February 14, 2006 5:29 PM PST
Judge: Firm not negligent in failure to encrypt data
- Related Stories
Bots may get cloak of encryptionNovember 14, 2005
Ellison: Encryption is key to data protectionSeptember 23, 2005
Researchers: Digital encryption standard flawedFebruary 16, 2005
Saluting the data encryption legacySeptember 27, 2004
High hopes for unscrambling the voteJune 8, 2004
Quantum encryption inches closer to realityMay 3, 2004
VoIP provider to block eavesdroppersMarch 30, 2004
Former FBI chief takes on encryptionOctober 14, 2002
But U.S. District Judge Richard Kyle in Minnesota dismissed the case last week, saying Brazos had a written security policy and other "proper safeguards" for customers' information and that it acted "with reasonable care" even without encrypting the database.
ID fraud help
Identity fraud isn't that likely to happen to you, but it does occur. CNET News.com has compiled a resource center with background information, statistics, and tips. A recent debit-card theft case has also drawn attention, and in response we've created a list of frequently-asked questions. Security protection is also being discussed at this week's RSA Conference.
The case arose as a result of a burglary at the Silver Spring, Md., home of John Wright, a Brazos financial analyst who worked remotely and analyzed loan portfolios. During that September 2004 burglary, a laptop with personal information about Brazos customers was stolen.
Brazos hired a private investigative firm, Global Options, to recover the laptop, but this was unsuccessful. The judge noted that there was no evidence that the database on the stolen laptop was used for identity fraud. After the theft, Brazos contacted approximately 550,000 of its customers to let them know of the situation and to suggest they place a security alert on their credit bureau files.
Even though he had not actually been harmed as a result of the theft, Guin argued, Brazos was required by the Gramm-Leach-Bliley Act to encrypt personal information and limit its disclosure. The 1999 law requires financial service companies "to protect the security and confidentiality of customers' nonpublic personal information."
Judge Kyle disagreed, saying that the house was in a relatively low-crime neighborhood and that the law does not specifically mandate encryption. "The GLB Act does not prohibit someone from working with sensitive data on a laptop computer in a home office," Kyle wrote. "Despite Guin's persistent argument that any nonpublic personal information stored on a laptop computer should be encrypted, the GLB Act does not contain any such requirement."
8 commentsJoin the conversation! Add your comment