A Federal Court Rules That A Financial Institution Has No Duty To Encrypt A Customer Database

By ERIC J. SINROD
Monday, Feb. 20, 2006

In a legal decision that could have broad implications for financial institutions, a court has ruled recently that a student loan company was not negligent and did not have a duty under the Gramm-Leach-Bliley statute to encrypt a customer database on a laptop computer that fell into the wrong hands. Intrigued? Read on.

Stacey Lawton Guinn filed a federal lawsuit in Minnesota, claiming that Brazos Higher Education Service Corporation, Inc. negligently permitted an employee to maintain unencrypted, private customer data on a laptop computer that ultimately was stolen from the employee's home.

The factual background leading up to the lawsuit goes like this. Brazos, a company that originates and services student loans, has had about 365 employees, including John Wright, a financial analyst for the company. While Brazos is based in Texas, Wright has worked from his home office in Maryland.

As part of his work, Wright analyses loan portfolios, including purchasing portfolios from other lending institutions and purchasing bonds financed by student loan interest payments. Before he conducts a financial analysis, Wright has received an electronic database from Brazos' finance department in Texas. When he performs asset-liability management for Brazos, he has obtained loan-level details, including customer personal information.

All is well and good, right? Wrong. In September, 2004, Wright's home was the subject of a burglary and various items were stolen, including the laptop issued by Brazos to Wright. Notwithstanding a police and private investigation, the laptop never was recovered.

Brazos determined that Wright had received databases containing personal information of borrowers seven different times before the laptop was stolen. Because it was not clear which specific borrowers had their personal information at risk due to the theft of the laptop, Brazos sent a notification letter to all of its more than 500,000 customers.

Coming full circle back to Guin, who had acquired a student loan through Brazos in August, 2002, received the notification letter and contacted a Brazos call center to ask follow up questions. He then tracked his credit status through various credit agencies, and as a result, he was not apprised of any identity theft or other fraud relating to his personal information. Indeed, according to Brazos, none of its borrowers suffered any fraud as a consequence of the theft of Wright's laptop.

Undeterred, Guin filed his federal lawsuit against Brazos, principally claiming that Brazos had been negligent by not properly protecting his personal information and by improperly delegating control of his personal information to another (Wright). Guin asserted that he had suffered out-of-pocket loss, emotional distress, and incidental damages.

At the heart of Guin's lawsuit was the allegation that under the Gramm-Leach-Bliley Act, Brazos had a heightened duty to protect customer information, including the duty to make sure that personal information on laptops be encrypted.

In response to Guin's lawsuit, Brazos filed a summary judgment motion. By way of this motion, Brazos argued that Guin's case was so lacking in merit that it should be dismissed without the need to even get to trial.

Judge Richard Kyle agreed with Brazos, granted the motion, and dismissed Guin's lawsuit. Significantly, while recognizing that Gramm-Leach-Bliley does require financial institutions to protect against unauthorized access to customer records, Judge Kyle held that the statute "does not prohibit someone from working with sensitive data on a laptop computer in a home office," and does not require that "any nonpublic personal information stored on a laptop computer should be encrypted."

Financial institutions across America probably are applauding this legal decision, and likely are breathing a sigh of relief knowing that the bar has not been raised further in terms of the protective measures they must take under Gramm-Leach-Bliley.


Eric Sinrod is a partner in the San Francisco office of Duane Morris (www.duanemorris.com), where he focuses on litigation matters of various types, including information technology and intellectual property disputes. His Web site is (www.sinrodlaw.com), and he can be reached at ejsinrod@duanemorris.com. To receive a weekly e-mail link to Mr. Sinrod's columns, please send an e-mail with the word Subscribe in the Subject line to ejsinrod@duanemorris.com. This column is prepared and published for informational purposes only and should not be construed as legal advice. The views expressed in this column are those of the author and do not necessarily reflect the views of the author's law firm or its individual partners.

Ads by FindLaw