Judge: Firm not negligent in failure to encrypt data

A federal court has thrown out a lawsuit that accused a student-loan provider of negligence in failing to encrypt a customer database that was subsequently stolen.

Stacy Lawton Guin, a customer of Brazos Higher Education Service, sued the corporation on the grounds that encryption should be used as a routine security precaution.

But U.S. District Judge Richard Kyle in Minnesota dismissed the case last week, saying Brazos had a written security policy and other "proper safeguards" for customers' information and that it acted "with reasonable care" even without encrypting the database.

ID fraud help

Identity fraud isn't that likely to happen to you, but it does occur. CNET News.com has compiled a resource center with background information, statistics, and tips. A recent debit-card theft case has also drawn attention, and in response we've created a list of frequently-asked questions. Security protection is also being discussed at this week's RSA Conference.

The case arose as a result of a burglary at the Silver Spring, Md., home of John Wright, a Brazos financial analyst who worked remotely and analyzed loan portfolios. During that September 2004 burglary, a laptop with personal information about Brazos customers was stolen.

Brazos hired a private investigative firm, Global Options, to recover the laptop, but this was unsuccessful. The judge noted that there was no evidence that the database on the stolen laptop was used for identity fraud. After the theft, Brazos contacted approximately 550,000 of its customers to let them know of the situation and to suggest they place a security alert on their credit bureau files.

Even though he had not actually been harmed as a result of the theft, Guin argued, Brazos was required by the Gramm-Leach-Bliley Act to encrypt personal information and limit its disclosure. The 1999 law requires financial service companies "to protect the security and confidentiality of customers' nonpublic personal information."

Judge Kyle disagreed, saying that the house was in a relatively low-crime neighborhood and that the law does not specifically mandate encryption. "The GLB Act does not prohibit someone from working with sensitive data on a laptop computer in a home office," Kyle wrote. "Despite Guin's persistent argument that any nonpublic personal information stored on a laptop computer should be encrypted, the GLB Act does not contain any such requirement."

[caxaca51]

It's a policy the company should enforce

Any sensitive data that is allowed to be mobile should undergo
some basic security precautions such as encryption. If I
understand correctly, this judge is saying that since no harm was
done, the company did no wrong. This is negligence at it's best.

[declan00]

actually not negligence

To be a little lawgeekish here, the tort of negligence requires actual harm, not speculative harm.

So it's more like the judge is saying "Sorry, the law does not provide you with a way to cash in by suing this company when you haven't been able to demonstrate harm. If you don't like it, change the law. But otherwise you're out of luck."

[duerra]

WTH? A *laptop*

Maybe I missed something, but what the h*ll is half a million records of personal data doing on somebody's *laptop*? That sounds pretty negligent to me.

[baswwe]

Is there a low crime network online?

"Judge Kyle disagreed, saying that the house was in a relatively low-crime neighborhood and that the law does not specifically mandate encryption."

What about online? Is there a low crime network that you shouldn't have your stuff safeguarded?

How do you figure?

"So it's more like the judge is saying..."

The judge mentions the factors as being, one, a low crime-rate neighborhood, and, two, no specificity in the law, itself, requiring encryption.

So what twisted logic gives you the idea that 'what he's saying" is about actual damages as a prerequisite to going to Court there buddy? Misconstruing arcane laegalese is one thing, but fabrication is something else, no?

[booboo1243]

A desktop would have been better?

Desktop machines get stolen, too. Note that the laptop wasn't being used as a mobile machine, but as a remote machine. It was being used in a physical location thought to be secure.

Security is never absolute. The fact that something bad happened does not, itself, imply negligence. The fact that further safeguards could have been taken that would have protected against a specific threat does not, itself, imply negligence.

[skobryan]

Firm not negligent in failure to encrypt

Well, if this is how the Judge sees it then I guess the banking and healthcare regulators better re-write the audit programs and save everyone the time audits cost to companies. Wow, the judge totally missed the point on this one!