Laptop Encryption: Reasonable and Appropriate?

Senior U.S. District Judge for the District of Minnesota, the Honorable Richard H. Kyle, ruled last week that companies don’t have to encrypt their data as a requirement of the Gramm-Leach-Bliley Act of 1999.  The GLBA places a set of constraints on how financial institutions should handle customer information.  There’s been plenty of coverage on this issue since the ruling.  But I’d like to look at this from a different perspective: given HIPAA, SOX, GLBA, and the standards of ethical behavior, what actions should be considered reasonable and appropriate when protecting sensitive consumer information?

[Image: Judge Kyle (Security Pro News)]

Stacy Lawton Guin, the plaintiff in a suit against John Wright, held that any financial organization storing investor information on electronic media must encrypt that information.  Wright, a financial analyst, did not encrypt Guin’s information on his laptop.  So when his laptop was stolen during a burglary of his residence, Guin became potentially vulnerable to identity theft, fraud, or other types of crime related to the use of sensitive personal information. 

When the case was brought before Judge Kyle, he dismissed it.  Judge Kyle’s reason for dismissal was the lack of encryption requirements in the GLBA.  But does this relieve Wright of all responsibility?  Did he implement “reasonable and appropriate” safeguards to protect his clients’ information?  Let’s examine the facts.

According to information presented before Judge Kyle, Wright’s home was in a low crime area.  Further, the information stolen was in Wright’s home due to the nature of his job; he worked from home as a financial analyst for Brazos Higher Education Service.  Finally, indications were that Wright took reasonable steps to secure his home.  Based on this information, I personally believe Wright did take reasonable and appropriate steps to protect Guin’s information.  But that’s just my opinion.

There are a lot of what-ifs that didn’t make it into the case, probably because they were irrelevant to the incident under review.  I spent about five minutes thinking about variations for how Wright’s laptop data might have been used.  Figure 1 is a short list (strictly fictional).  Next to each condition I list whether I believe encryption should be used.

[Figure 1: Conditions.bmp]

It’s pretty clear that under any circumstances other than leaving his laptop in his locked home, with little or no transient foot traffic, in a low crime neighborhood, it’s reasonable and appropriate to encrypt sensitive customer information stored on the laptop.

The point I’m trying to make is this — Judge Kyle’s decision, based on a necessarily narrow interpretation of the law, shouldn’t be used as an excuse for businesses to immediately back away from any or all projects leading to laptop encryption.  Because the GLBA isn’t grounds for civil liability in this case doesn’t mean that there aren’t strong liability issues under many other circumstances.  Besides, protecting consumer information is the right and ethical thing to do.

Author:  Tom Olzak
