February 22, 2006 12:26 PM PST
Perspective: Ducking a bullet over data encryption
The background leading up to the lawsuit goes like this. Brazos, a company that originates and services student loans, has had about 365 employees, including John Wright, a financial analyst. Though Brazos is based in Texas, Wright has worked from his home in Maryland.
As part of his work, Wright analyzes loan portfolios, including purchasing portfolios from other lending institutions and purchasing bonds financed by student loan interest payments. Before conducting a financial analysis, Wright has received an electronic database from the Brazos finance department in Texas. When he performs asset-liability management for Brazos, he has obtained loan-level details, including customer personal information.
All is well and good, right? Wrong. In September 2004, Wright's home was burglarized and various items, including the laptop issued by Brazos to Wright, were stolen. Despite a police and private investigation, the laptop never was recovered.
Brazos determined that Wright had received databases containing personal information of borrowers seven times before the laptop was stolen. Because it was not clear which specific borrowers had their personal information at risk after the theft of the laptop, Brazos sent a notification letter to all of its more than 500,000 customers.
Coming full circle, Guin, who had acquired a student loan through Brazos in August 2002, received the notification letter and contacted a Brazos call center to ask follow-up questions. He then tracked his credit status through various credit agencies but found no evidence of any identity theft or other fraud relating to his personal information. Indeed, according to Brazos, none of its borrowers suffered any fraud as a consequence of the theft of Wright's laptop.
Regardless, Guin filed his federal lawsuit against Brazos, claiming the company had been negligent by improperly protecting his personal information and improperly delegating control of his personal information to another (Wright). Guin asserted that he had suffered out-of-pocket loss, emotional distress and incidental damages.
At the heart of Guin's lawsuit was the allegation that under the Gramm-Leach-Bliley Act, Brazos had a heightened duty to protect customer information, including the duty to make sure personal information on laptops was encrypted.
In response to Guin's lawsuit, Brazos filed a summary judgment motion. By way of this motion, Brazos argued that Guin's case was so lacking in merit that it should be dismissed without the need for a trial.
Financial institutions across America are likely breathing a sigh of relief knowing that the bar has not been raised further in terms of the protective measures they must take under Gramm-Leach-Bliley.
is a partner in the San Francisco office of . His focus includes information technology and intellectual-property disputes. To receive his weekly columns, send an e-mail to email@example.com with "Subscribe" in the subject line. This column is prepared and published for informational purposes only, and it should not be construed as legal advice. The views expressed in this column are those of the author and do not necessarily reflect the views of the author's law firm or its individual partners.