Friday, February 10, 2006

Then, What is (or is not?) a Reasonable Safeguard?

The Minnesota federal district court has just issued a decision involving the by-now ubiquitous scenario of a stolen laptop holding an employer's records of consumer financial data stored without encryption. In Guin v. Brazos Higher Education Service Corp., the company, a student loan lender, admitted it had a tort duty to the plaintiff arising out of the Gramm-Leach-Bliley Act requirements to provide reasonable safeguards for the data in its hands, but the court simply stated that "Brazos had written security policies, current risk assessment reports, and proper safeguards for its customers’ personal information as required by the GLB Act." With that, the court concluded that the defendant had not breached its tort duty.

To the plaintiff's point that it was unreasonable for the defendant's policy to allow such sensitive data to be stored on a laptop kept normally at the owner's personal residence without any encryption, the court responded that "Despite Guin’s persistent argument that any nonpublic personal information stored on a laptop computer should be encrypted, the GLB Act does not contain any such requirement."

That last point was what I found interesting -- Of course the GLB Act does not contain any such requirement (nor do any of the implementing regulations). The government's position has been that it merely describes a need for a process, and then allows that process and the practices of the moment developed over time determine what is reasonable at any particular point in time. It does not seem (at least from the face of the opinion) that the court engaged in much more than reviewing a conclusory statement from the defendant that it had imposed reasonable safeguards -- And left it at that.

Of course, keep in mind that this is a case of creation of a tort duty out of the constructs of a law -- It may be reasonable to say that the tort duty is narrower than the regulatory obligation that may be imposed directly. It may be that the FTC (presuming it is the agency with jurisdiction) would have a lesser burden to show a breach (or could at least demand more than a conclusory statement from the defendant). Still, I am troubled that this decision seems to imply that if it's not expressly written down in the law (or regulations) as a necessary method to safeguard, then it does not exist as a duty. It may be reasonable to argue whether the government's choice to demand process but not set standards was the right one, but it was clearly the choice the government took, and now we might wonder if courts will choose to ignore that philosophy (leaving a void in the law).

(The court went on to say that the plaintiff had failed to show any damages, and that because the computer's owner lived in a 'safe neighborhood' the burglary was not reasonably foreseeable -- and stated that both of those were equally fatal to the plaintiff's case standing each on their own. So, maybe we should not look too deeply into the tort duty aspect of the decision.)
