Furthermore, CIOs face the specter of routine business records leaking out. "We've had whole mergers done via instant messaging," Kesner says. He worries that it's a short step from using corporate instant messaging tools to mistakenly sharing proprietary corporate data on a service like Twitter.

One solution to protecting corporate data may be to broadly adopt encryption technology for e-mail correspondence and other important business data. Encryption won't stop employees from "tweeting" inside information (as New York Times reporters recently did after a staff meeting concerning ideas for charging for online content). But it can give companies legal cover in case of a privacy breach, Kesner notes. Such controls may be much more important now that social media makes it possible to quickly spread information to large groups of people--information that potentially lives online forever.

Then there's cloud computing. While companies may save money and gain efficiency by shifting to cloud environments, they also lose physical control over their data. For example, says the CDT's Cooper, putting data in the cloud makes it much easier for the government to get access to it. "If I have my personal diary, they would need a search warrant to get it in my house," says Al Gidari, chair of the privacy and security practice at the Seattle law firm Perkins Coie. "If it's on Google Docs, they can get it with a subpoena."

Complicating this scenario, however, is a potential upside to the cloud. Kesner's colleague Blum says cloud computing could reduce corporate exposure for maintaining data privacy by shifting that responsibility to the vendors. "It can be a way for CIOs to offload risk," says Blum.

Alex "Sandy" Pentland, an MIT professor and cofounder of Sense Networks, which uses location data to find business trends, argues that in the future, most companies will not gather data directly from customers the way they do now. Instead, they'll access it from the cloud via aggregators who operate much in the way banks do, delivering data to companies only when authorized by individuals. Early examples of this model include Google Health and Microsoft Health--data banks operated by Google and Microsoft, respectively, through which patients can share only such healthcare data they are comfortable disclosing. They can also share different kinds of data with different healthcare professionals.