Loss of Control
But it's not only your customers who want to control data about themselves. Social media is blurring employees' personal information with business information, which presents a challenge for corporate privacy policies. Companies can't ban employees from using Facebook and Twitter. In many cases, notes Kesner, even though these are technically not work-related sites, they are increasingly critical for engaging with clients and customers. Yet companies want to be able to control information about themselves.
Fenwick has found, for example, that potential clients expect to be able to check out its attorneys on Facebook rather than in traditional sources like the Martindale-Hubbell Law Directory. "If there are pictures of a CEO at a beer bash 20 years ago, it really does change things," says Kesner. "Our job as CIOs is to educate people about how what they're doing today can be searched across the world today or tomorrow."
Furthermore, CIOs face the specter of routine business records leaking out. "We've had whole mergers done via instant messaging," Kesner says. He worries that it's a short step from using corporate instant messaging tools to mistakenly sharing proprietary corporate data on a service like Twitter.
One solution to protecting corporate data may be to broadly adopt encryption technology for e-mail correspondence and other important business data. Encryption won't stop employees from "tweeting" inside information (as New York Times reporters recently did after a staff meeting concerning ideas for charging for online content). But it can give companies legal cover in case of a privacy breach, Kesner notes. Such controls may be much more important now that social media makes it possible to quickly spread information to large groups of people--information that potentially lives online forever.
Then there's cloud computing. While companies may save money and gain efficiency by shifting to cloud environments, they also lose physical control over their data. For example, says the CDT's Cooper, putting data in the cloud makes it much easier for the government to get access to it. "If I have my personal diary, they would need a search warrant to get it in my house," says Al Gidari, chair of the privacy and security practice at the Seattle law firm Perkins Coie. "If it's on Google Docs, they can get it with a subpoena."
Complicating this scenario, however, is a potential upside to the cloud. Kesner's colleague Blum says cloud computing could reduce corporate exposure for maintaining data privacy by shifting that responsibility to the vendors. "It can be a way for CIOs to offload risk," says Blum.
Alex "Sandy" Pentland, an MIT professor and cofounder of Sense Networks, which uses location data to find business trends, argues that in the future, most companies will not gather data directly from customers the way they do now. Instead, they'll access it from the cloud via aggregators who operate much in the way banks do, delivering data to companies only when authorized by individuals. Early examples of this model include Google Health and Microsoft Health--data banks operated by Google and Microsoft, respectively, through which patients can share only such healthcare data they are comfortable disclosing. They can also share different kinds of data with different healthcare professionals.
Much Ado About Nothing?
The contradictions, understandably, make some CIOs skeptical that privacy needs to be an overarching concern. "It's not a nightmare situation," says Gerard McCartney, vice president of information technology and CIO at Purdue University. Not that he ignores privacy--the university spends half a day during orientations discussing privacy and security issues with incoming students. But McCartney thinks most people can and do manage their own privacy fairly well through common sense.
But here again, there are multiple points of view. There are questions, for instance, about how far common sense goes in the online world. "There is a sense of anonymity for people when they sit in front of a computer screen that I don't fully understand," says Leon Goldman, chief compliance and privacy officer at Beth Israel Deaconess Medical Center. "They say things to a computer they wouldn't to a real person."
Gidari, with Perkins Coie, says our values about privacy may be changing: "I wonder whether we are 10 years behind in our views of privacy, and this next generation may not be much concerned about the things this generation is screaming about." He points to behavioral ad targeting, which the U.S. Federal Trade Commission and especially the European Union are attempting to regulate. It's "a joke to kids," who expect targeted advertising, he observes.
Jim M. Swartz, CIO at Sybase, says privacy worries aren't keeping him awake right now. He notes, however, that technology shifts can quickly rewrite the rules for CIOs. More mobile workforces, for instance, create challenges and situations "that we wouldn't even have thought about five or six years ago," he says. For instance, it's easier for people to download attachments on their handheld devices, making it much harder for companies to control where sensitive data goes.
Swartz also notes potential challenges emerging from the way individuals and organizations share information. It's easier than ever to pull together disparate bits of information, develop opinions about it and present those opinions publicly. "Maybe you've lost three jobs, or filed for bankruptcy or have a DUI. Do the pieces of information available about you on the Web over a period of time tell a story you would rather not have told?" he muses. "It could be a concern. We won't know how big of a concern it is until there is a benchmark incident of some sort."