Today managers are faced with the challenge of ascertaining consumer preferences for privacy, protecting sensitive customer data, and complying with an evolving maze of regulations while avoiding the threat of costly litigation. As society becomes increasingly reliant upon computing, it is imperative that we better comprehend consumer attitudes toward the handling of personal data and the role that technology can play in enhancing rather than diminishing privacy.
My research is aimed at advancing our understanding of information privacy and security in a networked environment. The goal is to contribute to the formulation of sound privacy and security practices, and to the development of enabling technologies for implementing these practices. To this end, my research has taken two related streams:

(1) Privacy and Security: Aligning Technology with Policy

IT organizations need improved methods and tools to design, develop and maintain systems that reflect customer privacy values and protect personal data in the face of escalating threats to data security. My research is focused on understanding how societal values, law, and organizational policies can be integrated technically into operational functioning of web-based systems. The goal is to help organizations bring policies and systems into better alignment. An early paper from this research stream is forthcoming in Information and Software Technology and presents strategies and techniques to ensure security/privacy compliance with system requirements.

One outcome of my work (in collaboration with Drs. Annie Antón and Colin Potts) has been to develop a statistically valid instrument for measuring the privacy values of individuals. The research entailed a large scale study of over 1,000 individuals that analyzes perceptions of stakeholder privacy values, as well as a content analysis of 80 website privacy policies. The analysis led us to codify a set of heuristics for analyzing privacy policy content and resulted in a paper in the Requirements Engineering Journal. The heuristics were later used in our analysis of financial privacy policies and compliance with the Gramm-Leach-Bliley Act; this work is under peer review at IEEE Security and Privacy. The stakeholder values dimension of the study gained international recognition as the best paper awarded by the Organizational and Communication Information Systems (OCIS) division of the Academy of Management in 2003. An extended version of this award winning paper is currently under peer review at IEEE Transactions on Engineering Management.

(2) Privacy Technology and the Law: Creating a Symbiotic Relationship

The rapid expansion of the Internet has heightened awareness of the widespread collection, transfer and storage of personal and sensitive data. As a result, legislatures and courthouses worldwide have had to come to grips with a technological reality that is no longer necessarily compatible with the legal and regulatory system designed to oversee it. By working in collaboration with legal and technical scholars, my research is aimed at reconciling the gap between legislative efforts that seek to control the flow of private data-the Health Information and Portability Accountability Act, the Gramm-Leach-Bliley Act, the recently proposed U.S. Online Privacy Protection Act, and European Union Privacy Directives of 1995 and 2002-and what technology makes possible.

This work has allowed us to analyze consumer privacy values and corresponding technology implications within the context of the current legal environment. It has also produced a functional analysis that compares current privacy law in the European Union with that in the United States. The analysis confirms that privacy is more heavily protected in the EU than in the U.S. and provides a foundation for an empirical investigation that compares commercial privacy practices in the EU with those in the U.S. as they relate to the legal environment. The practical relevance of this work is noteworthy as organizations involved in international business endeavors encounter conflicting expectations of privacy, as well as inconsistent regulations across countries.