--- begin forwarded text
Date: Wed, 15 Feb 2006 18:38:13 -0500
To: Philodox Clips List
From: "R. A. Hettinga"
Subject: Judge: Firm not negligent in failure to encrypt data
http://news.com.com/2102-1030_3-6039645.html?tag=st.util.print
CNET News
Judge: Firm not negligent in failure to encrypt data
By Declan McCullagh
http://news.com.com/Judge+Firm+not+negligent+in+failure+to+encrypt+data/2100...
Story last modified Wed Feb 15 06:20:32 PST 2006
A federal court has thrown out a lawsuit that accused a student-loan
provider of negligence in failing to encrypt a customer database that was
subsequently stolen.
Stacy Lawton Guin, a customer of Brazos Higher Education Service, sued the
corporation on the grounds that encryption should be used as a routine
security precaution.
But U.S. District Judge Richard Kyle in Minnesota dismissed the case last
week, saying Brazos had a written security policy and other "proper
safeguards" for customers' information and that it acted "with reasonable
care" even without encrypting the database.
ID fraud help
Identity fraud isn't that likely to happen to you, but it does occur. CNET
News.com has compiled a resource center with background information,
statistics, and tips. A recent debit-card theft case has also drawn
attention, and in response we've created a list of frequently-asked
questions. Security protection is also being discussed at this week's RSA
Conference.
The case arose as a result of a burglary at the Silver Spring, Md., home of
John Wright, a Brazos financial analyst who worked remotely and analyzed
loan portfolios. During that September 2004 burglary, a laptop with
personal information about Brazos customers was stolen.
Brazos hired a private investigative firm, Global Options, to recover the
laptop, but this was unsuccessful. The judge noted that there was no
evidence that the database on the stolen laptop was used for identity
fraud. After the theft, Brazos contacted approximately 550,000 of its
customers to let them know of the situation and to suggest they place a
security alert on their credit bureau files.
Even though he had not actually been harmed as a result of the theft, Guin
argued, Brazos was required by the Gramm-Leach-Bliley Act to encrypt
personal information and limit its disclosure. The 1999 law requires
financial service companies "to protect the security and confidentiality of
customers' nonpublic personal information."
Judge Kyle disagreed, saying that the house was in a relatively low-crime
neighborhood and that the law does not specifically mandate encryption.
"The GLB Act does not prohibit someone from working with sensitive data on
a laptop computer in a home office," Kyle wrote. "Despite Guin's persistent
argument that any nonpublic personal information stored on a laptop
computer should be encrypted, the GLB Act does not contain any such
requirement."
--
-----------------
R. A. Hettinga
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
--- end forwarded text
--
-----------------
R. A. Hettinga
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'