Bruce Schneier reports that a Federal Court has ruled that a financial institution has no duty to encrypt customer databases under the Gramm-Leach-Bliley statute. From the article:
In a legal decision that could have broad implications for financial institutions, a court has ruled recently that a student loan company was not negligent and did not have a duty under the Gramm-Leach-Bliley statute to encrypt a customer database on a laptop computer that fell into the wrong hands.
… Significantly, while recognizing that Gramm-Leach-Bliley does require financial institutions to protect against unauthorized access to customer records, Judge Kyle held that the statute “does not prohibit someone from working with sensitive data on a laptop computer in a home office,” and does not require that “any nonpublic personal information stored on a laptop computer should be encrypted.”
This is troubling, and I completely agree with Bruce’s thoughts on the matter:
I know nothing of the legal merits of the case, nor do I have an opinion about whether Gramm-Leach-Bliley does or does not require financial companies to encrypt personal data in its purview. But I do know that we as a society need to force companies to encrypt personal data about us. Companies won’t do it on their own — the market just doesn’t encourage this behavior — so legislation or liability are the only available mechanisms. If this law doesn’t do it, we need another one.