Wednesday, February 15, 2006

No negligence for not encrypting

Here's an interesting case from the US:

Incidents involving missing and stolen data have regularly been in the news and reported on this blog. In many cases, the first question asked is whether the data was encrypted. Or, the company missing the data will very loudly say "don't worry. It was encrypted." In this particular case, a laptop was stolen from an employee's home that contained information on thousands of student loan account holders. The data was not encrypted and there was no evidence that the data was used in connection with any other criminal activity.

One of the individuals involved sued the company that owned the data, arguing that the data should have been encrypted and, by not encrypting it, the company was negligent. Well, a US District Court Judge has thrown out the lawsuit, concluding that Gramm-Leach-Bliley legislation does not mandate encryption. And besides, the laptop was in a house in a low-crime neighbourhood.

See Declan McCullagh's report from CNet News: Judge: Firm not negligent in failure to encrypt data CNET News.com.

Technorati tags: :: .

No comments: