CIOs have a good reason to rethink their company’s privacy policy. The antiterrorism law President Bush signed in late October makes it easier for officials investigating potential terrorist activity to get court orders to search companies’ business records. Having the right privacy policy in place can save executives from bad PR or lawsuits by customers or business partners whose data they may have to turn over if the feds come knocking.

Michael Arruda, chair of the Privacy and Security Practice Group of McCutchen, Doyle, Brown & Enersen in San Francisco, says many privacy policies promise customers that the company won’t share their data without their permission. Under the new law, however, the feds can actually prohibit companies from telling people when they share data with law enforcement.

In the past, companies didn’t have to worry about compromising privacy when they cooperated with investigators because the feds could get court orders to seize only specific data they could prove would implicate a suspect. Now investigators can go fishing and subpoena data they merely think might help their case. For instance, if they believe a suspected terrorist is using his employer’s e-mail system to plot attacks, they can get his entire address book, not just the addresses of suspected coconspirators. From there, it’s easy for them to get a warrant to read any of the suspect’s e-mail.

Companies can protect themselves with a privacy policy that clearly states any information could be turned over to the government during a criminal investigation, Arruda says. He says such a clause gives customers and business partners fair warning that their data isn’t completely confidential.

Other privacy experts see this differently. Cindy Cohn, legal director for the Electronic Frontier Foundation, a San Francisco-based civil liberties group, argues that using a privacy policy as a shield against lawsuits when cooperating with the government violates the intent of having the policy in the first place. A privacy policy that says executives will turn anything over to the government becomes "an explanation of how and when they’re going to violate your privacy," she says, rather than a statement of how they’ll protect it.

The public wants law enforcement to have information valuable to a terrorism investigation, Cohn says, but people "aren’t ready to embrace a world where the government can look at everything they do." With consumer confidence falling and dotcoms failing, Cohn thinks making a statement saying the company can no longer protect a customer’s data will create a backlash against doing business online.