Unfortunate Court Ruling Regarding Gramm-Leach-Bliley

"A Federal Court Rules That A Financial Institution Has No Duty To Encrypt A Customer Database":

In a legal decision that could have broad implications for financial institutions, a court has ruled recently that a student loan company was not negligent and did not have a duty under the Gramm-Leach-Bliley statute to encrypt a customer database on a laptop computer that fell into the wrong hands.

Basically, an employee of Brazos Higher Education Service Corporation, Inc., had customer information on a laptop computer he was using at home. The computer was stolen, and a customer sued Brazos.

The judge dismissed the lawsuit. And then he went further:

Significantly, while recognizing that Gramm-Leach-Bliley does require financial institutions to protect against unauthorized access to customer records, Judge Kyle held that the statute "does not prohibit someone from working with sensitive data on a laptop computer in a home office," and does not require that "any nonpublic personal information stored on a laptop computer should be encrypted."

I know nothing of the legal merits of the case, nor do I have an opinion about whether Gramm-Leach-Bliley does or does not require financial companies to encrypt personal data in its purview. But I do know that we as a society need to force companies to encrypt personal data about us. Companies won't do it on their own -- the market just doesn't encourage this behavior -- so legislation or liability are the only available mechanisms. If this law doesn't do it, we need another one.

EDITED TO ADD (2/22): Some commentary here.

Posted on February 21, 2006 at 1:34 PM • 28 Comments

Comments

Lee • February 21, 2006 2:00 PM

I agree, I think sensitive data on a laptop carries a higher risk than a server locked in a room somewhere, for exactly the reason seen in this case, physical theft is more of a threat.

jmc • February 21, 2006 2:16 PM

The logical conclusion would be to message the thief, telling him to do something ugly with this data (if he doesn't do it anyway) like publishing it on the internet or something similar visible to the public. Then financial damage would result in someone suing the institute big time and things would need to change.
Just an imperfect solution for an imperfect world :>

Mike Sherwood • February 21, 2006 2:17 PM

If the person is a victim of identity theft, there is no way to prove that the negligence of a particular organization is to blame. In order to prove that to the satisfaction of a court, it would be necessary to get everyone in the chain of custody of your information to confess to the crimes they committed to show that the one source was the sole cause of all of the individual's problems.

When the same information is stored in thousands of places, every organization has plausible deniability, even in the case of a high profile breach. I've had my passport and social security card stolen and there is absolutely nothing I can do to prevent exposure for the rest of my life. This is a fundamental flaw in the way we handle information. If this were a computer being compromised, I would be able to go through a nontrivial process to secure the environment and get back up and running. There is no equivalent in the real world for real people.

Protecting information is expensive and there is no real liability for not doing it right now. In the business world, that leads to a simple, predictable conclusion - it's not done. This case is a perfect example of how it works in the real world - documentation is generated to demonstrate the existence of a policy and that's the end of it.

Unfortunately, I don't see this situation changing without widespread identity theft against every executive of every major company and every judge in the country. Only when it becomes personal to the people making decisions will the priorities shift. The following article mentions the epiphany Scott McNealy had when he found out his information was lost:

http://www.securityfocus.com/news/11377

paul • February 21, 2006 2:23 PM

The only good news is that, if it's a motion for summary judgement, the decision is from a judge at the bottom level of the system and has little precedential power. From the facts given in the link, it sounds as if the judge wanted to slap the plaintiff for filing a suit when he had no clearly visible damages, and let that desire get the better of his discretion.

Given that there was apparently no need for the plaintiff's personal information to be on the stolen laptop in the first place (you don't need the name, address and SSN associated with loans to do financial analysis on a loan portfolio), one wonders just what kind of negligent behavior this particular judge would require to find a violation under Gramm-Leach-Bliley. As it is, the phrase sounds a little like the "technological measure" mumbo-jumbo in the DMCA.

Hritz • February 21, 2006 2:23 PM

I guess the real question here is whether the Gramm-Leach-Bliley act was the correct statute to use in the legal argument. This could be a case of a bad strategy as much as anything. In the op-ed on Findlaw, the plaintiff could demonstrate no harm, so it's tough to see merit. The reason to encrypt and to control access has as much to do with preventing lost reputation and business as it does with avoiding litigation.

fp • February 21, 2006 2:44 PM

I guess the judge is right on the matter of encryption. What is important is that customer data is protected. Whether that is achieved through encryption is irrelevant. Keeping unencrypted data in a secure place works just as well, given a sufficient definition of "secure place" (to be refined by courts over time). Obviously, the institution in this case did neither.

Nell Walton • February 21, 2006 2:54 PM

Unfortunately, there have been more and more decisions that are turning on very narrow interpretations in some of these laws; this particular ruling is similar to what's going on in some of the Sarbanes whistleblower cases at both the DOL and in the federal courts. Surely this judge doesn't mean that the law should say 'any sensitive data stored on a laptop must be encrypted'? That would be patently absurd. I have to agree with paul - the judge may have been aggravated about the case being filed with no concrete damages - that is what I hope anyway.

Captain Ned • February 21, 2006 2:55 PM

I'm a bank regulator in my day job and spend a fair bit of time performing IT examinations of our regulated entities.

While there's no explicit requirement under GLBA to encrypt data residing on any computer, we strongly advise them to do so. So far, at least in my corner of the universe, we've not had many arguments against encryption.

Here's what we use as a standard for review:

http://www.ffiec.gov/ffiecinfobase/html_pages/...

Here's the workprogram I use for Information Security reviews:

http://www.ffiec.gov/ffiecinfobase/booklets/...

rjh • February 21, 2006 3:00 PM

After more time has passed and admissible evidence is available, court rulings like this might change. Until it is reasonably established in industry that good practice requires encryption, the courts are not going to push technology changes. The definition of "negligence" does change as technology evolves in other disciplines. But the courts lag the accepted practice. They only push beyond minimal accepted practices when actual harm occurs.

My expertise is greater in the HIPAA area, where I think this case would also founder, but not as badly. HIPAA does establish a penalty for unauthorized disclosure, thus establishing a degree of harm. But a private suit without actual injury would not get anywhere. The penalty would need to be imposed as the result of an administrative assessment by the appropriate regulatory agency. Past HIPAA data losses have generally resulted in regulatory attention to procedural changes and only symbolic penalties. The current regulatory attitude is that there is enough new risk in the computer environment that it is better for society to encourage procedural changes by eliminating the fear of draconian financial penalties.

Ex-McAfee • February 21, 2006 4:28 PM

Apparently, an audit firm recently lost a CD with my information on it along with an undisclosed number of current and other former McAfee employees.

They are giving me two years of "Equifax Credit Watch" for my troubles (includes monitoring, $20K in zero deductible identity theft insurance, victim assistance).

Given the results of the Gramm-Leach-Bliley case, McAfee could have left the costs of the lost CD an "externality" but instead chose this other option.

I assume after this financial hit, McAfee will be looking to better protect its private data.

jammit • February 21, 2006 4:49 PM

The data needs to be secure. Encryption is a pretty good idea if you're going to be leaving sensitive data just lying around. If each name cost Brazos a dollar each, I'm quite certain they'd be hiring armed guards.

SteveS • February 21, 2006 7:53 PM

I work for a health insurance company, and corporate laptops have full-hard-disk encryption installed on them. Not just certain directories, everything - even the MS Office executables are protected from prying eyes :) There's no distinction between job roles, either. My job does not entail me having personal data on my laptop, but if it's a laptop, it's encrypted.

I do not know what GLBA entails, but between HIPAA and the many requirements of doing business with the federal government, it's either a necessity or a really good idea. It's not even all that inconvenient, though I'm sure our help desk has to deal with numerous security-related issues that they didn't need prior to the encryption software.

I never really thought of my company as particularly forward-thinking, but from some of the security breach stories we've been seeing lately, I may have to change that assessment.

Benkay • February 21, 2006 7:53 PM

No, I disagree. There's an obligation to keep the data secure, but not to secure the data itself. Of course, encrypting the data could mitigate imposed penalties. Penalties that, in my opinion, should start at minimums so expensive even the multinationals would start to pay attention.

Mike S. • February 21, 2006 8:22 PM

They made the right ruling. Government has no business specifying *how* to secure the data. The bank should still get smacked for losing the data or taking insufficient measures, but I think that asking the government to lay out a series of steps for securing the data is asking for trouble.

An example is Sarbanes-Oxley: the need for accountability is mandated by the government, but the *how* (SAS70), is not a law.

Aaron Graves • February 21, 2006 11:43 PM

I think it's a rather scary situation... that a corporate entity such as this has confidential customer data on a laptop that is allowed to leave the premises. While I'm not sure the Government is the right body to set standards in matters such as this, I feel it's an obligation of the bank (or whatever company) to ensure this data is protected if it's on a medium that leaves the walls of the organization.

Clive Robinson • February 22, 2006 6:49 AM

Folks I'm going to go against the grain of what looks like common sense and say that 'Personal Data Should Not be Encrypted'

My reasoning is as follows,

1 - If you lose encrypted data you have a built in defence "it's encrypted", therefore you do not take sensible precautions with the data (I think most would agree that's the likely outcome).

2 - If you do not take sensible precautions with the data, are you any more likely to take care of the key material (we have all seen yellow stickies in drawers under keyboards etc with passwords on).

3 - If a Company XX loses your data and it's unencrypted they have clearly shown a lack of "reasonable care". If however they lose an encrypted disk it gives XX a "get out of jail free card". You as the person who has had your data lost then have the very very very difficult task of proving that XX was as negligent with its keymat, I wish you a lot of luck trying to get sufficient evidence to get "reasonable probability" on that one.

@nonym0us • February 22, 2006 8:25 AM

@Mike S.

They made the right ruling. Government has no business specifying *how* to secure the data. The bank should still get smacked for losing the data or taking insufficient measures, but I think that asking the government to lay out a series of steps for securing the data is asking for trouble.

This isn't a matter of asking the government "how" to secure data. It's laying out how to properly interpret the "reasonable man" argument. Most likely the issue with the judge was a "reasonable man" would not sue if he could not show any harm. If he could show harm, then a "reasonable man" could then argue the data should be encrypted.

The problem with the judge is this places all the burden on the victim. The victim now has to research all the possible places his identity may be compromised. Then as pointed out earlier show the "chain of custody" to at least show it was likely that the harm came from the loan company. All this while maintaining regular employment and a life. While the company with all the resources and a party to the problem walks away.

Nocturn • February 22, 2006 8:26 AM

I know nothing about this law (don't even live in the US), but it should be obvious that a company that had your data unencrypted on a system would be liable when it gets stolen.

I agree with Bruce, if the law doesn't already make a problem out of this, it should (everywhere in the world).

Mad Patter • February 22, 2006 9:02 AM

So I read this story yesterday and thought, "what morons -- of course they should be required to encrypt it, among other things". Then I went home to find a letter from a former employer explaining how a vice president had lost a CD containing personal information about current and former employees, but not to worry because they were offering me a free two year subscription to some credit agency.

The punchline is that this former employer is McAfee (aka Network Associates). Aside from being a security-based company, they used to own PGP. I don't think they ever got the hang of it.

EncryptThis • February 22, 2006 9:12 AM

I'm not a legal guy, I'm a techie. I believe in taking responsibility where appropriately required, not pointing fingers out of guilt. So that might be my problem.

First: the laptop was STOLEN from the home. That is the key word. They didn't just give it away. They didn't leave it in the garbage unshredded. Or leave the laptop sitting on a coffee house table. It was stolen.

Second: Encryption is a cop out. As long as technology improves, there will always be ways to hack. I could hold that drive for years. Make backups, move to upgraded devices and eventually I'll be able to get the data. And given that it's personal data and the average life span is increasing -- my bet, I'll have your information (SSN and Name) before you aren't around.

Clive Robinson • February 22, 2006 9:47 AM

@EncryptThis

"First: the laptop was STOLEN from the home"

Are you actually certain of this? In the UK, insurance companies claim that a considerable number of claims of "STOLEN" are in fact left at ticket office / cafe / pub / car park etc.

My point is unless you were there you do not know (nor do I), anyway it should have been locked up if it was not in use. How many professional US Citizens have safes these days?

Whichever way you cut it, lost/stolen, it's negligence.

The person who lost it probably thought "it's just a laptop" not "the data on this is worth XXXX" or more importantly "losing this will bring the company I work for into disrepute", that is negligent thinking on their behalf.

In the UK most employment contracts have a disrepute clause which gets you slung out the door.

Bazzargh • February 22, 2006 10:08 AM

Mike S: "They made the right ruling. Government has no business specifying *how* to secure the data."

They already ask them to establish appropriate standards. We're talking about 550,000 records here. What value do you put on your personal details - say $1? Would you think it reasonable to have $550,000 sitting in a bank, but not in the safe? Or to have a $550,000 car with no locks?

Or just consider the risks. 12%-16% of US households experience property crime per year (http://www.ojp.usdoj.gov/bjs/pub/ascii/cv04.txt)
Even assuming the laptop travels with the owner, about 14% of US burglaries happen when the homeowner is present; and a laptop would be right at the top of the list of things to steal. So being generous, a "no encryption" policy leads to a 1% risk that all your data will be stolen this year. If 64 employees have laptops, the odds of a catastrophic loss drop to 50/50. Does this still sound like an appropriate standard?
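The compound-risk arithmetic in this comment, worked through as an added example that is not part of the original thread: it assumes each laptop independently carries the 1% annual theft risk the comment settles on, and computes the fleet-wide chance of at least one loss plus the fleet size at which that chance reaches 50%. The function names and the per-laptop risk derivation are this example's own constructions, not figures from the page.

```python
"""Fleet-wide annual loss probability for laptops holding customer data."""
import math


def per_laptop_risk(property_crime_rate: float, fraction_when_present: float) -> float:
    """Rough per-laptop annual theft risk (constructed reading of the comment's
    figures): household property crime rate scaled by the share of burglaries
    that happen even while the owner, and so the laptop, is at home."""
    return property_crime_rate * fraction_when_present


def fleet_loss_probability(risk: float, laptops: int) -> float:
    """P(at least one of `laptops` is lost in a year), assuming each loss is an
    independent event with annual probability `risk`: 1 - (1 - risk)^n."""
    if not 0.0 <= risk <= 1.0 or laptops < 0:
        raise ValueError("risk must lie in [0, 1] and laptop count be non-negative")
    return 1.0 - (1.0 - risk) ** laptops


def laptops_for_risk(risk: float, target: float) -> int:
    """Smallest fleet size at which the annual loss probability reaches `target`.
    Solves 1 - (1 - risk)^n >= target for n."""
    if not 0.0 < risk < 1.0 or not 0.0 < target < 1.0:
        raise ValueError("risk and target must lie strictly between 0 and 1")
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - risk))


if __name__ == "__main__":
    # Constructed inputs: 12%-16% household property crime, ~14% of burglaries
    # with the owner present, as quoted in the comment.
    low, high = per_laptop_risk(0.12, 0.14), per_laptop_risk(0.16, 0.14)
    print(f"per-laptop risk from the quoted figures: {low:.1%} to {high:.1%}")
    p = 0.01  # the comment's "generous" rounding
    print(f"64 laptops at {p:.0%}: {fleet_loss_probability(p, 64):.1%} chance of a loss")
    print(f"fleet size for a 50/50 annual loss: {laptops_for_risk(p, 0.5)}")
```

Losses are unlikely to be fully independent in practice (shared travel, shared offices), so the figure is a lower bound on correlated risk rather than a precise estimate.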

EncryptThis • February 22, 2006 10:22 AM

@Clive:

Odds are a weak argument. I don't care if it is 1,000,000:1 that (s)he is telling the truth that it was stolen.

I'm sure the rape victim would love to hear the cop say: Odds are you weren't raped because the time that it occurred was broad daylight.

Roy • February 22, 2006 10:59 AM

Try a nondigital analogy: You entrust someone with your keyring. Not only does he lose it, but after he took it from you he added a tag with your name and address on it.

Thanks to the tag, the finder knows where the locks are those keys fit. Without the tag, he has a set of keys but no locks to use them on.

The guy you trusted not only wronged you, he compounded his guilt by enabling the random finder of your keyring to harm you.

In the Brazos case, leaving the information -- keys, really -- in plain text is akin to clearly identifying where to find the locks the keys fit. Encrypting the information leaves the keys on the ring, so to speak, with no idea where to find the locks.

Now, imagine a bank officer accidentally leaving a briefcase full of safe deposit box keys in the back of a cab. No culpability?

John J • February 22, 2006 12:00 PM

If you read the summary judgement (it's only 14 pages and not full of legalese), the judge states pretty clearly why he ruled in favor of Brazos. GLBA, HIPAA, and every other law don't specify exactly what needs to be done to secure information--they specify the goals. Plus, there was no proof that the person's information was contained on the laptop and he hadn't actually been injured (yet!). You can't sue for damages that *may* happen.
Plus this is a minor ruling in a court in one state/jurisdiction. If this was the Supreme Court it would be a whole different matter. Another judge in another case in another place can rule differently.

Matthias Leisi • February 23, 2006 5:15 AM

Encrypting a single database stored on an end-user machine does not offer a lot of benefit in terms of security.

If a company has the habit of using local databases, they will surely also have the habit of storing other data on local drives. Therefore, encrypting that local machine (to be more precise: the hard drive) would be an efficient and effective security measure (given the right encryption solution).

So rather than saying "unencrypted databases are OK", the judge should have said: "You don't take precautions against theft of portable devices? You lose. Here is your fine."
