GLB Does Not Prohibit Use Of Unencrypted Personal Financial Information On Home Computer
Question: Does the Gramm-Leach-Bliley Act prohibit an employee of a financial institution from working with sensitive personal financial information on a laptop computer at home, or at least require that such information be encrypted?
Answer: No, according to the Minnesota federal court in Guin v. Brazos Higher Education Service Corp. Inc. (D. Minn. 2006) WL 288483.
In this case, a student loan officer employed by a financial institution worked from his home and had access to sensitive, unencrypted customer financial information that was stored on his laptop. When the computer was stolen, the financial institution notified its customers and offered various assistance. One customer sued, alleging the institution was negligent and that Gramm-Leach-Bliley establishes a duty to protect the confidentiality of customers' nonpublic personal information.
The district court granted the financial institution's motion for summary judgment, holding that the institution "had written security policies, current risk assessment reports, and proper safeguards for its customers' personal information" as required by GLB. It also held that GLB "does not prohibit someone from working with sensitive data on a laptop computer in a home office" and does not require that such data be encrypted.
This opinion demonstrates that the standard of care relating to personal data protection is both evolving and elusive. Some analysts have suggested the court reached its conclusion because there was no indication the plaintiff was damaged, or even that the plaintiff's data had been on the laptop when it was stolen. Notably, the court did not examine the financial institution's security policies in detail or articulate any practical guidelines for future cases.
Even though the court found that encrypting the data was not mandatory, evolving technologies can lead to different legal conclusions. It would thus be prudent for financial institutions to monitor such technologies, including location-based encryption technologies, and continue to weigh their relative costs and benefits.

