Bank Sends Confidential Email To Wrong Address, Hauls Google To Court To Figure Out Who Got The Email
from the grab-some-popcorn dept
Everyone does it at some point: you send an email to the wrong person. Hopefully the content isn't that bad or important -- but it happens. However, when a Wyoming bank, Rocky Mountain Bank, accidentally sent confidential and sensitive information to the wrong Gmail account, the bank ended up taking Google to court to find out the identity of the individual. The bank had tried emailing the wrong address again, but got no response. Google, naturally, refused to just give up the name of the person without a court order -- so the bank went to court. It also tried to have the case sealed, but the judge has rejected that idea. You can certainly understand the bank's concern here, but it does seem a bit silly to have to bring someone else to court after you screwed up and sent the wrong email.
Filed Under: bank, email, identity, privacy, security
Companies: google, rocky mountain bank
Reader Comments
WTF?
Also, let's say that there was a blogger who was critical of a corporation. Could they just 'accidentally' send a sensitive email and then demand his identity?
[ link to this | view in chronology ]
Re: WTF?
[ link to this | view in chronology ]
Ok, serious question for you Mike: How else would they find out who received the email?
Google, rightfully so, doesn't want to give the info without a court order, and the bank, rightfully so, has to cover its ass(ets) and get the information.
What other course of action does the bank have?
This, for once, seems like a legit (pardon the pun) reason for using the court system.
--GJ--
[ link to this | view in chronology ]
Re:
Once they have the identity, then what? The bank still has to fix the problem. Possibly the bank is hoping the recipient did not read the email and then they do not have to do anything. Is it possible to demonstrate whether an email was read or not?
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
See: Uniform Trade Secrets Act, Section 1, Clause 2.
[ link to this | view in chronology ]
Re: Re: Re:
Forgetting for a moment that those are stupid laws (that fly in the face of the whole concept of the patent process) which are dubious at best in this case, IT DOES NOT MATTER whom the bank sent the info to, and EVEN LESS what may be lawfully done with it. They have to assume it's already compromised. I shudder to think that they're hoping to somehow get the email back.
[ link to this | view in chronology ]
Re: Re: Re: Re:
Sure, that's what the second email was asking for... "We accidentally emailed you a file intended for someone else. Would you please be kind enough to email it back to us so we can send it to the correct person?"
[ link to this | view in chronology ]
You think that's bad
[ link to this | view in chronology ]
Tricare dealt with this
So to cover their asses, RMB just had to notify the originally intended recipient; possibly offer some sort of ID theft recovery as well. There. End of story. No lawsuits are needed.
"But DJ, that would require the bank to admit guilt!"
Uhh..yeah. And?
[ link to this | view in chronology ]
Disclaimer:
By sending an email to any of my addresses you are agreeing that:
1. I am by definition, "the intended recipient"
2. All information in the email is mine to do with as I see fit and make such financial profit, political mileage, or good joke as it lends itself to.
3. I may take the contents as representing the views of your company.
4. This overrides any disclaimer or statement of confidentiality that may be included on your message.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
By sending an email to any of my addresses, or any lists that I am subscribed to, you are agreeing that:
1. I am by definition, "the intended recipient"
2. All information in the email is mine to do with as I see fit and make such financial profit, political mileage, or good joke as it lends itself to. In particular, I may quote it ruthlessly.
3. I may take the contents as representing the views of your company.
4. This overrides any disclaimer or statement of confidentiality that may be included on your message.
5. Even if you only see this legal notice once, it still applies to all our communications.
6. Unless the email is both signed and encrypted via PGP, with public/private key pairs that can only be attributed to two distinct owners, the real sender and recipient can never be determined with any certainty. All legal representations about any plain-text email are thus null and void, including this one.
7. All hate mail will automatically be forwarded to please.arrest.me@fbi.gov
Loosely derived from:
http://discuss.joelonsoftware.com/default.asp?biz.5.588844.18
To all Banks, everywhere: if the message isn't PGP encrypted using the intended recipients' Public Key(s), you can't be sure they will be the only readers. EMAIL IS NOT A MEDIUM FOR SENSITIVE INFORMATION, EVER. Email a link to an HTTPS/SSL encrypted site, and require secure authentication. You can't fix a breach afterwards, especially if you committed the breach.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
If I make a mistake someone else has to pay. That pretty much sums up the American legal system in a nutshell.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
AC2 -> "You know the bank isn't suing Google for monetary damages right?"
AC1 -> "Never said they were. Stop putting words in my mouth."
[ link to this | view in chronology ]
Re: Re: Re: Re:
Pay can have more than one meaning.
"11. to suffer in retribution; undergo: You'll pay the penalty for your stubbornness! "
http://dictionary.reference.com/browse/pay?r=75
Given the context that should have been the meaning you chose.
There, I hope this helps you in the future, now go forth and read with better reading comprehension.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
"17. to suffer or be punished for something: The murderer paid with his life. "
http://dictionary.reference.com/browse/pay?r=75
There, are you happy? Do you not know that words can have more than one meaning in English? I know this is true in other languages too, so I won't buy the excuse that English is your third language either. In many languages one has to interpret the meaning of certain words based on the context. What, are you really that illiterate or something?
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Though it's more likely they are than not, there is still the chance that they are not a US citizen and therefore not beholden to the Uniform Trade Secrets Act.
Not only that but if they are a citizen of the EU or AU/NZ then Privacy laws are absolute and the bank has no actionable way to even do anything to the individual who could for example place the whole email onto Wikileaks.
The Bank is liable and has a duty of care to its customers to assume that the data is now fully publicly available and to take all measures to secure further emails (encryption etc) to allay any fears that the customers have. The customers themselves have cause though to make a claim for negligence on the bank. That is most likely the real reason why the bank wanted the records sealed.
[ link to this | view in chronology ]
Re:
I completely agree, but again, in America if I make a mistake someone else has to pay. That's the mentality that our legal system has encouraged and that's why all these entities hold such a mentality.
[ link to this | view in chronology ]
Re: Re:
pay what? how much?
I thought the case was not about money
[ link to this | view in chronology ]
Re: Re: Re:
Given the context, payment wasn't referring to paying money directly. It's referring to the privacy that the e-mail address owner gives up as a result of the bank's mistakes. Other people have to suffer (pay) for the mistakes that the bank makes. The COST of the bank's mistakes is our privacy.
[ link to this | view in chronology ]
Re: Re: Re: Re:
Because in America if I make a mistake someone else has to pay. That's basically what the laws in this country encourage and so entities have acquired this mentality.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
sp/against his/her for a mistake the bank made,/against his/her will for a mistake the bank made,
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re:
Everyone?
That is quite an assumption. It only takes one person who didn't think that in order to make the statement incorrect.
btw, I did not assume it went to any particular country
[ link to this | view in chronology ]
OK you want my identity...here it is..and to prove this isn't just a joke...here's the entire email posted in plain text!
If I was the bank, I'd have sort of fessed up...asked google to contact the recipient without telling me who they were and then offered some sort of "reward" for the person contacting the bank to help them sort the problem out.
Obviously whatever has been lost goes way beyond a few bank account numbers or SN's, because the banks losing this type of stuff has become a regular running weekly joke (and they simply don't seem to care if it's 1 account lost or 1,000,000), so I'm guessing it's either a celebrity's embarrassing credit card statement or belongs to someone with real power that can do the bank A LOT of harm.
Or possibly something to do with the stealing money from the recent bailout (but banks would never do that sort of thing surely?) :)
[ link to this | view in chronology ]
What if the accident part is bank management discovering that the information was sent out and the rest is a cover up of a theft of sensitive information that can and will be used?
[ link to this | view in chronology ]
Missing the point
They have a much larger problem to worry about than finding the recipient of this information. They should be worrying about the hundreds of other emails full of sensitive information that could have been easily intercepted.
[ link to this | view in chronology ]
+1 for Google
BTW - This would make for a great phishing scam. Spam emails, then get the mail server host to release the names of all recipients.
[ link to this | view in chronology ]
What then?
Knock on his door and force him to delete the email? Have the police follow him around to make sure he doesn't do anything with the info?
Assuming of course there's anything more than an IP address of the login to that gmail account. When I signed up to gmail, the only thing I remember inputting was another email address in case I forgot my password.
[ link to this | view in chronology ]
I guess the bank's gonna have to pony up for 'ID protection' or change account numbers, etc to attempt to reduce liability.
If I would have gotten it, I really would just delete it - but who's to say what someone else might do if they get mine?
[ link to this | view in chronology ]
Very questionable
[ link to this | view in chronology ]
pls give out my ID...
[ link to this | view in chronology ]
I hate to say it but...
Email companies should be fighting to protect the privacy of their customers, not revealing it at the drop of a hat. Sure, maybe if there were legal cause I could maybe see it in some very rare cases, but generally speaking, when people want private email communications they should be guaranteed the privacy they were promised by the email service so they don't have their account compromised by advertisers, hackers, identity thieves or by the government or courts snooping in on one's private conversations and data.
Although, the concept that Gmail could be considered a "private email" service is kind of a ridiculous thought to begin with. They regularly harvest users' information for advertising and don't provide much of a defense from spam, scams, and identity thieves.
I use PrivacyHarbor.com to avoid these sorts of issues altogether. They don't share your private information with anyone and don't mine your data for advertising. I also never get spam or people phishing to get my private data. It's a great service compared to what Gmail has to offer.
[ link to this | view in chronology ]
reply all
[ link to this | view in chronology ]