By Declan McCullagh, 15 February 2006 08:55
A US federal court has thrown out a lawsuit that accused a student-loan provider of negligence in failing to encrypt a customer database that was subsequently stolen.
Stacy Lawton Guin, a customer of Brazos Higher Education Service, sued the corporation on the grounds that encryption should be used as a routine security precaution.
But US District Judge Richard Kyle in Minnesota dismissed the case last week, saying Brazos had a written security policy and other "proper safeguards" for customers' information and that it acted "with reasonable care" even without encrypting the database.
The case arose as a result of a burglary at the home of John Wright, a Brazos financial analyst who worked remotely and analysed loan portfolios. During that September 2004 burglary, a laptop with personal information about Brazos customers was stolen.
Brazos hired a private investigative firm, Global Options, to recover the laptop, but this was unsuccessful. The judge noted there was no evidence that the database on the stolen laptop was used for identity fraud. After the theft, Brazos contacted approximately 550,000 of its customers to let them know of the situation and to suggest they place a security alert on their credit bureau files.
Even though he had not actually been harmed as a result of the theft, Guin argued Brazos was required by the Gramm-Leach-Bliley (GLB) Act to encrypt personal information and limit its disclosure. The 1999 law requires financial service companies "to protect the security and confidentiality of customers' non-public personal information".
Judge Kyle disagreed, saying the house was in a relatively low-crime neighbourhood and that the law does not specifically mandate encryption. Kyle wrote: "The GLB Act does not prohibit someone from working with sensitive data on a laptop computer in a home office. Despite Guin's persistent argument that any non-public personal information stored on a laptop computer should be encrypted, the GLB Act does not contain any such requirement."
Declan McCullagh writes for CNET News.com

Comments
There are 4 comments.
1. anonymous
This article just goes to show how lawyers and security personnel think in different worlds; lawyers in the world of explicit and security in implicit. We all know the company violated GLB by allowing private client information to be allowed beyond their network in an unencrypted fashion (should have been encrypted in the first place); best case scenario they violated common sense and the 550,000 people affected by it should each get a minute alone with the analyst and company's CSO.
The courts and legal analysts are barely treading water trying to understand our world, and we in turn can't comprehend why they can't fathom what we are telling them. This judgment is a failure of the system, but it most likely didn't come from the judge's inadequacies; rather it came from the plaintiff's poor technical argument and the federal government's poor attempt at creating security legislation that is ambiguous at best. Acts, such as the GLB, are written in generalities for a reason, because they are written for security professionals as a directorate for us to understand and follow. It is our responsibility to educate those who do not understand, but will make policy indirectly through their actions. GLB and other compliance mandates were intentionally written with ambiguity to keep them relevant, but the legal system wants to use them to define case law, which is not supposed to be ambiguous. So unless we as a group further the education of those around us, prepare to have compliance dictated by those who do not understand, which will eventually make our jobs unbearable.
2. Martin Dubois, CISSP
Very unfortunate!
Goes to show how the North American judicial systems (even here in the Province of Quebec, Canada) have a long way to go to comprehend what Information Security is all about.
I agree with the strict findings in Law, but this instance would have been a good opportunity to hint at what "adequate" security measures could look like... especially for any outfit dealing with personal and financial data.
3. anonymous
Yes, this is unfortunate; all personal and non-public data should be encrypted. It will only be a matter of time before the courts will support this movement.
Dan W. CISSP
4. Graham
Amazing. All data, especially data like that, has got to be encrypted on laptops. The judge is clearly an idiot. As an IT Pro I might as well pack up and go home and let the users manage IT instead. It's obviously much cheaper to sack IT than do the right thing!