Keeping data under lock & key: corporations are wrestling with the manifold issues raised by new privacy laws, including the costs, confusing rules and consumer wariness. Even those with dedicated privacy officers have their hands full.

• Author: Millman, Gregory J.
• Position: Privacy

In the fall of 2003, discount airline JetBlue hit heavy weather when a group of passengers filed a class action suit charging breach of contract, invasion of privacy and fraudulent misrepresentation. The reason? The airline had shared passenger information with a government contractor who was preparing a risk assessment study for the Department of Homeland Security.

"In the wake of the Sept. 11 attacks, and as New York's hometown airline, all of us at JetBlue were very anxious to support our government's efforts to improve security," JetBlue CEO David Neeleman said in an apology posted on the company's Web site. But JetBlue wasn't alone--Northwest Airlines and American Airlines faced similar lawsuits. "There are some indications that the law may not treat handing over that information as a violation of privacy, but these companies have already suffered a fair amount of loss of brand value from the flap," says Stewart Baker, a Washington, D.C.-based partner in the law firm Steptoe & Johnson.

Only in America, perhaps, can a company get in trouble for sharing information with the government itself. But as the memory of 9/11 recedes, privacy rights and suspicion of the government once again seem to trump security concerns in the minds of many Americans. And companies are finding that privacy laws are confusing, frequently costly and ripe for misinterpretation.

A 2003 Privacy Trust Survey by The CIO Institute of Carnegie Mellon University and the Ponemon Institute asked Americans to rank various institutions, companies and professions in terms of their trustworthiness with personal information. Respondents ranked the Department of Homeland Security second from the bottom--just ahead of grocery stores, but behind other retailers. What's more, hundreds of lawsuits have been filed against companies that allegedly violated privacy rights while obtaining, using or sharing information. "The latest figure is $125 million recovered in lawsuits from companies," says Dr. Alan Westin, Professor of Public Law & Government Emeritus at Columbia University and President and Publisher of Privacy & American Business.

Many companies are struggling just to keep up with the proliferation of privacy-protection measures. "We have scores, maybe thousands, of laws in the United States on the federal and state level, as well as millions of contracts and as many if not more informal or administrative requirements based on letters from government agencies," notes Alan S. Goldberg, a Washington-based attorney and former president of the National Health Lawyers Association. A study by IBM and the Ponemon Institute found that some companies spend over $22 million annually on privacy.

Sometimes the effort to tighten privacy controls backfires, as it did in the case of a company that, for security purposes, decided to change email passwords every 90 days. People forgot their ever-changing passwords, and it could take hours to get a response from the...