In several recent posts I have described the emerging privacy risk, detailed one state’s statutory and regulatory regime for addressing this risk, and discussed an insurance coverage case which demonstrated the need for specialized privacy insurance. This post will address the analogy between these new statutes and regulations which seek to regulate “Personal Information” (e.g. Massachusetts General Laws Ch. 93H and 201 CMR 17.00 et seq.), and statutes regulating toxic waste, such as the landmark federal Resource Conservation and Recovery Act (“RCRA”). Briefly stated, the new privacy regulations in Massachusetts and elsewhere require a new way of thinking about Personal Information, the same way that RCRA required a new way of thinking about hazardous waste: the so-called “cradle to grave” approach. The Personal Information/toxic waste analogy is helpful because it allows businesses to focus on the sources of privacy risk, which is the first step in risk management.
RCRA as a Risk Management Tool
Before RCRA, the hazardous waste risk was largely governed by a consequences mentality. Businesses did what they did, transforming raw material into salable products without substantial interference, but they could be held responsible for the consequences of their production through civil suits for property damage, products liability, and nuisance. As a general matter it was believed that the costs of such consequences would influence corporate behavior enough to reduce the risk.
In the environmental context, however, the costs of such post-production consequences were found to be inadequate or too remote to address the harm caused by toxic chemicals. Such chemicals, once released, could migrate, making it difficult to trace the source of the release and to identify the responsible parties. Once released, toxic substances may be difficult or impossible to contain or neutralize. The time from release to discovery and clean-up might be too long to influence corporate behavior that was focused on quarterly or yearly results.
In 1976 the passage of RCRA changed all that by requiring every business that generated, stored, transported or disposed of hazardous waste to identify, quantify, track, and report that waste from “cradle to grave,” or more aptly, from input to output. This statute, its accompanying regulatory regime and the costs associated with it led businesses to take a hard look at whether such toxic chemicals were necessary to the production of goods; how they were used, stored and disposed of; and even the ability of the company’s vendors, from suppliers to waste haulers, to properly handle and dispose of such substances. As a result, businesses reduced the quantities of such materials they used, upgraded their own storage, handling, disposal, tracking and reporting capabilities, and insisted that their vendors do the same. With this regime in place, for the first time insurers were willing to intentionally assume such risks, and specialized environmental insurance products were created and became more affordable over time. RCRA compliance practices and the environmental insurance market are now well matured, and few would doubt their effectiveness in reducing and managing the risk of environmental harm.
Cradle to Grave Applied to Personal Information
The statutes and regulations enacted by Massachusetts and other states begin by defining “Personal Information,” and then require companies that own or license Personal Information about the state’s residents to develop a written information security program (“WISP”) to identify and mitigate the risks of disclosure. Such statutes, like RCRA, represent an effort to move from a consequences approach to a risk management approach, and it is helpful to think about Personal Information the same way RCRA forces companies to think about hazardous chemicals. Indeed, the release of Personal Information may in many respects be analogized to the release of hazardous waste. Once released, Personal Information can cause substantial harm, is difficult to contain, and its release may be difficult to trace back to its source.
The cradle to grave approach applied to Personal Information leads to several pertinent questions: How does Personal Information come into the company? How is it used by the company? How is it stored? What measures does the company take to prevent its release? What measures does the company require of its vendors? Answering these questions, and meeting the WISP and reporting requirements under the Massachusetts statute and similar statutes, imposes costs and requires action, and such costs may, like the costs associated with RCRA compliance, lead companies to ask the fundamental questions about the regulated substance (hazardous waste or Personal Information): Do I really need it for my business? How can I use less of it?
Beneficial Impacts Of The Cradle to Grave Privacy Risk Management Process
The change from a consequences mentality to a risk management mentality is not easy. Some may view the new requirements as an unnecessary expense and a government-mandated intrusion into an area previously left to self-regulation. Others may consider the new costs warranted by the risks of harm presented by the unauthorized release and misuse of Personal Information. In any event, the new statutes and regulatory requirements are here, and companies will adapt. New opportunities will arise for service providers to assist companies in understanding and complying with the new requirements, and new insurance products covering the privacy risk will become more available and their cost will fall. Companies that approach Personal Information using the risk management mindset embodied in the cradle to grave analogy will adapt more efficiently than those that don’t. New ways of doing business while mitigating the risk of release will be developed, and the business use of Personal Information will likely be limited to essential functions. That result may be better for us all.