[Dataloss] Court says banks don't have to encrypt customer databases

Richard Forno rforno at infowarrior.org
Wed Feb 22 10:02:45 EST 2006 

A Federal Court Rules That A Financial Institution Has No Duty To Encrypt A
Customer Database
By ERIC J. SINROD
----
Monday, Feb. 20, 2006
http://writ.news.findlaw.com/commentary/20060220_sinrod.html

In a legal decision that could have broad implications for financial
institutions, a court has ruled recently that a student loan company was not
negligent and did not have a duty under the Gramm-Leach-Bliley statute to
encrypt a customer database on a laptop computer that fell into the wrong
hands. Intrigued? Read on.

Stacey Lawton Guinn filed a federal lawsuit in Minnesota, claiming that
Brazos Higher Education Service Corporation, Inc. negligently permitted an
employee to maintain unencrypted, private customer data on a laptop computer
that ultimately was stolen from the employee's home.

The factual background leading up to the lawsuit goes like this. Brazos, a
company that originates and services student loans, has had about 365
employees, including John Wright, a financial analyst for the company. While
Brazos is based in Texas, Wright has worked from his home office in
Maryland.

As part of his work, Wright analyses loan portfolios, including purchasing
portfolios from other lending institutions and purchasing bonds financed by
student loan interest payments. Before he conducts a financial analysis,
Wright has received an electronic database from Brazos' finance department
in Texas. When he performs asset-liability management for Brazos, he has
obtained loan-level details, including customer personal information.

All is well and good, right? Wrong. In September, 2004, Wright's home was
the subject of a burglary and various items were stolen, including the
laptop issued by Brazos to Wright. Notwithstanding a police and private
investigation, the laptop never was recovered.

Brazos determined that Wright had received databases containing personal
information of borrowers seven different times before the laptop was stolen.
Because it was not clear which specific borrowers had their personal
information at risk due to the theft of the laptop, Brazos sent a
notification letter to all of its more than 500,000 customers.

Coming full circle back to Guin, who had acquired a student loan through
Brazos in August, 2002, received the notification letter and contacted a
Brazos call center to ask follow up questions. He then tracked his credit
status through various credit agencies, and as a result, he was not apprised
of any identity theft or other fraud relating to his personal information.
Indeed, according to Brazos, none of its borrowers suffered any fraud as a
consequence of the theft of Wright's laptop.

Undeterred, Guin filed his federal lawsuit against Brazos, principally
claiming that Brazos had been negligent by not properly protecting his
personal information and by improperly delegating control of his personal
information to another (Wright). Guin asserted that he had suffered
out-of-pocket loss, emotional distress, and incidental damages.

At the heart of Guin's lawsuit was the allegation that under the
Gramm-Leach-Bliley Act, Brazos had a heightened duty to protect customer
information, including the duty to make sure that personal information on
laptops be encrypted.

In response to Guin's lawsuit, Brazos filed a summary judgment motion. By
way of this motion, Brazos argued that Guin's case was so lacking in merit
that it should be dismissed without the need to even get to trial.

Judge Richard Kyle agreed with Brazos, granted the motion, and dismissed
Guin's lawsuit. Significantly, while recognizing that Gramm-Leach-Bliley
does require financial institutions to protect against unauthorized access
to customer records, Judge Kyle held that the statute "does not prohibit
someone from working with sensitive data on a laptop computer in a home
office," and does not require that "any nonpublic personal information
stored on a laptop computer should be encrypted."

Financial institutions across America probably are applauding this legal
decision, and likely are breathing a sigh of relief knowing that the bar has
not been raised further in terms of the protective measures they must take
under Gramm-Leach-Bliley.

More information about the Dataloss mailing list