270 Communications of the Association for Information Systems (Volume 16, 2005)270-298


INFORMATION PRIVACY: MANAGEMENT,
MARKETPLACE, AND LEGAL CHALLENGES



Yolande Chan
Queen’s University
ychan@business.queensu.ca

Mary Culnan
Bentley College

Kathleen Greenaway
Queen’s University

Gary Laden
BBBonline

Toby Levin
Federal Trade Commission

H. Jeff Smith
Wake Forest University

ABSTRACT
A panel at ICIS 2004 in Washington, D.C. explored many of the information privacy issues facing
management in a post 9/11 environment. The panel was composed of privacy scholars,
regulators, and practitioners. The panelists examined privacy disasters as a way of exposing
these management challenges, discussed government and self-regulatory approaches to
information privacy, and raised opportunities for research. This paper extends and deepens the
examination begun at the panel and the discussion of issues raised by the audience during the
question and answer session. In addition, a list of research questions is offered. The panelists
provided key privacy information sources. A privacy bibliography is included.
Keywords – Information privacy, information management, data management, organizational
challenges, privacy disasters

Communications of the Association for Information Systems (Volume 16, 2005)270-298 271
Information Privacy: Management, Marketplace, and Legal Challenges by Y. Chan, M. Culnan,
K. Greenaway, G. Laden, T. Levin, and H.J. Smith

INTRODUCTION
The panelists addressed information privacy as an organizational issue from the perspectives of
scholar (Mary Culnan, Jeff Smith), government regulator (Toby Levin, U.S. Federal Trade
Commission) and industry self-regulation (Gary Laden, Better Business Bureau). Yolande Chan
assembled the panel and was its moderator. The paper is organized as follows. The panelists’
individual commentaries are provided in order of presentation with minor editing for the sake of
clarity (Sections II through V). Following a brief discussion among the panelists (Section VI) the
panelists’ responses to questions from the audience are outlined (Section VII). The paper
concludes with a summary of the presentation’s key points, suggestions for research questions,
and a table of additional privacy resources supplied by the panelists (Section VIII). A privacy
bibliography is included with the References at the end of the paper.
Yolande Chan (Panel Chair): This panel was developed in order to address an under-researched
topic: information privacy as an organizational issue. Much research establishes that consumers
are concerned about privacy1. We also know from studies examining the information posted to
companies’ websites that the range of privacy policies is being implemented is broad.2 What we
are less well informed about is how companies are managing the privacy challenges presented
by the marketplace and the legal environment [Milne and Culnan 2003].
A particularly effective way of approaching this discussion is through an examination of privacy
disasters. Despite our best efforts, privacy failures happen in organizations. For example, a wave
of bad publicity hit a Canadian chartered bank in early December 2004 (just before ICIS) when it
was discovered that faxes containing sensitive, personally identifiable information were sent to a
West Virginia scrap yard for three years [Office of the Canadian Federal Privacy Commissioner].
As this privacy disaster unfolded on the front pages of Canadian newspapers, it became apparent
that other banks had experienced similar failures in their privacy programs. More recently in the
U.S. revelations about questionable privacy policies (e.g., Google DeskTop), mishandling of
personal information (e.g., ChoicePoint) and security breaches (e.g., Lexis-Nexis) were reported
in high profile organizations that put in jeopardy the personal information of thousands of
individuals.3
I recently commissioned a short report from the Institute for the Study of Privacy Issues (Table 5)
on privacy disasters that were reported in the past year in the general media. The report
indicated over 100 privacy failures that were made public in the media. Some of these failures
involved the personal information of tens of thousands of individuals. The negative repercussions
for individuals, and for organizations as media awareness grew, were horrendous. This panel is
designed to explore ways to prevent and mitigate these privacy-related personal and business
losses.
Two constraints to the following presentations should be mentioned.
1. While privacy is an international challenge for firms, our panel discussion was necessarily U.S.-
centric. Given the different approaches to privacy in different jurisdictions, we thought it would be
simpler to assemble a privacy panel that would reflect a single jurisdiction. We attempt to remedy
this limitation by providing additional information on privacy sources and research in other
countries including Australia, Canada and the European Union. Note that Kathleen Greenaway,
who is assisting in the audience, and I are both Canadian. 2. We limited our discussions to the
challenges surrounding customer information privacy. We acknowledge the importance of

1 For example, Culnan and Armstrong [1999]; Culnan and Bies [1999]; Dinev and Hart [2003, 2004];
Hoffman, Novak, and Peralta [1999]; Smith, Milberg, and Burke [1996]
2 For example, Culnan [1999a,b]; Earp, Antón and Jarvinen [2002]; Milne and Culnan [2002]; Miyazaki and
Fernandez [2000]
3 Note that these incidents occurred after the ICIS panel discussion but are current examples of high profile
privacy disasters.