
News Analysis

On 22 September 2003, a group of passengers filed suit against JetBlue Airways for providing data on five million passengers (not credit card or Social Security numbers) to Torch Concepts, a contractor working for the U.S. military. After acquiring further details about these passengers from another source, Torch Concepts then used this information for published research on the security risks of airline passengers. JetBlue's actions apparently violated its own privacy policy. The company has apologized.

This episode shows the danger of handing over customers' personal information without clearly understanding how it will be used or what will happen to it once its primary use has been fulfilled. This situation can easily lead to careless disclosure. JetBlue got into this mess from the best motives. After Sept. 11, businesses were eager to cooperate with government agencies in the pursuit of terrorists. Such cooperation sometimes includes responding quickly to requests for detailed customer information, even when not required by law. Because JetBlue's response violated its written privacy policy, it may be cause for civil action. It should at least concern JetBlue's customers. (The U.S. Transportation Security Administration will soon mandate that airlines provide information on passengers via its Computer-Assisted Passenger Prescreening, or CAPPS 2.)

Companies in JetBlue's position face public embarrassment and possible lawsuits. The potential for lawsuits will increase over time, along with customers' sensitivity. Therefore, companies should take this opportunity to examine their practices and policies on the disclosure of customer information. Regardless of who requests data and for what purposes, businesses should ask the following questions:

- Is the request consistent with the company's privacy policy, regardless of the intended use for the data? JetBlue's policies stated that it would not provide customer data to government agencies except as required by law. (In this case, JetBlue gave the data to a government contractor, which makes the lapse even more embarrassing.)
- What is the immediate intended use for the information, and is that use consistent with the company's policies and values?
- How will the data be handled once the immediate use has taken place? For example, will the enterprise requesting the data avoid secondary uses unless it receives explicit permission?
- What follow-on uses for the data are under consideration, and are those uses consistent with company policy and values?
- What safeguards will the requestor use to ensure that inadvertent disclosure or misuse of the data will not occur?

Analytical Sources: Richard Hunter and Robert Goodwin, Gartner Research

Recommended Reading and Related Research

- "Customer Privacy Is a Strategy, Not a Policy" Enterprises have already begun facing customer backlash and government intervention regarding consumers' information privacy concerns. The need for privacy management is inevitable. By Gareth Herschel
- "IT Security Directors: Privacy Compliance Best Practices" International privacy laws have direct implications for business and IT strategy, such as where to build or consolidate data centers, how to proceed with the implementation of global business applications, and the daily management of sales, marketing and call center operations. By Arabella Hallawell