodies providing audit and certification of an information security management system (ISMS).
• ISO 27011: Defines guidelines supporting the implementation of information security management in telecommunications organizations.
• ISO 27031: Guidelines for information and communications technology readiness for business continuity
• ISO 27033-1: Network security overview and concepts
• ISO 27035: Security incident management
• ISO 27799: Information security management in health using ISO/IEC 27002

Note:Some of you may have heard of ISO 17799. This document was renumbered by the ISO as ISO 27002. The technical information in ISO 27002 is the same as that in ISO 17799.

Take a look at Treat Data As Dollars for additional thoughts on security classification.

Anyone with a thousand or more employees will likely have over 170, mostly unmanaged, social media accounts. With each new tool introduced, like Pinterest, companies rush to get onboard without thinking about how it fits into their business strategy or customer expectations.   Too bad all that time has been wasted. - Rob Tarkoff, CEO of Lithium speaking in Keynote 

If R. Tarkoff’s assertion is correct, many companies are missing the point of social as a way to connect with their customers. Said companies are also missing fundamental governance of employees’ and / or communications channels. As more American firms become service providers, can we really afford to offer a hand to customers, and then ignore customer’s response?

Imagine if all of these unmanaged social channels were phone lines listed as Customer Care on web sites or in print ads – yet no one checked for messages. Any customer reaching out to the company through that number would go unanswered and eventually doubt their trust and willingness to continue buying the company’s product or service.

Such a notion seems antithetical to the idea that so many companies claim to be customer-centric or social businesses. In response to this phenomenon Lithium announced a new product designed to “show companies a path forward to delivering a holistic customer experience, as defined by their customers.”

I am left wondering how a new product line will cure this sort of mismanagement of customer’s trust. Without a fundamental shift in the mindset of these companies it’s easy to imagine that the situation will not effectively change. I don’t question Tarkoff or Lithium’s intent here. The problem seems to be with companies that still see social media as a one-way communications path.

To me, it looks like a change leadership problem more than a technology problem. Some companies / people fail to change even when opportunities or threats stare them in the face, they fail to see the need to change.

Is R. Tarkoff’s assertion correct?

A relatively small number of individuals within most organizations carry out the processes of setting corporate direction, developing and changing organizational strategy. Whether or not most employees get to participate in setting corporate direction, each employee accepts some responsibility for attaining that vision.

Empowered employees want to participate, rather than simply accepting delegated responsibilities without understanding how the pieces fit together. For those empowered employees who want to break through the brain barriers that hold them back, the following sections describe the interrelationship between strategy, leadership, and vision, three high-level business concepts.

An understanding of these processes is necessary to allow leaders and managers to interact and devise methods that allow managers to translate corporate vision into actionable behaviors required of employees, who embody the vision when dealing with customers, other employees, partners, and vendors.

Vision

Vision may be likened to a goal or destination that the company hopes to attain in the distant future. Unfortunately, discussions about Vision are often framed in mystical terms, implying a journey ill-advised for mere mortals. This obfuscation is likely due to a lack of understanding of the process.

When developing the corporate Vision, leaders often spend considerable time collecting and analyzing large amounts of historical data, learning about competitors, observing business and political trends and looking for patterns, relationships, and linkages that help explain recent events in an attempt to anticipate future changes.

Kotter described vision, in his 1996 book Leading Change, as a word that often connotes something grand or even mystical.   The article “Building Your Company’s Vision“, by J. C. Collins & J.I Porras in Harvard Business Review similarly explains that “Vision is one of the most overused and least understood words in the language, conjuring up different images for different people: of deeply held values, outstanding achievement, societal bonds, exhilarating goals, motivating forces, or raisons d’être.” If you were wondering - Raison d’être is a French phrase meaning “reason for existence.”

Vision, in more mundane terms, lays out the broad, theoretical destination of an organization. It embodies the hopes, dreams, and aspirations that guide strategy, which in turn chooses actions taken to move the organization from its current location toward the envisioned destination (Give Your Organization Serious Traction: Part 1 by Stever Robbins, Harvard Business School – Working Knowledge, 2005). A well-conceived vision consists of two major components, a core ideology, and the envisioned future.

The core ideology defines enduring concepts or a code of ethics that exist within and guides the leadership of an organization. These concepts are not to be confused with core competencies or business goals. The core ideology is a set of guiding principles to inspire those with a long-term commitment to the organization; similar, conceptually, to the orientation purpose that the North Star serves for maritime navigation.

The vision is expressed as a descriptive narrative of a time ten, thirty, or more years away. This view includes an idealized outcome resulting from the organization’s contribution to its clients or the World resulting from the dedicated adherence to its core values. The vision is meant to inspire workers to connect with larger goals and to feel part of creating a better future.

Strategy

Strategy links the destination described in the Vision with the organization’s current location relative to market conditions, competitive landscape, and regulatory environment. Strategy is akin to answering the question of how we might trek from one location to another point, using a compass instead of a road map. Knowing the current location and the envisioned destination the organization plots a general course toward the goal. Since companies rarely occupy any market without competition for resources, consideration must be given to efficiently serving customer needs and desires by devising an effective route that is likely to allow the company to attain the short-term goal before its competitors.

On any journey, encountering unforeseen obstacles may require plotting an alternate course toward the Vision. In business terms, this obstacle might include such circumstances as a recession, failure to obtain government approval or lack of efficient technology to perform a production task effectively for manufacturing a new product.

When faced with some constraint on pursuing a direct path to the envisioned goal, strategy provides alternative routes to achieve the original short-term goal or recognition of an alternative solution such as hiring new personnel to develop the required technology in-house, merging or partnering with another firm that has the required capability to bring the product to market before competitors.

Leadership

Leaders are responsible for developing actionable strategy, and to recommend course changes aligned with the firms’ ideology to reach the envisioned future. While the task is arduous, it is hardly mystical.

Leadership is the process through which organizations cope with the changes required along the trek toward the envisioned destination. In a 2001 Harvard Business Review article What Leaders Really Do, Kotter states “Leading an organization to constructive change begins by setting a direction developing a vision of the future (often the distant future) along with strategies for producing the changes needed to achieve that vision.”

Leaders are responsible for motivation and inspiration that keeps people in the organization moving toward attainment of the vision “by appealing to basic but often untapped human needs, values, and emotions.” The leadership does not provide tactical plans; it creates vision and strategies. These describe a business, technology, or corporate culture in terms of what it should become over the long term and articulate a feasible way of achieving this goal (Kotter, 2001).

Managers  bear responsibility for coping with the complexities of daily operations. This includes imposing a semblance of order and consistency by “organizing and staffing-creating an organizational structure and set of jobs for accomplishing plan requirements, staffing the jobs with qualified individuals, communicating the plan to those people, delegating responsibility for carrying out the plan, and devising systems to monitor implementation” (Kotter, 2001).

This includes interacting with organizational leadership to ensure the vision is clear. After the destination is clearly understood by employees, managers must work with leadership to develop and implement tools necessary to translate the organization’s vision into actionable behaviors.

Why This Matters

You may recall the 8 common errors found in change initiatives, listed in the post Individual and Organizational Social Transformations. The third error that Kotter lists is failure to communicate the value of the desired change in a way that can successfully “direct, align, and inspire actions on the part of large numbers of people.” A bit more about the importance of communication from Prof. John Kotter

Social Media To The Rescue

If you believe that the myriad social media channels in evidence today negates that need for change managers to concern  themselves with communication strategy to ensure that information about what leadership is doing to reach a new vision for their organization, consider these Findings on the use of social media from Prosci’s 2012 edition of Best Practices in Change Management:

“With all the ‘buzz’ around social media in today’s world, change practitioners wanted to know if social networking tools were being used to facilitate the management of change, or as a supplementary communication vehicle. If so, what tools were being used?” The result? 76% of respondents were not using social networking tools, and another 5% did not know.

 Social Media and Web 2.0 Tools In Use

Of the 4 type of social tools in use, by the 19% who reported using such tools, internal group information sharing and discussion media were used twice as often as any other response.

1. Internal group information sharing and discussion media 
2. Public web-based tools 
3. Outward communication tools
4. Collaboration tools

Conclusion

So, Vision is the Goal or Destination. Strategy links the Starting Point to the Destination. Leaders are responsible for guiding us along the change journey. Seems pretty clear, right? You have each of those bases covered. The few who may wonder about readiness of their change leaders may want to check out this tutorial from Prosci: Executives and senior leaders: importance and role.

But, lack of communication is one of the biggest errors that cause changes to fail. Okay, we have a multitude of social media tools and communications channels available! You probably have Yammer, IBM /Lotus Connections, Jive or another type of Enterprise social media software deployed with an active user-base that discusses the issues that affect them. Check out Smart Business, Social Business: A Playbook for Social Media in Your Organization by Michael Brito for more on this.

You have designated change leaders who listen on social media channels and respond to user queries. It’s not like you just blast out summaries of changes and hope the right people are listening. Check out CRM at the Speed of Light, Fourth Edition: Social CRM 2.0 Strategies, Tools, and Techniques for Engaging Your Customers for more.

But, if we believe this study from one of the most-commonly used change management methodologies, the vast majority of change managers do not use social media tools to communicate changes to their audiences.

Sounds like there is a lot of opportunity out there!

To start off the week, I dive a bit deeper into these theories, and repeat myself a bit, just to emphasize the importance of the shift from the old Command & Control school of thought that reinforced the idea of a hero that drives change forward despite seemingly insurmountable odds. For organizations that retain remnants of the obsolete heroic leadership culture, recognizing the value of the individual requires adoption of different attitudes, strategies and tactics . See this article - The Problem with Heroic Leaders for a discussion of why heroic leaders may not be a blessing.

Motivating individuals to adapt and adopt new ways of working requires leadership, in addition to management. Both are required, however, of the two skills leadership provides the catalyst to move and management provides the measurement and maintenance components to maintain either the old order or the desired, new order.

Kotter on Leading Change

In this video, John Kotter discusses the difference between “change management” and “change leadership,” and whether it’s just a matter of semantics.

Kotter offers an 8-step methodology for leading change that connects individual attitudes, management actions, corporate culture and customer value. Kotter describes the eight errors that lead to the failure of change initiatives. The errors cited are allowing too much complacency, failing to create a sufficiently powerful guiding coalition, underestimating the power of vision, under communicating the vision, permitting obstacles to block the new vision, failure to create short-term wins, declaring victory too soon, and neglecting to anchor changes firmly into the corporate culture.

The eight most common mistakes, in a world in which the frequency and magnitude of changes required is increasing, leads to the following consequences:

“New strategies aren’t implemented well; Acquisitions don’t achieve expected synergies; Reengineering takes too long and costs too much; Downsizing doesn’t get costs under control; Quality programs don’t deliver hoped-for results” (Leading Change).

Kotter emphasized the effect of globalized markets and competition on the increased pace of change and its consequences in our lives. An eight-stage process was introduced to successfully drive change. The eight stages correlate to the list of eight errors introduced last week. Kotter stresses the importance of the correct sequence of the eight stages for successful change. The importance of leadership was emphasized to establish direction, and then communicate that direction to align, motivate and inspire change to produce new products and processes that make firms more productive.

It Starts With One

Black and Gregersen explain their premise of “changing individuals first; then the organization follows.” Black and Gregersen present a simplified approach to change leadership that complements Kotter’s widely recognized eight-stage model. The three-stage method that can be easily remembered and applied under pressure is believed to be more effective, allowing a practitioner to focus upon the critical 20 percent of factors that account for 80 percent of results (Pareto’s Rule).

Black and Gregersen equate barriers to change, that must be overcome by individuals in an organization, to the unseen and misunderstood sound barrier. Mental maps are an “ancient biological coding of hanging on to what works until undeniable evidence mounts to prove that the old map no longer fits the new environment.”

Three barriers, referred to as the “see, move, and finish barriers” are explained.  I like visuals, don’t you?  This video captures an F-18 Super Hornet as it hits Mach I – the speed of sound. Similar to the barriers that Black & Gregersen discuss, sound waves are invisible to the naked eye. The reason that you can see the plane in this video break through the sound barrier is that shock waves compress moisture in the air to form a temporary cloud.

“Interesting, but what does this have to do with leading change?” you might ask. As we interviewed and observed managers, we consistently found that there seemed to be a natural barrier to change—a brain barrier. Like the sound barrier, the faster a leader tried to push change, the more shock waves of resistance compacted together, forming a massive barrier to change (It Starts With One).

To break through the first barrier, the inability to see the need for change, individuals must see past prior successes that cause retention of old mental maps used to guide individual’s current and future behaviors.

Based upon research and experience spanning twenty years of work, with more than 10,000 managers, Black and Gregersen cite the failure rate for change initiatives as being close to 80 percent. The importance of adopting an effective method to lead change in today’s organizations was illustrated using examples of past business change, plus evidence of increasing change rate, magnitude, and unpredictability.

The implications of leading change are naturally affected by the increase in pace, size, unpredictability and globalization of world markets. To successfully affect change in corporations, frequently requires changes from individuals, both employees and leadership. Leading by example is expected by employees who watch management behaviors, however the individual’s ability to overcome mental maps developed during previously successful experiences proves much more difficult than many anticipate.

Why Does It Matter?

Modern organizations are too complex to be transformed by a single person. Leadership and collaboration are keys to producing successful change. Management provides planning, budgeting, organizing and staffing, controlling and problem solving necessary to produce a sense of predictability and order.

I have found these concepts pertinent for driving organizational change and, in line with experiences from my career. Modern organizations are complex, and the rate and complexity of change is increasing but individuals’ ability to see, move toward and accept change remain key to running adaptable and effective enterprises into the 21st Century.