Police blotter: Wells Fargo not required to encrypt data

"Police blotter" is a weekly CNET News.com report on the intersection of technology and the law.

What: Wells Fargo Bank customers sue after their personal financial data was stolen from a contractor that had not encrypted the information.

When: U.S. District Judge David Doty in Minnesota ruled on March 16.

Outcome: Wells Fargo was found not to be negligent because the information was never misused by the thieves.

What happened, according to court documents: Wells Fargo had hired Regulus Integrated Solutions to print monthly statements for certain customers who had mortgages and student loans from its subsidiaries. In October 2004, thieves stole computers from Regulus with unencrypted customer information including names, addresses, Social Security numbers and account numbers.

A few weeks later, Wells Fargo alerted its customers and offered to provide identity protection services.

There has never been any indication to date that thieves did anything with the data (in other words, they appear to have been after the computer hardware instead).

Nevertheless, two of the bank's customers, Kristine Forbes and Morgan Koop, filed a class action suit anyway. They claimed that Wells Fargo was liable for emotional distress (including fear, anxiety and worry), negligence, breach of contract and breach of fiduciary duty. Forbes and Koop claimed that Wells Fargo owed them a cash payout because they had to spend extra time monitoring their credit reports.

Judge Doty rejected those arguments, saying the pair of would-be class action plaintiffs had not actually suffered damages. "Plaintiffs have shown no present injury or reasonably certain future injury to support damages for any alleged increased risk of harm," he wrote, and granted the bank's motion for summary judgment.

This is not the first decision of its type. In February, CNET News.com reported that a federal court tossed out a lawsuit against a student-loan provider that did not encrypt a customer database that was subsequently stolen. That judge's reasoning was similar: The data had not been misused. (Some data breach bills in Congress and state legislatures also urge the use of encryption.)

Excerpt from the court's opinion: "Plaintiffs contend that the time and money they have spent monitoring their credit suffices to establish damages. However, a plaintiff can only recover for loss of time in terms of earning capacity or wages. Plaintiffs have failed to cite any Minnesota authority to the contrary. Moreover, they overlook the fact that their expenditure of time and money was not the result of any present injury, but rather the anticipation of future injury that has not materialized.

"In other words, the plaintiffs' injuries are solely the result of a perceived risk of future harm. Plaintiffs have shown no present injury or reasonably certain future injury to support damages for any alleged increased risk of harm. For these reasons, plaintiffs have failed to establish the essential element of damages. Therefore, summary judgment in favor of defendant on plaintiffs' negligence claim is warranted.

"Plaintiffs also bring a claim for breach of contract against Wells Fargo. To establish their claim, plaintiffs must show that they were damaged by the alleged breach. For all of the reasons discussed above, plaintiffs have failed to establish damages. Therefore, summary judgment in favor of defendant on plaintiffs' breach of contract claim is warranted."

[datasecure]

Wells Fargo Sells old computers with information

Encryption is not as large as a problem as selling Terabytes of account and banking information that is found on all of their data processing equipment. They claim to erase the information but forensic experts state that computer files are never erased and can be restored using forensic tools. Does the encryption problem really matter?

[MVHarley]

Put you Data where your words are...

If these are facts, don't tease, post your facts!

Otherwise this could appear to be slander, unfounded hoax information.

MV Me

[davekern]

You can?t trust anyone ? can we? When will organization be held responsible

Corporate America will continue to do ?wrong things? until they feel enough financial pain or Congress does their job to insist that customer records and important data MUST BE ENCRYPTED or PARSED so that the data is un-usable to unauthorized individuals.
C-level decision makers deserve stiff fines and/or incarceration if they continue business as normal. Leaders must realize that their firm?s serious deficiencies will not be solved at the same levels and mindsets in which they were created.
It?s time to allow new technologies to cut costs and risks. Management should start taking initial steps to learn, explore and evaluate new ?user access? and ?data protection? technologies so they stop violating ?trusting? customers and shareholders.
Story after story will continue about computers being lost, stolen, and/or discarded with private customer information. Shockingly, with courts ?snubbing? unprotected customers because plaintiffs couldn?t produce actual financial losses is understandable ? but didn?t we learn from the hundreds of overlooked foreseeable security warning before 9.11?

[datasecure]

Wells Fargo Sells old computers with information

Encryption is not as large as a problem as selling Terabytes of account and banking information that is found on all of their data processing equipment. They claim to erase the information but forensic experts state that computer files are never erased and can be restored using forensic tools. Does the encryption problem really matter?

[MVHarley]

Put you Data where your words are...

If these are facts, don't tease, post your facts!

Otherwise this could appear to be slander, unfounded hoax information.

MV Me

[davekern]

You can?t trust anyone ? can we? When will organization be held responsible

Corporate America will continue to do ?wrong things? until they feel enough financial pain or Congress does their job to insist that customer records and important data MUST BE ENCRYPTED or PARSED so that the data is un-usable to unauthorized individuals.
C-level decision makers deserve stiff fines and/or incarceration if they continue business as normal. Leaders must realize that their firm?s serious deficiencies will not be solved at the same levels and mindsets in which they were created.
It?s time to allow new technologies to cut costs and risks. Management should start taking initial steps to learn, explore and evaluate new ?user access? and ?data protection? technologies so they stop violating ?trusting? customers and shareholders.
Story after story will continue about computers being lost, stolen, and/or discarded with private customer information. Shockingly, with courts ?snubbing? unprotected customers because plaintiffs couldn?t produce actual financial losses is understandable ? but didn?t we learn from the hundreds of overlooked foreseeable security warning before 9.11?

[datasecure]

Bigger Problem

Wells Fargo recycles old computers with Terabytes of account and other banking information stored in disks and memory. Encryption is not as big of a problem as this information leak!

[datasecure]

Bigger Problem

Wells Fargo recycles old computers with Terabytes of account and other banking information stored in disks and memory. Encryption is not as big of a problem as this information leak!

[datasecure]

Bigger Problem

Wells Fargo recycles old computers with Terabytes of account and other banking information stored in disks and memory. Encryption is not as big of a problem as this information leak!

[datasecure]

Bigger Problem

Wells Fargo recycles old computers with Terabytes of account and other banking information stored in disks and memory. Encryption is not as big of a problem as this information leak!

[datasecure]

Bigger Problem

Wells Fargo recycles old computers with Terabytes of account and other banking information stored in disks and memory. Encryption is not as big of a problem as this information leak!

[datasecure]

Bigger Problem

Wells Fargo recycles old computers with Terabytes of account and other banking information stored in disks and memory. Encryption is not as big of a problem as this information leak!

[Razzl]

Judge in the pocket of the big guys

"their expenditure of time and money was not the result of any present injury, but rather the anticipation of future injury that has not materialized"

This is how a judge throws a case in favor of Goliath. Any claims for mental pain, suffering, distress, etc., are always anticipatory--except, apparently, when one of your local chamber of commerce giants is the irresponsible party.

[Razzl]

Judge in the pocket of the big guys

"their expenditure of time and money was not the result of any present injury, but rather the anticipation of future injury that has not materialized"

This is how a judge throws a case in favor of Goliath. Any claims for mental pain, suffering, distress, etc., are always anticipatory--except, apparently, when one of your local chamber of commerce giants is the irresponsible party.

[davekern]

You can?t trust anyone ? can we? When will organization be held responsible

Corporate America will continue to do ?wrong things? until they feel enough financial pain or Congress does their job to insist that customer records and important data MUST BE ENCRYPTED or PARSED so that the data is un-usable to unauthorized individuals.
C-level decision makers deserve stiff fines and/or incarceration if they continue business as normal. Leaders must realize that their firm?s serious deficiencies will not be solved at the same levels and mindsets in which they were created.
It?s time to allow new technologies to cut costs and risks. Management should start taking initial steps to learn, explore and evaluate new ?user access? and ?data protection? technologies so they stop violating ?trusting? customers and shareholders.
Story after story will continue about computers being lost, stolen, and/or discarded with private customer information. Shockingly, with courts ?snubbing? unprotected customers because plaintiffs couldn?t produce actual financial losses is understandable ? but didn?t we learn from the hundreds of overlooked foreseeable security warning before 9.11?

[davekern]

You can?t trust anyone ? can we? When will organization be held responsible

Corporate America will continue to do ?wrong things? until they feel enough financial pain or Congress does their job to insist that customer records and important data MUST BE ENCRYPTED or PARSED so that the data is un-usable to unauthorized individuals.
C-level decision makers deserve stiff fines and/or incarceration if they continue business as normal. Leaders must realize that their firm?s serious deficiencies will not be solved at the same levels and mindsets in which they were created.
It?s time to allow new technologies to cut costs and risks. Management should start taking initial steps to learn, explore and evaluate new ?user access? and ?data protection? technologies so they stop violating ?trusting? customers and shareholders.
Story after story will continue about computers being lost, stolen, and/or discarded with private customer information. Shockingly, with courts ?snubbing? unprotected customers because plaintiffs couldn?t produce actual financial losses is understandable ? but didn?t we learn from the hundreds of overlooked foreseeable security warning before 9.11?