How are corporations handling sensitive personal information today? How are they crafting the policies and practices that govern the use of such information? This article establishes a new foundation for examining information privacy issues process through which information privacy policies and practices are created in corporations and then reviewing corporate approaches to information privacy in light of implied societal expectations.The findings of this study are sobering. Corporations that routinely handle personal information (medical, financial, purchase records) operate without policies in many areas. Even where policies do exist, they often conflict with practices in the organization. New technologies enable applications that were previously impractical, but appropriate behaviors have yet to be clarified [15]. Operating in such a vacuum, executives often face dilemmas about the use of personal information. These dilemmas are resolved within the organizational environment, influenced by the executives' concepts of right and wrong: a process of navigation through a corporate "moral maze" [14].This study suggests that executives rarely take a proactive stance in creating information privacy policies in this ambiguous environment. They wait until some external event-often, a threat of legislative action-forces them to act. For some period, then, the organization is in a "drift by first assessing stage," so that many employees-especially those in information systems (IS) ranks--experience what might be called "emotional dissonance" in dealing with their organization's information handling. These employees are disturbed by many things they see, but are reluctant to confront the organizational mores surrounding information use.A growing concern. Information privacy may prove to be the most important ethical issue of the information age [21]. After a flurry of activity surrounding information privacy in the early and mid-1970s, the topic then garnered little public attention for several years. However, in the early 1990s, information privacy is of renewed interest to legislators and the media. This attention and the increasing impact of information technology (IT) on daily life have resulted in public concern about threats to personal privacy reaching an all-time high. In 1991 surveys of American public opinion, 79% of respondents reported they were "very concerned" or "somewhat concerned" about threats to personal privacy--as compared to a figure of 64% in 1978 [9].It is disconcerting that, when public concern is at a historically high the value-laden level, executives in industries handling personal information (insurance, credit granters, banks and thrifts, and direct marketers) overwhelmingly reported in a 1990 opinion survey sponsored by Equifax Inc. that, rather than take a leadership position, they wanted to adopt privacy policies only when a consensus had developed in their industry or laws had been passed [8]. This suggests a disparity between society's concerns about privacy and industry's response.This ...