[ISN] Police blotter: Wells Fargo not required to encrypt data

From: InfoSec News (isn@private)
Date: Sun Apr 16 2006 - 23:35:14 PDT


http://news.com.com/Police+blotter+Wells+Fargo+not+required+to+encrypt+data/2100-1030_3-6061400.html

By Declan McCullagh 
Staff Writer, CNET News.com
April 14, 2006

"Police blotter" is a weekly CNET News.com report on the intersection
of technology and the law.

What: Wells Fargo Bank customers sue after their personal financial
data was stolen from a contractor that had not encrypted the
information.

When: U.S. District Judge David Doty in Minnesota ruled on March 16.

Outcome: Wells Fargo was found not to be negligent because the
information was never misused by the thieves.

What happened, according to court documents: Wells Fargo had hired
Regulus Integrated Solutions to print monthly statements for certain
customers who had mortgages and student loans from its subsidiaries.  
In October 2004, thieves stole computers from Regulus with unencrypted
customer information including names, addresses, Social Security
numbers and account numbers.

A few weeks later, Wells Fargo alerted its customers and offered to
provide identity protection services.

There has never been any indication to date that thieves did anything
with the data (in other words, they appear to have been after the
computer hardware instead).

Nevertheless, two of the bank's customers, Kristine Forbes and Morgan
Koop, filed a class action suit anyway. They claimed that Wells Fargo
was liable for emotional distress (including fear, anxiety and worry),
negligence, breach of contract and breach of fiduciary duty. Forbes
and Koop claimed that Wells Fargo owed them a cash payout because they
had to spend extra time monitoring their credit reports.

Judge Doty rejected those arguments, saying the pair of would-be class
action plaintiffs had not actually suffered damages. "Plaintiffs have
shown no present injury or reasonably certain future injury to support
damages for any alleged increased risk of harm," he wrote, and granted
the bank's motion for summary judgment.

This is not the first decision of its type. In February, CNET News.com
reported that a federal court tossed out a lawsuit against a
student-loan provider that did not encrypt a customer database that
was subsequently stolen. That judge's reasoning was similar: The data
had not been misused. (Some data breach bills in Congress and state
legislatures also urge the use of encryption.)

Excerpt from the court's opinion: "Plaintiffs contend that the time
and money they have spent monitoring their credit suffices to
establish damages. However, a plaintiff can only recover for loss of
time in terms of earning capacity or wages. Plaintiffs have failed to
cite any Minnesota authority to the contrary. Moreover, they overlook
the fact that their expenditure of time and money was not the result
of any present injury, but rather the anticipation of future injury
that has not materialized.

"In other words, the plaintiffs' injuries are solely the result of a
perceived risk of future harm. Plaintiffs have shown no present injury
or reasonably certain future injury to support damages for any alleged
increased risk of harm. For these reasons, plaintiffs have failed to
establish the essential element of damages. Therefore, summary
judgment in favor of defendant on plaintiffs' negligence claim is
warranted.

"Plaintiffs also bring a claim for breach of contract against Wells
Fargo. To establish their claim, plaintiffs must show that they were
damaged by the alleged breach. For all of the reasons discussed above,
plaintiffs have failed to establish damages. Therefore, summary
judgment in favor of defendant on plaintiffs' breach of contract claim
is warranted."

Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.

 

_________________________________
LayerOne 2006 : Pasadena Hilton : Pasadena, CA
Infomation Security and Technology Conference
http://layerone.info



This archive was generated by hypermail 2.1.3 : Mon Apr 17 2006 - 00:05:44 PDT