Minnesota Federal Court Addresses Information Security Breach Negligence Claim
By: BEAU J. HURTIG
June 2006
Part of the Congressional intent in passing the Gramm-Leach-Bliley Act (“GLBA”) was to require financial institutions to protect customers’ private information by establishing programs relating to administrative, technical, and physical safeguards for customer records and information. In response to Congress’ demand for regulations requiring such informational safeguards, the five banking regulatory agencies issued Interagency Guidelines Establishing Standards for Safeguarding Customer Information (“Interagency Safeguards Rule”). This Rule requires banks, among other things, to establish a written information security program (“Security Program”) designed to implement the goals of GLBA—a recent “hot topic” with regulators. We know that the development of a Security Program is essential to regulatory compliance, and that deviating from the Security Program can draw regulatory criticism. However, in cases where a bank customer’s personal information has been compromised, how successful will the bank customer be in relying upon the GLBA provisions when bringing a lawsuit against the bank based on negligence? A Minnesota Federal District Court recently held in Guin v. Brazos Higher Education Service Corporation, Inc., 2006 WL 288483 (D. Minn. 2006), that a negligence claim based on the GLBA provisions will not be successful if the bank maintains a Security Program.
The Guin case involved Brazos Higher Education Service, Inc. (“Brazos”), a nonprofit corporation headquartered in Waco, TX, that originates and services student loans. Brazos is subject to the Federal Trade Commission (“FTC”) safeguards rule entitled Standards for Safeguarding Customer Information (“FTC Safeguards Rule”), a safeguards rule which requires certain “financial institutions” regulated by the FTC to establish a written information security program similar to that required by the Interagency Safeguards Rule. Since both the FTC Safeguards Rule and Interagency Safeguards Rule are based on the provisions of GLBA, they impose similar obligations. Brazos allowed at least one of its employees to work from home and sent electronic databases containing customers’ personal information to this employee’s laptop computer located in his home. Burglars entered the employee’s home and stole a number of items, including the laptop computer. Although Brazos could not determine whether the employee had actually saved customers’ personal information to the laptop, Brazos decided to take the safe route and notify all of its customers of the incident. One of these customers, Guin, brought action against Brazos for, among other claims, negligence in losing the personal information.
In order to prevail on a negligence claim, plaintiffs must prove certain “elements.” One of these “elements” is proving the defendant owed some sort of duty to the plaintiff, always easier to do if a statute imposes a duty on the defendant. A second “element” involves proving the defendant breached this duty in some manner. In the Guin case, Guin argued GLBA imposed a statutory-based duty for Brazos “to protect the security and confidentiality of customers’ nonpublic personal information.” The court accepted the argument that GLBA imposed a statutory duty on Brazos to develop and maintain a security program, thus constituting the first element of negligence. The court next turned its attention to the issue of whether Brazos breached this statutory-based duty.
Guin argued Brazos breached the duties imposed by GLBA by “(1) providing [the employee] with [personal information] that he did not need for the task at hand, (2) permitting [the employee] to continue keeping [personal information] in an unattended, insecure personal residence, and (3) allowing [the employee] to keep [personal information] on his laptop unencrypted.” Brazos argued it did not breach any duties imposed by GLBA. The court observed that “Brazos had written security policies, current risk assessment reports, and proper safeguards for its customers’ personal information as required by [GLBA].” Further, Brazos authorized the employee to maintain customers’ personal information on his laptop because such information was essential to performing his job. Finally, the court noted that GLBA and the FTC Safeguards Rule contain no provisions requiring personal information be encrypted when stored on a laptop computer. Therefore, the court concluded that while GLBA imposed a statutory-based duty on Brazos to protect Guin’s personal information, Brazos met its obligations under the statute and was not negligent in this case. The court ultimately concluded that Brazos acted reasonably in protecting Guin’s personal information and ruled in Brazos’ favor.
Although the Guin case involved a Texas company regulated by the FTC, the case teaches us important lessons relating to the banking industry and GLBA. First, plaintiffs will attempt to use the GLBA requirements as a basis for private litigation. Even though GLBA contains no provisions providing plaintiffs with a private cause of action, plaintiffs will contend that GLBA imposes a statutory-based duty on banks for purposes of a negligence claim. Therefore, banks should be prepared for the possibility of private litigation, in addition to increased regulatory scrutiny, in the event of an information security breach. However, based on Guin, such claims will not be successful if the bank has written security policies, current risk assessment reports, and proper safeguards for customers’ personal information.