Welcome to Maryam's Security Site

Security Article: Strict liability for data breaches?

This article relates to the law discussions we had in class. It's a true example of when we say "it depends" as the answer to a question regarding the law. A recent case involving a stolen laptop containing 550,000 people's full credit information sheds new light on what "reasonable" protections a company must make to secure its customer data, and on what customers need to prove in order to sue for damages.

In this case, one of the gentlemen (Stacy Guin) whose information was exposed tried to sue the mortgage company (Brazos). The mortgage company had hired a financial analyst to review its loan portfolio, and that person's laptop, with all the information on it, was stolen from his house. In order to succeed, Guin had to show that the loan company owed him a duty to protect his information, that the theft of the laptop was reasonably foreseeable, and that Brazos failed to take reasonable efforts to prevent the loss of the data. Guin would also have to show that this failure was the legal cause of some damage or injury. The standard of care for the prevention of harm is typically what the law calls the "reasonable man" standard: what would a reasonable person (or company) of ordinary prudence do? The law doesn't define "reasonable". There are lots of ways to define it: common practice, industry standards, best practices, whatever everybody else is doing.

The court did not find the mortgage company guilty and said that the mortgage company had written security policies and risk assessment reports, even though they didn't even mention what the company actually did with these reports. The court concluded that the mortgage company had complied with the statutory provisions of the GLBA (Gramm-Leach-Bliley Act), so they were not found negligent.

But the surprising part is that the GLBA establishes goals, not procedures. The procedures are supposed to be set up by the companies themselves. The court should have looked beyond the standards and should have asked: "Should it be? Could we reasonably do better?" After all, portable sensitive information is a hot topic today, and I think people are addressing it too loosely. Most consulting work is related to this portability of sensitive information, and it should be given more emphasis.

Entities should reasonably ask themselves a few simple questions, such as: (1) does this information really need to be portable; (2) can it simply be made remotely accessible, and can this be done more securely; (3) does all of the information need to be accessible at all times; (4) can all or part of the information be encrypted at any time; (5) are there reasonable technologies that will, if deployed, better protect this data?

"An ounce of prevention is worth a kilogram of cure".

Reference:
Strict liability for data breaches?
