X

Police blotter: Wells Fargo not required to encrypt data

Bank wins ruling in suit claiming its contractor should have encrypted customer data on computers that were stolen.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
See full bio
Declan McCullagh
3 min read
"Police blotter" is a weekly CNET News.com report on the intersection of technology and the law.

What: Wells Fargo Bank customers sue after their personal financial data was stolen from a contractor that had not encrypted the information.

When: U.S. District Judge David Doty in Minnesota ruled on March 16.

Outcome: Wells Fargo was found not to be negligent because the information was never misused by the thieves.

What happened, according to court documents: Wells Fargo had hired Regulus Integrated Solutions to print monthly statements for certain customers who had mortgages and student loans from its subsidiaries. In October 2004, thieves stole computers from Regulus with unencrypted customer information including names, addresses, Social Security numbers and account numbers.

A few weeks later, Wells Fargo alerted its customers and offered to provide identity protection services.

There has never been any indication to date that thieves did anything with the data (in other words, they appear to have been after the computer hardware instead).

Nevertheless, two of the bank's customers, Kristine Forbes and Morgan Koop, filed a class action suit anyway. They claimed that Wells Fargo was liable for emotional distress (including fear, anxiety and worry), negligence, breach of contract and breach of fiduciary duty. Forbes and Koop claimed that Wells Fargo owed them a cash payout because they had to spend extra time monitoring their credit reports.

Judge Doty rejected those arguments, saying the pair of would-be class action plaintiffs had not actually suffered damages. "Plaintiffs have shown no present injury or reasonably certain future injury to support damages for any alleged increased risk of harm," he wrote, and granted the bank's motion for summary judgment.

This is not the first decision of its type. In February, CNET News.com reported that a federal court tossed out a lawsuit against a student-loan provider that did not encrypt a customer database that was subsequently stolen. That judge's reasoning was similar: The data had not been misused. (Some data breach bills in Congress and state legislatures also urge the use of encryption.)

Excerpt from the court's opinion: "Plaintiffs contend that the time and money they have spent monitoring their credit suffices to establish damages. However, a plaintiff can only recover for loss of time in terms of earning capacity or wages. Plaintiffs have failed to cite any Minnesota authority to the contrary. Moreover, they overlook the fact that their expenditure of time and money was not the result of any present injury, but rather the anticipation of future injury that has not materialized.

"In other words, the plaintiffs' injuries are solely the result of a perceived risk of future harm. Plaintiffs have shown no present injury or reasonably certain future injury to support damages for any alleged increased risk of harm. For these reasons, plaintiffs have failed to establish the essential element of damages. Therefore, summary judgment in favor of defendant on plaintiffs' negligence claim is warranted.

"Plaintiffs also bring a claim for breach of contract against Wells Fargo. To establish their claim, plaintiffs must show that they were damaged by the alleged breach. For all of the reasons discussed above, plaintiffs have failed to establish damages. Therefore, summary judgment in favor of defendant on plaintiffs' breach of contract claim is warranted."