Google ordered to disable email account after bank sues

By on September 29, 2009, 6:00 AM
Update (September 29th): It is expected that the lawsuit brought by Rocky Mountain Bank against Google will be 'vacated' soon after both companies reached an undisclosed agreement. As a result the Gmail account holder should regain access to his inbox as soon as Oct. 5th, after being locked down since last week in compliance with a judge's order.

Original story: A federal judge has ordered Google to deactivate the email account of a user who was mistakenly sent sensitive financial data. Last month, The Rocky Mountain Bank emailed names, addresses, tax identification/Social Security numbers and loan information of over 1,300 individuals to the wrong Gmail address.

The bank contacted the unintended recipient, instructing the person to delete the private information without opening it, and asked them to reply. When the receiver failed to respond, the bank panicked, and requested that Google reveal the user's identity. Doing so would be a direct violation of Google's privacy policy, so the search giant refused to comply without court order, and the bank quickly filed suit.

US District Court Judge James Ware has ordered Google to disable the account, and disclose the holder's identity and contact information. Some lawyers believe the move treads on the account holder's First Amendment rights to communicate online, as well as his or her privacy -- after all, the user hasn't done anything wrong.

I have not seen any mention of how active the email account is, so it may be totally unused -- which would explain why nobody replied to the bank. On the flip side, what if it is active, or even heavily relied upon for business purposes? There is no telling what ramifications may unfold.




User Comments: 24

Got something to say? Post a comment
Wendig0 Wendig0, TechSpot Paladin, said:

Either way Google played it safe and did the right thing by standing by their privacy policy. Hopefully it works out for all parties though.

Guest said:

Over 1,300 Emails were sent to the wrong Gmail address just in one month alone?

All those customers should be suing Rocky Mountain Bank in the first place.

Staff
Matthew Matthew, TechSpot Staff, said:

No, the personal information of over 1,300 individuals had been sent in one email, to a single address (in an attachment, supposedly). See the original article here for more info: [link]

Reloader2 said:

I can't see what google did wrong. Giving the details to the bank would be a violation of their privacy policy.

Dampflok said:

If it had come to me and if I was dishonest,, I would have made sure that I had copied the data to a memory stick and then deleted the mail and deleted then permanently deleted the deleted mail. The details could then have been sold on. I'd probably get caught tho., one way or the other.

Guest said:

Why didn't Google just delete message from the server. They could have easily just went into the customer's email account and removed the message.

mailpup mailpup said:

Maybe they could have but that's probably not what the judge ordered. Google had to do what the judge ordered.

HaMsTeYr HaMsTeYr said:

Its the bank's mess up in the first place, google did nothing wrong >.>

Alex Atkin UK said:

I am more worried that people are e-mailing this sort of information in the first place.

The fact they panicked kinda implied it was not encrypted and with the nature of e-mail, who knows who else could have listened in and stolen the attachment.

maestromasada said:

First of all the user should sue the bank for attempting to close his/her account without a solid reason, after all the user has done nothing wrong whatsoever.

Secondly, Google should also sue the bank for impossing his arrogance a forcing google to attempt to close an account

Thirdly, the 1300 people of flesh and bones affeccted should sue the bank for not taking care at all of the information they held, why didn't they encrypt the mail, or why the hello did they send it 1300 to an address hosted by google? what's the need of that??

And fourthly, what happens if the worker at the bank is the same person who received the e-mail?? Maybe he send it to himself by mistake, thinking it was the address to send from, and not to.

In that case, he should sue himself as well.

Guest said:

Oh my god. This is the most retarded thing I've ever heard.

Okay, retarded bank, first of all it's your fault for sending your stuff to the wrong person, not Google's.

Second, if it's important that unauthorized parties do not read it, why the hell wasn't it encrypted?

Third, how naive can you be? If whoever you sent it to was malicious, obviously they are just going to save a copy for themselves, delete it off gmail, and reply letting you know they deleted it, you morons.

Fourth, since you got no reply, either;

A) Nobody uses that account

B) The message was sent to the spam folder

C) Whoever uses the account deleted the message without reading it

D) Whoever uses the account doesn't speak English and has no clue what you said to them

Fifth, you should be sued for making such a huge ****-up. Sued until you go bankrupt.

Sixth, by the time this order goes through court, whoever uses the account (if anyone) will have already had enough time to save the email you dipshit, so what the hell do you want to ban his account for?

TJGeezer said:

@Guest said it all. To sum up, the bank is run by security illiterates and any institution so careless with its customers' confidential information should be shut down until reasonably internet-literate managers can take over. Every account number compromised needs to be changed or frozen pending customers coming in with suitable ID to move their assets to some other, safer bank.

Guest said:

"I am more worried that people are e-mailing this sort of information in the first place."

THANK YOU. That is the question here. Why was customer information sent to an external Gmail account? The question is not, "why did they send to the wrong Gmail account?", but "Why did they send to Gmail?"

In the rare case that I am asked to handle data for my fellow employees, I am SUPER EXTRA CAREFUL that the data never touches any form of personal account or storage medium. It stays strictly on corporate hardware and accounts.

That modern bank employees could be so naive points to a grotesque failure in security policy at the bank.

JudaZ said:

My question is also why does the account/computer, that have access to this finacial data also access to gmail (or internet at all for that matter).

This should not be allowed in the first place. You are at work for doing your job, not updating your twitter or facebook. Your job hardly inludes using gmail if you work at a bank.

its basic Security 101. Unfortunally i know this is common at hospitals as well...people workin on senitive, personal information in one program...and updating ther myspace profile at the same time in another.

These things should always be seperated. Sure there can be a need for an employer to reach the internet , but not on the same system the important data is stored.

Guest said:

It is my understanding that judges are there to uphold the law ...not create it. The fact that a "court judge" has opted to force Google into surrendering all of that personal and private information is a direct first amendmend rights violation. The bank should be the one getting their "pee pees" slapped not Google. Where are the fines and "jail time"for the bank that allowed such a screw up as this. Google should just be able to prove that the e-mail has been removed from their system. Whoever received this info could have done anything they wanted with it. I agree with what was stated earlier.....Google should have just checked the account to see if their is indeed activity before having to surrender any information. Wouldn't it be great if it was your google e-mail address that received this info at which time you were sunbathing somewhere on a beautiful beach suirrounded by half clothed beautiful women when all of a suddun your jumped by the men in black"" (lol) and then thrown into a black room with a big light shining on you and then questioned about information you know nothing about? Come on......The law is so scewered and twisted that anyone with a little clout can manipulate it. I wonder what the bank offered the judge to overlook the basic rights of the one in question.

anguis said:

Google better appeal this. Where is the defense attorney for the email account holder? He is not equally represented. The judge's decision should be overturned upon appeal.

Darth Shiv Darth Shiv said:

Guest said:

Why didn't Google just delete message from the server. They could have easily just went into the customer's email account and removed the message.

Because it is not in their delivery policy. Who would use an email service that has a policy "We reserve the right to delete any email from your inbox".

And let's not forget that the bank committed how many security faux pas? Multiple account details, unencrypted, to a public email service, via email. I mean that is pathetic. The bank should be 100% liable for any security breach and the judge should have thrown them out.

Guest said:

yep, that judge is an absolute *****...

T77 T77 said:

thats quite unfair.thats a kind of a punishment given to a person who has nothing to do with all this.

Vrmithrax Vrmithrax, TechSpot Paladin, said:

The judge is obviously trying to protect those 1300 innocent people, who's only wrongdoing was to choose a bank run by complete ******... But still, that does not excuse the judge from tramping all over privacy rights and trying to create precedents that would have massively negative ramifications on the entire internet privacy world... And I'm sure it will become some huge knock-down drag-out legal battle very quickly.

I think Google should turn around and counter-sue the bank in a class action suit on behalf of the customers who had their information wrongly emailed outside of the bank. I'm sure they could find a way to make the bank actually take responsibility for their actions. They could at least sue for negligence, violation of privacy acts, or just being stupid without a license maybe.

xempler said:

Encryption

Encryption, Encryption, Encryption.

Any email sent out is to be considered open to prying eyes...no email is safe. So why didn't the bank encrypt such sensitive information before sending it out?

The employee or manager or both are both incompetent and have no clue about technology. They need to take another look at their protocols because if I was their customer I'd sue them and then close my account immediately.

Guest said:

I had a doubtful pleasure to work with one the the UK's biggest consumer banks. They were running a mailing campaign which involved sending us the list of their customers. The list included a lot of sensitive details and the way this bank's security personnel initially proposed to send the data went a bit like this:

- we'll send the password protected spreadsheet in one email and the password (which was going to be different every time) in another email - for security reasons.

I must say that the idiocy of this bank's security person has almost knocked me unconscious.. I've refused to work with security illiterate people..

For some reason the biggest IT morons happen to work in banks... I'm not saying that there are no smart people there. I just haven't come across many of them..

RebelFlag said:

@Judaz-- The fact that the email was sent to a gmail account does not mean that the computer it was sent from was connected to the internet. The bank could have been using outlook through an exchange server, and sent to the gmail address. Yes, the bank should not be sending confidential information unencrypted, especially to an offsite unsecure email account. Yes, the bank is being operated by the technologicly illiterate, but no, the computer did not have to have internet access to send the email.

greyd said:

absolutely absurd

Load all comments...

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.