Unfortunate Court Ruling Regarding Gramm-Leach-Bliley
In a legal decision that could have broad implications for financial institutions, a court recently ruled that a student loan company was not negligent and did not have a duty under the Gramm-Leach-Bliley statute to encrypt a customer database on a laptop computer that fell into the wrong hands.
Basically, an employee of Brazos Higher Education Service Corporation, Inc., had customer information on a laptop computer he was using at home. The computer was stolen, and a customer sued Brazos.
The judge dismissed the lawsuit. And then he went further:
Significantly, while recognizing that Gramm-Leach-Bliley does require financial institutions to protect against unauthorized access to customer records, Judge Kyle held that the statute “does not prohibit someone from working with sensitive data on a laptop computer in a home office,” and does not require that “any nonpublic personal information stored on a laptop computer should be encrypted.”
I know nothing of the legal merits of the case, nor do I have an opinion about whether Gramm-Leach-Bliley does or does not require financial companies to encrypt personal data in its purview. But I do know that we as a society need to force companies to encrypt personal data about us. Companies won’t do it on their own — the market just doesn’t encourage this behavior — so legislation or liability are the only available mechanisms. If this law doesn’t do it, we need another one.
EDITED TO ADD (2/22): Some commentary here.