Law & Policy

Data negligence suit thrown out of court

Encryption not required by law, says judge

Tags: glb, data breach, breach

By Declan McCullagh

Published: 15 February 2006 08:55 GMT

A US federal court has thrown out a lawsuit that accused a student-loan provider of negligence in failing to encrypt a customer database that was subsequently stolen.

Stacy Lawton Guin, a customer of Brazos Higher Education Service, sued the corporation on the grounds that encryption should be used as a routine security precaution.

But US District Judge Richard Kyle in Minnesota dismissed the case last week, saying Brazos had a written security policy and other "proper safeguards" for customers' information and that it acted "with reasonable care" even without encrypting the database.

The case arose as a result of a burglary at the home of John Wright, a Brazos financial analyst who worked remotely and analysed loan portfolios. During that September 2004 burglary, a laptop with personal information about Brazos customers was stolen.

Brazos hired a private investigative firm, Global Options, to recover the laptop but this was unsuccessful. The judge noted there was no evidence that the database on the stolen laptop was used for identity fraud. After the theft, Brazos contacted approximately 550,000 of its customers to let them know of the situation and to suggest they place a security alert on their credit bureau files.

Even though he had not actually been harmed as a result of the theft, Guin argued Brazos was required by the Gramm-Leach-Bliley (GLB) Act to encrypt personal information and limit its disclosure. The 1999 law requires financial service companies "to protect the security and confidentiality of customers' non-public personal information".

Judge Kyle disagreed, saying the house was in a relatively low-crime neighbourhood and that the law does not specifically mandate encryption. Kyle wrote: "The GLB Act does not prohibit someone from working with sensitive data on a laptop computer in a home office. Despite Guin's persistent argument that any non-public personal information stored on a laptop computer should be encrypted, the GLB Act does not contain any such requirement."

Declan McCullagh writes for CNET News.com
