Disclosure Risk vs. Data Utility through the R-U Confidentiality Map in Multivariate Settings George T. Duncan . Professor of Statistics Heinz School of Public Policy and Management, Carnegie Mellon University, Pittsburgh, Pennsylvania 15213 gd17@andrew.cmu.edu Sallie A. Keller-McNulty Dean and Professor of Statistics School of Engineering, Rice University, Houston, Texas, 77005 sallie@rice.edu S. Lynne Stokes Professor of Statistics Department of Statistics, Southern Methodist University, Dallas, Texas, 75275 slstokes@mail.smu.edu Information organizations, such as statistical agencies, must ensure that data access does not compromise the confidentiality afforded data providers, whether individuals or establishments. Recognizing that deidentification of data is generally inadequate to protect confidentiality against attack by a data snooper, information organizations (IOs)—such as statistical agencies, data archives, and trade associations—can implement a variety of disclosure limitation (DL) techniques—such as topcoding, noise addition and data swapping—in developing data products. Desirably, the resulting restricted data have both high data utility U to data users and low disclosure risk R from data snoopers. IOs lack a framework for examining tradeoffs between R and U under a specific DL procedure. They also lack systematic ways of comparing the performance of distinct DL procedures. To provide this framework and facilitate comparisons, the R-U confidentiality map is introduced to trace the joint impact on R and U to changes in the parameters of a DL procedure. Implementation of an R-U confidentiality map is illustrated in the case of multivariate noise addition. Analysis is provided for two important multivariate 1