Privacy Hostages

I've recently gotten hooked on a BBC America TV program called What Not to Wear, in which two witty, quintessentially British "style journalists" single out some walking fashion disaster for a wardrobe update and makeover. In the first scene, the show's hosts merrily pounce on their startled sartorial slob, presenting her with a big check for an upcoming shopping spree and explaining how friends or relations helped arrange the whole ambush. Lots of shrieking and laughter ensues.

And then the hosts drop the big bomb: Hidden cameras have been tracking the hapless victim in her most unsuitable and unflattering outfits, for all the world to see. As that realization sinks in, the makeover subject suddenly stops laughing. Invariably, the same horrified question comes next: "You've been secretly filming me?"

That invasion-of-privacy moment passes quickly, and the show marches delightfully onward. But I wonder how long it will be before such candid-camera entertainment becomes flatly illegal, plowed under the mountain of new privacy rules and regulations enclosing us and all the data generated about us (streaming video of our wardrobes included). I realize that data privacy is vying for a place alongside motherhood and apple pie in the public sentiment these days, but I wonder if we aren't slipping over into paranoia as we try to build a fortress of legal and technical protections around every bit of personal information that gets loose in the world.

Not that there's much choice anymore. The sheer enormity of what IT departments are facing at this intersection of mandated regulatory compliance, customer data protection and risk management was starkly evident in our special report on privacy last week ["Compliance Headaches," QuickLink 45078]. Big companies can expect to spend millions on privacy compliance programs and activities in the coming years, just to keep pace with existing federal laws such as HIPAA and Sarbanes-Oxley. Yet legal precedents are few, implementation procedures are largely experimental, and vaguely written guidelines vary from state to state. The infamous California Senate Bill 1386, which requires notification of any unauthorized disclosures of personal information, calls for customer data to be encrypted but doesn't specify to what level.

"Over the past two years, we've had over 1,000 new privacy laws that have affected us," said Joel Tietz, chief privacy officer at AXA Financial Services in New York, who was quoted in our "Privacy Potholes" story . Like many companies, AXA is using a CRM system to dig into its customer data for useful trends and potential revenue opportunities. But unlike many companies, the financial firm is being aggressively attentive to mapping customer privacy preferences against a database that consolidates multiple applications and production systems.

Monitoring privacy compliance inside your own business is no longer enough, however. Your partners, supply chain vendors and any other suppliers that access your data -- particularly those offshore and operating under looser legal strictures -- are part of the risk that senior IT managers now must protect against.

So prepare to be held hostage to privacy compliance. Spending in this realm will gobble up increasingly bigger portions of IT corporate budgets in the years to come. Larger companies will have to set up privacy compliance offices, which will run up additional bills for data protection staffers, expert consultants and specialized training.

The only effective strategy the experts all agree upon is this: Make sure you're meeting the maximum requirements of the strictest privacy laws affecting your industry.

If you don't, you'd better update your own wardrobe. Your next appearance might be on Court TV.

Maryfran Johnson is editor in chief of Computerworld. You can contact her at

See more editorials by Maryfran Johnson.

Copyright © 2004 IDG Communications, Inc.

Shop Tech Products at Amazon