Perspective: Ducking a bullet over data encryption

In a legal decision that could have broad implications for financial institutions, a court ruled recently that a student loan company was not negligent and did not have a duty under the Gramm-Leach-Bliley statute to encrypt a customer database on a laptop computer that fell into the wrong hands. Intrigued? Read on.

Stacy Lawton Guin filed a federal lawsuit in Minnesota, claiming that Brazos Higher Education Service Corporation negligently permitted an employee to keep unencrypted, private customer data on a laptop computer that ultimately was stolen from the employee's home.

The background leading up to the lawsuit goes like this. Brazos, a company that originates and services student loans, had about 365 employees, including John Wright, a financial analyst. Though Brazos is based in Texas, Wright worked from his home in Maryland.

As part of his work, Wright analyzed loan portfolios, including purchasing portfolios from other lending institutions and purchasing bonds financed by student loan interest payments. Before conducting a financial analysis, Wright would receive an electronic database from the Brazos finance department in Texas. When he performed asset-liability management for Brazos, he obtained loan-level details, including customers' personal information.

All is well and good, right? Wrong. In September 2004, Wright's home was burglarized and various items, including the laptop issued by Brazos to Wright, were stolen. Despite a police and private investigation, the laptop never was recovered.

Brazos determined that Wright had received databases containing personal information of borrowers seven times before the laptop was stolen. Because it was not clear which specific borrowers had their personal information at risk after the theft of the laptop, Brazos sent a notification letter to all of its more than 500,000 customers.

Coming full circle, Guin, who had acquired a student loan through Brazos in August 2002, received the notification letter and contacted a Brazos call center to ask follow-up questions. He then tracked his credit status through various credit agencies but found no evidence of any identity theft or other fraud relating to his personal information. Indeed, according to Brazos, none of its borrowers suffered any fraud as a consequence of the theft of Wright's laptop.

Regardless, Guin filed his federal lawsuit against Brazos, claiming the company had been negligent by improperly protecting his personal information and improperly delegating control of his personal information to another (Wright). Guin asserted that he had suffered out-of-pocket loss, emotional distress and incidental damages.

At the heart of Guin's lawsuit was the allegation that under the Gramm-Leach-Bliley Act, Brazos had a heightened duty to protect customer information, including the duty to make sure personal information on laptops was encrypted.

In response to Guin's lawsuit, Brazos filed a summary judgment motion. By way of this motion, Brazos argued that Guin's case was so lacking in merit that it should be dismissed without the need for a trial.

Judge Richard Kyle agreed with Brazos, granted the motion and dismissed Guin's lawsuit. While recognizing that Gramm-Leach-Bliley does require financial institutions to protect against unauthorized access to customer records, Judge Kyle held that the statute "does not prohibit someone from working with sensitive data on a laptop computer in a home office," and does not require that "any nonpublic personal information stored on a laptop computer should be encrypted."

Financial institutions across America are likely breathing a sigh of relief knowing that the bar has not been raised further in terms of the protective measures they must take under Gramm-Leach-Bliley.

Biography
Eric J. Sinrod is a partner in the San Francisco office of Duane Morris. His focus includes information technology and intellectual-property disputes. To receive his weekly columns, send an e-mail to ejsinrod@duanemorris.com with "Subscribe" in the subject line. This column is prepared and published for informational purposes only, and it should not be construed as legal advice. The views expressed in this column are those of the author and do not necessarily reflect the views of the author's law firm or its individual partners.

Wrong Judgement
by duerra February 22, 2006 1:00 PM PST
I disagree with the judge's ruling in this case. I don't disagree, necessarily, that the plaintiff should be awarded any (substantial) damages because he really didn't sustain any notable harm, but I disagree with the ruling that the company was not negligent with this guy's personal information. There is absolutely *zero* reason why all of this private data should be on *any* worker's laptop computer. This is why they have things such as servers, VPN, and all the other plethora of technology that is out there to protect against this kind of scenario. The company was negligent, plain and simple. Having a database worth of personal information on any company laptop computer is unacceptable.
Whew! That WAS close!!
by ejevo February 22, 2006 1:41 PM PST
Man, we IT people almost had to enact reasonable security measures and protect data on a platform that is inherently more susceptible to theft than the normal datacenter resource. Thank goodness for the short-sightedness of that judge. Now it's back on the customer to be sweating bullets, and not us people who control the AIC triad. <ouch - I think I sprained my sarcastic gland on that one>
Punitive judgement is in order, get an ex witness
by February 24, 2006 5:33 AM PST
This judge must read "heightened" as not posting on the internet or something. It would seem as though, if that were the case, the law would read "duty to protect customer information." Taking a laptop home with my documents stored on it is what I do. I lock my doors, etc. I don't post them on internet sites. "Heightened" would be to go to additional measures. I lock my door because my laptop cost $3000, not because I have important documents. If I did, I would indeed encrypt them and the entire disk, which is not hard to do and does not impede performance. I do these computer things, though, and understand that it is hard to know encryption, which is why a computer tech should have been employed to do encryption, or recommend other means, but for hard-drive-stored data, encryption is what is needed. This would be able to protect the data for years and years. IBM makes it extra easy given the finger reader. Nothing was done and data, a lot of data, was in the wrong hands, just taken from the house.