To Encrypt or Not to Encrypt? That Is the Question
Piazza, Peter, Security Management
Two recent court cases have led to speculation that the Gramm-Leach-Bliley Act (GLB) does not require financial services companies to encrypt customer data. But legal experts warn not to read too much into these decisions.
In one case, Guin v. Brazos Higher Education Service (U.S. District Court for the District of Minnesota, 2006), a laptop containing unencrypted student loan information was stolen from the home of a Brazos employee. The company informed its customers of the theft.
Stacy Guin's information was on the computer, and she sued Brazos for negligence. The United States District Court in Minnesota granted Brazos' request for summary judgment (a hearing based on the facts of the case, without a trial). In the second case, Forbes v. Wells Fargo Bank (U.S. District Court for the District of Minnesota, 2006), laptops containing data on student loans and mortgage customers were stolen from a subsidiary of Wells Fargo. The plaintiffs sued for breach of contract, breach of fiduciary duty, and negligence. Again, the court granted summary judgment to the defendant.
In both cases, says attorney Jeffrey D. Neuburger, a partner in the New York City office of Brown, Raysman, Millstein, Felder & Steiner, the courts found that there was no negligence because there was no evidence of any damage or injury, such as theft of identity, to any of the plaintiffs. To prove negligence, a plaintiff must sustain damage, and both courts cited a 1982 case that says "the threat of future harm, not yet realized, will not satisfy the damage requirement."
The judge in the Guin case also concluded that GLB does not require financial institutions to implement encryption. Guin had argued that Brazos had breached the duty imposed by GLB in part because it allowed its employee to keep personal information unencrypted on his laptop. …