"How should we now balance a trio of public values—security, privacy, and responsible public access to information?"

Policies about information sharing, records management, and information security influenced the ability of organizations to use information as an asset in both traditional operations and in emergency response.

"We need to have a methodology so we can share verifications, we can share basic client information, so that we can really work better with clients."

Confidential treatment of personal information was a major issue for both public and nonprofit agencies engaged in serving the families of victims. Nonprofit organizations quickly recognized both the value and the difficulty of sharing information about the people they were serving. While they could clearly see that services could be more streamlined and less stressful for clients, strong professional values and organizational restrictions about confidentiality prevented them from sharing information about individuals, which led to frustration for the people being served. In addition, for the first time, many people seeking assistance were middle- and upper-income families who had never encountered the fragmented social service system before. They had never before revealed intimate details of their lives, been subjected to multiple requests for the same information, or needed to verify the truth of their statements, as the welfare system requires.

Nonprofit organizations began to deal with the confidentiality issue with the assistance of IBM, which helped develop applications for social and income assistance to victims. They began to compare the details of their individual confidentiality policies in order to collectively understand how their various policies worked and whether they could be depended on to protect confidentiality if personal information was shared. Eventually, many nonprofits jointly supported the creation of a data management and sharing consortium, the United Services Group, which would help them communicate and coordinate information and services in the future. A number of respondents suggested that a standard emergency confidentiality agreement could help to remove unnecessary barriers to citizen services while preserving essential principles of confidentiality of personal information.

"We didn’t know what information was in there [NYC.gov] that could be used against us, so we put up just a generic page with emergency information."

Shortly after the attacks, public officials recognized that the wealth of information on government Web sites could create new security problems. The City's Web site, NYC.gov, was quickly examined for these risks, but the need to be online immediately prompted City officials to simply replace the regular site with one that solely addressed the emergency until time was available to review and bring the full site back into operation. Similarly, some federal agency Web sites were taken off line and later restored with some information removed. At the state level, all agencies were directed to review their Web sites for information that could risk national, state, or community safety. The State's GIS clearinghouse was closed to the public for several weeks for a thorough examination and was restored to the Internet after a small number of data sets and references were removed.

New agencies were created to deal specifically with these newly recognized security threats. At the state level, the Office of Public Security was created as an immediate response to the State’s security needs. The new US Department of Homeland Security has significant information security programs and a broad portfolio of activities that depend on new sources and uses of information to identify terrorists and terrorist activity, which are themselves raising important policy questions associated with personal privacy and civil liberties.

Across the whole spectrum of organizations, and despite well-known barriers, new information sharing and integration goals have emerged, raising some new perspectives on information security. One private sector executive described them in this way: "[This experience] changed to some degree the perception that you can have a physically secure facility and that would be adequate. What you really need is [attention to] the people and their intelligence and their information wherever they may be and they may need to be. . . You think now of that command and control as being a network of communications."