
Business Law 11th Edition by Kenneth Clarkson,Roger LeRoy Miller,Gaylord Jentz,Frank Cross

Edition 11, ISBN: 978-0324655223
Exercise 10
Guin v. Brazos Higher Education Service Corp.
United States District Court, District of Minnesota, 2006. __ F.Supp.2d __.
• Background and Facts Brazos Higher Education Service Corporation, which is based in Waco, Texas, makes and services student loans. Brazos issued a laptop computer to its employee John Wright, who worked from an office in his home in Silver Spring, Maryland, analyzing loan information. Wright used the laptop to store borrowers' personal information. In September 2004, Wright's home was burglarized and the laptop was stolen. Based on Federal Trade Commission (FTC) guidelines and California state law (which requires notice to all resident borrowers), Brazos sent a letter to all of its 550,000 customers. The letter stated that "some personal information associated with your student loan, including your name, address, Social Security number and loan balance, may have been inappropriately accessed by [a] third party." The letter urged borrowers to place "a free 90-day security alert" on their credit bureau files and review FTC consumer assistance materials. Brazos set up a call center to answer further questions and track any reports of identity theft. Stacy Guin, a Brazos customer, filed a suit in a federal district court against Brazos, alleging negligence. Brazos filed a motion for summary judgment.
KYLE, J. [Judge]
* * * *
* * * [N]egligence [is] the failure to exercise due or reasonable care. In order to prevail on a claim for negligence, a plaintiff must prove [among other things] the existence of a duty of care [and] a breach of that duty * * *. [Emphasis added.]
* * * *
Guin argues that the Gramm-Leach-Bliley Act (the "GLB Act") establishes a statutory-based duty for Brazos to protect the security and confidentiality of customers' nonpublic personal information.
* * * Brazos concedes that the GLB Act applies to these circumstances and establishes a duty of care. The GLB Act was created "to protect against unauthorized access to or use of such records which could result in substantial harm or inconvenience to any customer [of a financial institution]." Under the GLB Act, a financial institution must comply with several objectives, including:
Develop, implement, and maintain a comprehensive written information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue * * *.
Guin argues that Brazos breached the duty imposed by the GLB Act by (1) "providing Wright with [personal information] that he did not need for the task at hand," (2) "permitting Wright to continue keeping [personal information] in an unattended, insecure personal residence," and (3) "allowing Wright to keep [personal information] on his laptop unencrypted." * * *
The Court concludes that Guin has not presented sufficient evidence from which a fact finder could determine that Brazos failed to comply with the GLB Act. In September 2004, when Wright's home was burglarized and the laptop was stolen, Brazos had written security policies, current risk assessment reports, and proper safeguards for its customers' personal information as required by the GLB Act. Brazos authorized Wright to have access to customers' personal information because Wright needed the information to analyze loan portfolios * * *. Thus, his access to the personal information was within "the nature and scope of [Brazos's] activities." Furthermore, the GLB Act does not prohibit someone from working with sensitive data on a laptop computer in a home office. Despite Guin's persistent argument that any nonpublic personal information stored on a laptop computer should be encrypted, the GLB Act does not contain any such requirement. Accordingly, Guin has not presented any evidence showing that Brazos violated the GLB Act requirements.
• Decision and Remedy The court granted the defendant's motion for summary judgment and dismissed the case. Brazos may have owed Guin a duty of care under the GLB Act, but neither Brazos nor Wright breached that duty. Wright had followed Brazos's written security procedures, which was all that the GLB Act required.
• What If the Facts Were Different? Suppose that Wright had not been a financial analyst and his duties for Brazos had not included reviewing confidential loan data. How might the opinion of the court have been different?
• The Ethical Dimension Do businesses have an ethical duty to use enhanced security measures to protect confidential customer information? Why or why not? Does the fact that Brazos allowed its employees to store customers' unencrypted personal information on a laptop outside the office violate any ethical duty?
Explanation

If W had not been a financial analyst an...
