Ducking a bullet over data encryption

In a legal decision that could have broad implications for financial institutions, a court ruled recently that a student loan company was not negligent and did not have a duty under the Gramm-Leach-Bliley statute to encrypt a customer database on a laptop computer that fell into the wrong hands. Intrigued? Read on. Stacey Lawton Guinn filed a federal lawsuit in Minnesota, claiming that Brazos Higher Education Service Corporation negligently permitted an employee to maintain unencrypted, private customer data on a laptop computer that ultimately was stolen from the employee's home.

The background leading up to the lawsuit goes like this. Brazos, a company that originates and services student loans, has had about 365 employees, including John Wright, a financial analyst. Though Brazos is based in Texas, Wright has worked from his home in Maryland.

As part of his work, Wright analyzes loan portfolios, including purchasing portfolios from other lending institutions and purchasing bonds financed by student loan interest payments. Before conducting a financial analysis, Wright has received an electronic database from the Brazos finance department in Texas. When he performs asset-liability management for Brazos, he has obtained loan-level details, including customer personal information.

All is well and good, right? Wrong. In September 2004, Wright's home was burglarized and various items, including the laptop issued by Brazos to Wright, were stolen. Despite a police and private investigation, the laptop never was recovered.

Brazos determined that Wright had received databases containing personal information of borrowers seven times before the laptop was stolen. Because it was not clear which specific borrowers had their personal information at risk after the theft of the laptop, Brazos sent a notification letter to all of its more than 500,000 customers.

Coming full circle, Guin, who had acquired a student loan through Brazos in August 2002, received the notification letter and contacted a Brazos call center to ask follow-up questions. He then tracked his credit status through various credit agencies but found no evidence of any identity theft or other fraud relating to his personal information. Indeed, according to Brazos, none of its borrowers suffered any fraud as a consequence of the theft of Wright's laptop.

Regardless, Guin filed his federal lawsuit against Brazos, claiming the company had been negligent by improperly protecting his personal information and improperly delegating control of his personal information to another (Wright). Guin asserted that he had suffered out-of-pocket loss, emotional distress and incidental damages.

At the heart of Guin's lawsuit was the allegation that under the Gramm-Leach-Bliley Act, Brazos had a heightened duty to protect customer information, including the duty to make sure personal information on laptops was encrypted.

In response to Guin's lawsuit, Brazos filed a summary judgment motion. By way of this motion, Brazos argued that Guin's case was so lacking in merit that it should be dismissed without the need for a trial.

Judge Richard Kyle agreed with Brazos, granted the motion and dismissed Guin's lawsuit. While recognizing that Gramm-Leach-Bliley does require financial institutions to protect against unauthorized access to customer records, Judge Kyle held that the statute "does not prohibit someone from working with sensitive data on a laptop computer in a home office," and does not require "any nonpublic personal information stored on a laptop computer should be encrypted."

Financial institutions across America are likely breathing a sigh of relief knowing that the bar has not been raised further in terms of the protective measures they must take under Gramm-Leach-Bliley.