A recent opinion by Judge Kyle held that a company was not negligent because it failed to encrypt a database of customers’ information stored on a laptop that was stolen. Guin v. Brazos Higher Educ. Service Corp., Inc., 2006 WL 288483 (D. Minn., Feb. 7, 2006).
Plaintiff Stacy Guin, a customer of Brazos Higher Education Service, sued the company for negligence for not encrypting customers’ personal information, arguing that encryption should have been a routine security precaution that a reasonable student-loan provider would put in place. The information was stored on a laptop that was stolen during a burglary at the Silver Spring, MD, home of a Brazos financial analyst who worked remotely and analyzed loan portfolios.
As a result of the breach, Brazos hired a private investigator to recover the laptop but was unsuccessful. There has been no evidence of identity theft against any of the 550,000 customers whose information was compromised, and the company took steps to notify its customers in a reasonable time.
Even though Guin had not suffered any harm as a result of the breach, she argued that Brazos was required by the Gramm-Leach-Bliley Act to encrypt personal information and limit its disclosure. Under the statute, financial service companies are required "to protect the security and confidentiality of customers’ nonpublic personal information," 15 U.S.C. 6801.
Judge Kyle disagreed and held that the law does not specifically mandate encryption.
Despite Guin’s persistent argument that any nonpublic personal information stored on a laptop computer should be encrypted, the GLB Act does not contain any such requirement.
...
While it appears that the FTC routinely cautions businesses to "[p]rovide for secure data transmission" when collecting customer information by encrypting such information "in transit," there is nothing in the GLB Act about this standard, and the FTC does not provide regulations regarding whether data should be encrypted when stored on the hard drive of a computer.
Judge Kyle is correct that the statute on its face does not require financial companies to encrypt data, but it is not unlikely that, in a different set of circumstances, encrypting data would be the reasonable thing to do, and a company may be held negligent for not doing so.
Dubbed the ‘NASA hacker’ by the press, Gary McKinnon, the British hacker accused of illegally accessing US government computers, faces a tough extradition hearing in his home country on whether he should be extradited for prosecution in the U.S. McKinnon was charged with computer fraud and with hacking into 97 US government computers, causing $700,000 worth of damages.
McKinnon has said that his actions were prompted by an interest in the U.S. space program and the search for extraterrestrial life. He is "terrified" by the prospect of facing a US court and possibly spending time in a US jail, so the extradition hearing in his home country is of crucial importance.
The seven-count indictment in United States of America v. Gary McKinnon can be found here. Most of the counts allege illegally accessing US government computers under 18 U.S.C. §1030.
Update:
District Judge Nicholas Evans ruled that he would deny the US extradition request unless the US could guarantee that they would not prosecute McKinnon as a terrorist. The defendant’s attorney argued that if his client were treated as a terrorist, the U.S. would have the authority to detain him indefinitely. The case will resume on March 14, 2006.