Question

Brazos Higher Education Service Corporation, Inc., was a nonprofit student loan company. Brazos allowed one of its employees to store customers’ personal financial information on a laptop with an unencrypted hard drive. The laptop was subsequently stolen from the employee’s home during a robbery. Brazos had no way of knowing which customers’ information was contained on the laptop’s hard drive or whether the information would be accessed by a third party. As a precaution, Brazos notified all of its customers that their information may have been accessed by a third party and offered each customer six months of identity-theft monitoring. One customer, Guin, brought suit against Brazos for negligence, claiming that Brazos had failed to adequately protect his financial information, thereby causing Guin harm. Guin’s information was never accessed by a third party, and Guin never suffered identity theft. How might other businesses be affected if Guin’s lawsuit succeeded? Do you think Brazos was wrong to store its customers’ financial information on an unencrypted laptop hard drive? [Stacy Lawton Guin v. Brazos Higher Education Service Corporation, Inc., 2006 U.S. Dist. LEXIS 4846 (2006).]

For each assigned case, analyze the issue based on the following criteria:

e.       Identify the parties involved in the case dispute (who is the plaintiff and who is the defendant).

f.       Identify the facts associated with the case and fact patterns.

g.      Develop the appropriate legal issue(s) in question (i.e., the specific legal issue between the two parties).Provide a judgment on who should win the case - be clear.

h.      Support your decision with an appropriate rule of law.

i.        Be prepared to defend your decision and to objectively evaluate the other points of view.

j.        Purpose

Answer 1

e. Plantiff - Stacy Lawton Guin

Defendant - Brazos Higher Education Service Corporation, Inc.

f. Facts of the case:-

Brazos, a non-profit corporation with headquarters located in Waco, Texas, originates and services student loans. Brazos has approximately 365 employees, including John Wright, who has worked as a financial analyst for the company since November 2003. As a financial analyst for Brazos, Wright analyses loan portfolios for a number of transactions, including purchasing portfolios from other lending organizations and selling bonds financed by student loan interest payments. When Wright is performing asset-liability management for Brazos, he requires loan-level details, including customer personal information, to complete his work. On September 24, 2004, Wright’s home was burglarized and a number of items were stolen, including the laptop computer issued to Wright by Brazos. With the laptop missing, Brazos sought to determine what customer data might have been stored on the hard drive and whether the data was accessible to a third party. Based on internal records, Brazos determined that Wright had received databases containing borrowers’ personal information on seven occasions prior to September 24, 2004. Without the ability to ascertain which specific borrowers might be at risk, Brazos considered whether it should give notice of the theft to all of its customers. In addition to contemplating guidelines recommended by the Federal Trade Commission (“FTC”)1 , Brazos learned that it was required by California law to give notice to its customers residing in that State.  Brazos ultimately decided to send a notification letter (the “Letter”) to all of its approximately 550,000 customers.

Plaintiff Stacy Guin, who acquired a student loan through Brazos in August 2002, received the Letter. On March 2, 2005, Guin commenced this action asserting three claims: (1) breach of contract, (2) breach of fiduciary duty, and (3) negligence. On September 12, 2005, Guin voluntarily dismissed his breach of contract and breach of fiduciary duty claims. Guin brings the remaining negligence claim under Fed. R. Civ. P. 23, on behalf of “all other Brazos customers whose confidential information was inappropriately accessed by a third party . . . .”

g. The legal issue is between the plantiff and defendant is,

Guin alleges that “[Brazos] owe[d] him a duty to secure [his] private personal information and not put it in peril of loss, theft, or tampering,” and “[Brazos’s] delegation or release of [Guin’s] personal information to others over whom it lacked adequate control, supervision or authority was a result of [Brazos’s] negligence . . . .” As a result of such conduct, Guin allegedly “suffered out-of-pocket loss, emotional distress, fear and anxiety, consequential and incidental damages.”

Minnesota courts have defined negligence as the failure to exercise due or reasonable care. Seim v. Garavalia, 306 N.W.2d 806, 810 (Minn. 1981). In order to prevail on a claim for negligence, a plaintiff must prove four elements: (1) the existence of a duty of care, (2) a breach of that duty, (3) an injury, and (4) the breach of the duty was the proximate cause of the injury. In support of its instant Motion, Brazos advances three arguments: (1) Brazos did not breach any duty owed to Guin, (2) Guin did not sustain an injury, and (3) Guin cannot establish proximate cause.

The defendant (Brazos Higher Education Service Corporation, Inc. ) should win the case.

h. and i. As per the law on a claim for negligence, a plaintiff must prove four elements: (1) the existence of a duty of care, (2) a breach of that duty, (3) an injury, and (4) the breach of the duty was the proximate cause of the injury. Elder v. Allstate Ins. Co., 341 F. Supp. 2d 1095, 1099 (D. Minn. 2004), citing Lubbers v. Anderson, 539 N.W.2d 398, 401 (Minn. 1995).

Guin could not prove that,

1) Breach of Duty

The Court concludes that Guin has not presented sufficient evidence from which a fact finder could determine that Brazos failed to comply with the GLB Act. In September 2004, when Wright’s home was burglarized and the laptop was stolen, Brazos had written security policies, current risk assessment reports, and proper safeguards for its customers’ personal information as required by the GLB Act. (Villarrial Aff. Exs. 1, 3-8, 11, 12.) Brazos authorized Wright to have access to customers’ personal information because Wright needed the information to analyze loan portfolios as part of Brazos’s asset-liability management function for other lenders. Thus, his access to the personal information was within “the nature and scope of [Brazos’s] activities.” See 16 C.F.R. § 314.4(a). Furthermore, the GLB Act does not prohibit someone from working with sensitive data on a laptop computer in a home office. Despite Guin’s persistent argument that any nonpublic personal information stored on a laptop computer should be encrypted, the GLB Act does not contain any such requirement.2 Accordingly, Guin has not presented any evidence showing that Brazos violated the GLB Act requirements.

2. Injury

Guin has failed to present evidence that his personal data was targeted or accessed by the individuals who burglarized Wright’s home in September 2004.3 The record shows that Brazos is uncertain whether Guin’s personal information was even on the hard drive of Wright’s laptop computer at the time it was stolen in September 2004. To this date, Guin has experienced no instance of identity theft or any other type of fraud involving his personal information. (Guin Dep. Tr. at 24-26, 31.) In fact, to Brazos’s knowledge, none of its borrowers has been the subject of any type of fraud as a result of the theft of Wright’s laptop computer.  Furthermore, Guin has provided no evidence that his identity has been “transferred, possessed, or used” by a third party with “with the intent to commit, aid, or abet any unlawful activity.” See 18 U.S.C. § 1028(a)(7); Minn. Stat. § 609.527(2). No genuine issue of material fact exists concerning whether Guin has suffered an injury. Accordingly, he cannot sustain a claim for negligence.

3. Causation

The Court concludes that the September 2004 theft of Wright’s laptop from his home was not reasonably foreseeable to Brazos. In Hilligoss, the Minnesota Supreme Court observed that a high crime rate and the commission of similar crimes in a particular area can establish foreseeability of a subsequent criminal attack. 228 N.W.2d at 548. In this case, however, Wright lived in a relatively “safe” neighborhood and took necessary precautions to secure his house from intruders. Wright was unaware of any previous burglaries on his block or in his immediate neighborhood. There is no indication that Wright or Brazos could have possibly foreseen the burglary which took place on September 24, 2004. A reasonable jury could not infer that the burglary caused Guin any alleged injury; such a conclusion would be the result of speculation and conjecture, not a reasonable inference. See Stollenwerk, 2005 WL 2465906 at *7. Guin cannot establish proximate cause in this case and therefore, his negligence claim fails.