At the heart of privacy is information: Who owns it? Who controls it? And to what end? One group's insistence that certain information should remain secret might impede another's goals.
"IT is driving the end of secrecy and the means to control how information is distributed and used. The semiconductor eliminated privacy as secrecy," says Richard Hunter, vice president and research director of Gartner executive programs in Stamford, Conn., and author of World Without Secrets: Business, Crime and Privacy in the Age of Ubiquitous Computing.
As IT is changing our notions of privacy, legislators are passing laws that define the control and protection of personal information. The Health Insurance Portability and Accountability Act (HIPAA) is the best-known example of how one law can drive technology policies and spending. But it's not just the feds tossing their hats into the privacy ring. On the leading edge of privacy legislation, California lawmakers have stepped up to the privacy plate after a hack into a state database potentially exposed their personal identifying information.
The result is California's SB 1386, which goes into effect on July 1 and is backed by Gov.Gray Davis. "This is sleeper legislation," says Clara Ruyan Martin, a partner in the Los Angeles law offices of Shaw Pittman. Under this law, if a business maintaining data on California residents experiences a security breach that reasonably could result in a customer's identify theft, that company -- even if it is outside California -- must notify customers. An exception exists for companies that maintain the identifying information in an encrypted form.
"All businesses will be hit by this," Martin says. "The big companies will be hit because they will have to give notice and do so to a broad range of people. Often with a security breach, it's hard to understand what records have been breached."
Gartner's Hunter says IT must be concerned with incident response, role-based access to info and audit trails to be in compliance with the California law.
(For more on identity management and privacy, return to "Does identity management clash with privacy?")