PRIVACY:
Battleground of the Future
by Michelle Kraus PhD, a member of the advisory board of PrivacyRight

Privacy is one of the most critical issues in IT today. The Internet has changed the way data is collected and disseminated. Cookies track consumer buying patterns and all types of personal information. Now that laws are mandating privacy, expect a plethora of class action suits resulting from the misuse of “personally identifiable information” (PII) for profit. The harbinger of these was the litigation against GeoCities for violation of their privacy policy – a very expensive defense and settlement.

The new privacy frontline can be segmented into two major categories:
• Information captured at the browser
• Management of personal data in the enterprise

It is the management of personal, financial, and health-related information inside corporate firewalls that is at ground zero. Legislative mandates are escalating in Europe and class action litigation is on the rise in the US. There are billions of dollars of potential litigation against financial institutions and health-care organizations for the misuse of personally identifiable information.

The Gramm-Leach-Bliley Act mandates the way institutions deal with financial information. GLB is an “opt-out” piece of legislation from the federal level that requires notification of the consumer with the presumption that if the consumer does not respond, then the consumer agrees to share information with third-party affiliates of the institution. Despite the simplicity of this mechanism, it is a massively complex permission management task. State laws can supersede the federal GLB act, which means a bank in one state could have a customer in another state that is restricted beyond the federal rulings governing the bank’s home state.

HIPAA (the Health Insurance Portability and Accountability Act) is far more restrictive federal legislation governing the use of personal health-related information by all health-care organizations. It is “opt-in” legislation requiring patient consent prior to use of information. Moreover, the patient may also request an audit report detailing the information that has been shared, the parties to whom it was provided, and the dates of service.

The cost of implementing this data management challenge is estimated to be in the billions of dollars. Financial institutions are going to pay in excess of $25M each to come into compliance with the first stage of GLB. The cost for health-care organizations exceeds these figures by large multiples.

Meanwhile, large law firms are gearing up to become experts in all of these areas and, more specifically, their litigation practices are targeting privacy violations globally. Public accounting firms are establishing extensive risk management practices, as year-end audits will mandate reconciliation with privacy legislation. PricewaterhouseCoopers has established a beachhead by initiating a global practice in privacy. Several of the big technology houses, including Oracle, TIBCO, EDS and Merant among many others, are carving out practices focused on the enterprise for all or part of the privacy management solution.

More importantly, Microsoft is pushing the envelope attempting to own all personally identifiable information starting with the browser and extending into e-business infrastructure. With .Net, which targets server infrastructure via Hailstorm, Microsoft is attempting to own nothing less than all personal online data. To this end, Microsoft is building the public relations campaign of the decade directed at both consumers and developers.

The ultimate question for the courts is one of eminent domain – who owns the data? Is it the consumer or the institution supporting the functions? This is the final frontier on which the battle will be fought for control of personal information. Who will win remains to be determined.