To Encrypt or Not to Encrypt? That is the Question
TWO RECENT COURT CASES have led to speculation that the Gramm-Leach-Bliley Act (GLB) does not require financial services companies to encrypt customer data. But legal experts warn not to read too much into these decisions.
In one case, Guin v. Brazos Higher Education Service (U.S. District Court for the District of Minnesota, 2006), a laptop containing unencrypted student loan information was stolen from the home of a Brazos employee. The company informed its customers of the theft.
Stacy Guin’s information was on the computer, and she sued Brazos for negligence. The United States District Court in Minnesota granted Brazos’ request for summary judgment, a ruling entered on the undisputed facts of the case without a trial.

In the second case, Forbes v. Wells Fargo Bank (U.S. District Court for the District of Minnesota, 2006), laptops containing data on student loan and mortgage customers were stolen from a subsidiary of Wells Fargo. The plaintiffs sued for breach of contract, breach of fiduciary duty, and negligence. Again, the court granted summary judgment to the defendant.
In both cases, says attorney Jeffrey D. Neuburger, a partner in the New York City office of Brown, Raysman, Millstein, Felder & Steiner, the courts found that there was no negligence because there was no evidence of any damage or injury, such as theft of identity, to any of the plaintiffs. To prove negligence, a plaintiff must sustain damage, and both courts cited a 1982 case that says “the threat of future harm, not yet realized, will not satisfy the damage requirement.”
The judge in the Guin case also concluded that GLB does not require financial institutions to implement encryption. Guin had argued that Brazos had breached the duty imposed by GLB in part because it allowed its employee to keep personal information unencrypted on his laptop. The court disagreed, writing, “Despite Guin’s persistent argument that any nonpublic personal information stored on a laptop computer should be encrypted, the GLB Act does not contain any such requirement.”
Rather than mentioning specific technologies, GLB demands “administrative, technical, and physical safeguards that are appropriate” to protect customer data. That’s because legislators typically try to keep legislation technology-neutral, relying on case law to determine what qualifies as appropriate.
Eric J. Sinrod, partner in the San Francisco office of Duane Morris LLP, says, “The way the judge is reading this statute, essentially the legislators would have to have a laundry list of every potential instance in which encryption would be required. I’m not sure all judges would see it that way; judges might look at broader language of the statute and the intent behind the statute, and the people for whom the statute is designed...and decide differently.”
Both Neuburger and Sinrod think that future cases will lead to different interpretations of what GLB requires. “I think it would be a mistake to get any sense of false comfort from these decisions,” Neuburger says. “I think financial institutions should be focusing on Gramm-Leach-Bliley and their data-security practices, and really evaluating them periodically because I think the standards might change.”
Sinrod agrees, saying that future cases where plaintiffs have suffered identity theft after a laptop has been stolen may very well result in different conclusions by courts. In the meantime, he counsels caution. “Do whatever you possibly can to protect customer data. Go beyond best practices, go beyond what the law requires,” he says. “It’s good business, and it can save you a lot of money on the back end if you would otherwise get it wrong.”