The success of an organization is often dependent on the trust of its clients and customers. Consumer trust usually revolves around issues of securing information that consumers provide and maintaining privacy protection. Privacy has the potential to be violated any time that personal information is provided to an organization. This potential for violation is amplified when that information is sent over the World Wide Web, where it may be maintained indefinitely in electronic forms. Once the personal information is provided, the individual user has no control over who within the organization has access to the information, how that information will be secured from attacks by unauthorized parties, and whether it will be shared with other organizations.
Organizations that collect personally identifiable information often share the consumers' personal information with affiliates and third parties. Most consumers prefer that their personal information not be distributed in this manner [1], and an organization would be wise to have a privacy policy that precludes sharing of information. Regardless of the privacy policy adopted, though, many organizations do not provide sufficient security measures to ensure that the personal information is protected. As a consequence, breaches in security are common that result in personal information such as Social Security numbers, driver license numbers, and credit card numbers being compromised. For example, Privacy Rights Clearinghouse (http://www.privacyrights. org/ar/ChronDataBreaches.htm#1) provides a chronology of data breaches from January 2005, to the present, which is updated biweekly. As of January 19, 2009, the chronology listed 251,164,141 entries for the U.S. alone.
Two examples from this site are as follows. A listing dated August 5, 2008, indicates that a former employee of Countrywide Financial Corporation, in Calabasas, California, was arrested and charged with stealing and selling personal information, including Social Security numbers, over a 2-year period ending in July. The names of 2,000,000 people and their personal information were sold to other individuals in the mortgage industry for marketing purposes. An August 12, 2008, listing states that Wells Fargo bank notified 5000 customers that hackers illegally accessed their personal data, which included names, addresses, dates of birth, Social Security numbers, and driver's license numbers. In the first example the security breach occurred from within the organization, and in the second it occurred from outside. Regardless, in both cases, there was unauthorized access of personal data. Unauthorized access can have negative consequences for the individual through such activities as identity theft and unauthorized charges to a credit card, as well as for the organization and industry it represents (in these examples, financial institutions) by creating consumer distrust.
Web-based services are a growing industry due to the wide availability of the Internet and the convenience of being able to make online transactions. Because many web sites collect personally identifiable information of the type described above, either by necessity or choice, questions concerning how privacy will be handled and protected should be salient to both the Computers in Industry 61 (2010) 311-317