Bank sues Google after emailing sensitive data to wrong Gmail account

By on September 22, 2009, 3:11 AM
Interestingly, a Wyoming bank has filed suit against Google after mistakenly emailing sensitive data to the wrong address.

Last month, a customer of the Rocky Mountain Bank asked to be sent loan statements. In doing so, an employee inadvertently sent the email containing the customer's sensitive data to the wrong Gmail account. Attached to the message was personal information on 1,325 individual and business patrons -- including their names, addresses, tax identification or Social Security numbers and loan information.

After recognizing the blooper, the worker sent a second message asking the person to delete the first email without viewing it, and instructed them to respond. When the receiver failed to reply, the bank contacted Google in an attempt to identify the individual. Google refused to comply without court order, and so the Wyoming bank filed suit against the search giant.

Apparently, even if the bank succeeds in obtaining the order, Google's policy is to notify the account holder and allow them the opportunity to object to the disclosure of their identity. While the court mulls things over, the Rocky Mountain Bank filed a motion last week to keep a lid on the case in an attempt to prevent customer panic. A California judge denied this, saying it lacked "compelling reason that overrides the public's common law right of access to court filings."

The fiasco is rather ironic. In one hand, you have a fine example of modern technology impeding on privacy, and in the other is a company flexing its muscle to shield a user's identity. You can read further details about the case here (PDF).




User Comments: 18

Got something to say? Post a comment
Guest said:

Maybe the message went to that person's SPAM box, never to be seen again... or not.

Badfinger said:

1325 accounts? WTF!

Whoever got it, hmmmm interesting dilemma.

Lots of people don't even use some email accounts often or abandon, so there is a reasonable chance this email was never seen.

Whose this fool that did make this idiotic mistake, should be fired.

Always double check email addresses when sending sensitive stuff, common sense!

Google might not even have the name of the person, let alone real contact information.

Staff
Matthew Matthew, TechSpot Staff, said:

Interestingly, a Wyoming bank has filed suit against Google after mistakenly emailing sensitive data to the wrong address.

Read the whole story

Vrmithrax Vrmithrax, TechSpot Paladin, said:

Classic example of modern thinking here in the US today... We screwed up, so you need to fix it, and if you don't we will sue you.

The entire thing is absolutely absurd, and any bank that is using Gmail accounts to handle sensitive bank information is one that should be avoided at ALL costs. My wife worked in the operations center of a bank, and there are massively strict guidelines about never EVER divulging any account information to a system outside of the bank's internal communications system. So, if they let it happen, the person(s) responsible should be summarily dismissed, and the victims of this idiocy notified so they can take appropriate action to protect their credit record. And any costs incurred in such protection should be covered by the bank.

But, of course, that's if we lived in a world where people were actually responsible for their actions. Much better to sue the company who's only involvement in this was that they happened to have the email system the ***** at the bank used, and who's only "crime" is that they are just following their previously disclosed privacy policies.

LightHeart said:

Of course the bank employee made a few mistakes, not verifying the email address, sending a large amount of data containing customer info, not encrypting the attachement or using a secure method to send it. I can see Google trying to protect the identity of the account however given the circumstances it seems Google could help more rather than turning a blind eye.

nazartp said:

I can see Google being afraid of a massive fallout if they divulge personal information without the court order. On the other hand I agree with LightHeart that they can help - do not give the information to the bank, but act as an intermediary and contact the account holder in question.

Punkid said:

its the banks fault i dont get it why they sued google...u cant jst call google and say HEY i want my email deleted blablabla

Guest said:

Quite simply bank personnel should not be emailing production customer data to anyone outside the bank's network. There's no excuse for sending sensitive customer data to any Gmail account, period. How there is no legal action against the bank, I don't understand. They broke the law.

Vrmithrax Vrmithrax, TechSpot Paladin, said:

LightHeart said:

Of course the bank employee made a few mistakes, not verifying the email address, sending a large amount of data containing customer info, not encrypting the attachement or using a secure method to send it. I can see Google trying to protect the identity of the account however given the circumstances it seems Google could help more rather than turning a blind eye.

They don't bend, because this is a very slippery slope in the modern "if it moves, sue it!" environment. Making a single exception, even for good reasons like in this case, sets a bad precedent and can open up the floodgates of requests for user information. The Google lawyers know this, and that is why they are sticking to their absolute documented account agreements, which every gmail user acknowledges (and assumes is true) when signing up. To break their own contract with a single user would open them up for frivolous lawsuit after lawsuit, with each claiming "well, you made an exception for them, why not me?" The end result could very well be either Google buckling financially under a massive legal debt, or them being forced to buckle and make Gmail a useless mail system that is no more private and secure than posting something on your myspace page, or just shouting it out for the world to hear.

pgbsamurai said:

Ok, first off, why is information on over a thousand accounts being sent to a single account holder? Second, why is it being sent through an UNSECURED medium like email? This is in no way Google's fault. They are not being uncooperative. They are following their privacy contract. They did not flat out refuse to help. They simply stated that they could not give out the information the bank requested without a court order. This protects Google, Gmail users, and provides the bank in question with better evidence if a legal case needs to be brought to court. My question now is, how many hackers have set up sniffers on this bank's email system to see if they can catch outgoing account info?

Guest said:

Rocky mountain bank - Wyoming employs a bunch of ******. The market pres came from a now failed bank, the folks behind operations don't know how to open an account, the vp of talent should have been fired along time ago, and the entire bank itself has zero integrity. They've let this breech go for over 6 weeks and did nothing to help those that are at risk. That is crap! Waste money and sue google but not take action and limit the risk to your customer? Are you kidding me?

maestromasada said:

I have received a forwarded e-mail from the mentioned Bank but only with 1324 addresses on it, could it be that one?? Maybe the person who sent me the e-mail delete themselves from the list before forwarding. Please advise if you request a copy.

red1776 red1776, Omnipotent Ruler of the Universe, said:

Vrmithrax said:

Classic example of modern thinking here in the US today... We screwed up, so you need to fix it, and if you don't we will sue you.

The entire thing is absolutely absurd, and any bank that is using Gmail accounts to handle sensitive bank information is one that should be avoided at ALL costs. My wife worked in the operations center of a bank, and there are massively strict guidelines about never EVER divulging any account information to a system outside of the bank's internal communications system. So, if they let it happen, the person(s) responsible should be summarily dismissed, and the victims of this idiocy notified so they can take appropriate action to protect their credit record. And any costs incurred in such protection should be covered by the bank.

But, of course, that's if we lived in a world where people were actually responsible for their actions. Much better to sue the company who's only involvement in this was that they happened to have the email system the ***** at the bank used, and who's only "crime" is that they are just following their previously disclosed privacy policies.

I don't think it could be stated any better than this.

TJGeezer said:

pgbsamurai got it right: "...why is information on over a thousand accounts being sent to a single account holder? Second, why is it being sent through an UNSECURED medium like email? This is in no way Google's fault. They are not being uncooperative. They are following their privacy contract."

I'll add that the lawsuit smells to me like a CYA attempt by the bank. They are SO culpable in so many ways, by rights every one of their customers should be grabbing anything left in their accounts and running for the doors.

The only way this story makes sense is if disclosing the information to an outsider was either malicious or incredibly incompetent, and the managers, when advised of it, curled into fetal positions and hoped it would go away. Now they're announcing "We are TOO doing something about it!" and blaming Google, whose legally binding policies forbid disclosure without a court order.

If the bank had any case at all, that court order would not be hard to get. Google all but invited them to go get one. So there is some other agenda working here. There has to be.

raybay said:

Mostly a covery your butt exercise, I suspect.

Punkid said:

Ok, first off, why is information on over a thousand accounts being sent to a single account holder? Second, why is it being sent through an UNSECURED medium like email? This is in no way Google's fault. They are not being uncooperative. They are following their privacy contract. They did not flat out refuse to help. They simply stated that they could not give out the information the bank requested without a court order. This protects Google, Gmail users, and provides the bank in question with better evidence if a legal case needs to be brought to court. My question now is, how many hackers have set up sniffers on this bank's email system to see if they can catch outgoing account info?

well said mate

Guest said:

its an honest mistake.

T77 T77 said:

the bank is at fault,sending sensitive info through email and to the wrong person.

i don't think google is at fault

Load all comments...

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.