Goldman Sachs Asks Court To Have Google Delete An Email With Client Info; Google Blocks Access To The Email
from the this-again dept
Five years ago, we wrote a story about how Rocky Mountain Bank in Wyoming accidentally sent a bunch of confidential information to the wrong Gmail account, then took Google to court to try to find out who received the email. Google demanded a court order first, leading a judge to (ridiculously) order the company to shut down the entire email account. It appears that something somewhat similar may have just happened with a more recognizable bank name: Wall Street giant Goldman Sachs went to court recently to have Google delete an errant email containing confidential client information. According to the filing (which most news sites haven't posted, for reasons unknown):
> On June 23, 2014, an employee of the consulting firm was testing changes to Goldman Sachs’s internal reporting and validation process. The employee intended to send a copy of the internal report to the email address provided to her by Goldman Sachs, which is in the form “[first name].[last name]@gs.com,” but instead mistakenly sent a copy of the internal report to an address in the form “[first name].[last name]@gmail.com.” She is not the owner of the gmail address.
> The mistakenly sent email contains certain account and client related information (the “Confidential Client Information”). Goldman Sachs’s clients have a right to maintain the confidentiality of the Confidential Client Information. Furthermore, Goldman Sachs has an obligation to protect the privacy of its customers’ confidential information.
> Goldman Sachs has made efforts to retrieve, have deleted or otherwise protect the mistakenly sent Confidential Client Information. As part of those efforts, on June 26, 2014, Goldman Sachs sent an email to the gmail address to which the information was mistakenly sent requesting that it be promptly deleted and that the recipient confirm in writing that s/he had done so. There has been no response.
Goldman also contacted Google directly, and as in the Rocky Mountain case, Google told Goldman to go to court first. Late yesterday, Goldman Sachs noted that Google has told the company that it has blocked access to that particular email and that the email in question had not yet been accessed by anyone. It appears that Google did this despite the lack of a court order, which may seem a bit questionable. Given the nature of the situation, and the fact that Goldman has actually gone to court and requested this, it does seem a bit more reasonable that Google agreed to at least temporarily block access to that particular email until a court decides if it needs to continue blocking it permanently.
Filed Under: confidential info, court order, email, gmail
Companies: goldman sachs, google
Reader Comments
Think about it for a minute...
If Google sees that this is a dead account, and GS has already gone to court, there's no real harm done here. Yes, we'd prefer that Google fought to the last ounce of blood; yes, this worries us about what Google might do if it were a LIVE account. However, at its heart there's nothing wrong with Google looking at the situation and acting reasonably about it; it's what I'd recommend were I advising them.
Re: Think about it for a minute...
I'd prefer that Google not mess with my email regardless of how long it has been since I last accessed it.
How specifically would you define a "live" account? Is there a cut-off date in the Gmail TOS that I have not noticed that makes my inactivity indicate that I don't care if they stop me from accessing email sent to me?
Now, this is Google, and it is their service, and they have the right to do things like this (their TOS lets them prevent you from accessing anything they want), but it is bad form for a service provider.
Re: Re: Think about it for a minute...
It's just a matter of time before our government starts "accidentally" sending messages to people they don't like, and then requesting that Google freeze or otherwise go through their email boxes and block the emails that they "accidentally" sent for "reasons".
How long before this becomes such a huge problem that the government simply seeks the power to do this on their own?
Re: Re: Re: Think about it for a minute...
Now, if they wanted to implement an "email recall" that actually worked and give people the ability to cancel an email that has not yet been read - great. This would be a nice feature for email, but doing one-offs like this for a big company is sketchy.
Re: Re: Re: Re: Re: Re: Think about it for a minute...
Not if you are also paranoid of getting hit by lightning.
Paranoia of being hit by lightning is every bit as sound and reasonable as being paranoid of NSA (and foreign) spying, corporate spying, corporate power and government corruption.
Re: Re: Re: Re: Think about it for a minute...
It used to be that those who seemed a little paranoid were the ones to consider as crazy.
The world has changed. Now the people who say "it seems a little paranoid" are the crazy ones in denial of reality.
The ongoing revelations of reality far and vastly exceeded even the most wild paranoid ravings prior to about 14 months ago.
No offense intended, just sayin'
Re: Think about it for a minute...
Google has been haled into court, and they must pay their attorneys. Those attorneys might have been occupied in other matters if they were not spending time on this Goldman Sachs affair.
Google has been damaged.
Perhaps they had to fly one of their attorneys across the country to appear. Should Google have to pay that airfare? Google did no wrong. Goldman Sachs should pay that money.
Confidential Paragraph
Wouldn't it be along the lines of not having to pay for items delivered to you that you never requested? It's yours and you can do with it what you want.
Re:
Step 1 - don't ask for advice on how to commit a crime on a public website.
Step 2 - If you fail to perform step 1, by all means, do not mention that you have a Russian name, or that the institution you plan on blackmailing is a Dominican bank.
Step 3 - do not mention that you already notified the bank multiple times regarding their error.
Step 4 - If you've failed to perform steps 1, 2, and 3 - After sending your blackmail notice, please walk into your nearest law enforcement office and turn yourself in. You have no hope of getting away.
Re:
;)
Goldman Sucks
2. confidential information was sent via _un_ encrypted email to an unverified account
3. they take the mail provider to court
4. ?
5. Profit
Recklessness
It's widely known that internet email transmission occurs hop-by-hop, over channels and through servers which are controlled by neither sender nor recipient. The vulnerability of email to eavesdropping has been well-discussed.
PGP was initially released in 1991, and other products with similar capabilities have been available for years. Thus, failure to use those encryption products cannot be attributed to lack of available software.
Sending highly confidential information over internet email without encryption is reckless.
Re: Recklessness
2) Most medium/large (and small) organisations have their own, internal, email servers, such that if an employee sends an email to another employee, that email never leaves the departmental network to go over 'the internet', therefore doesn't need encryption.
3) In most large organisations that are multi-site (e.g. banks with many remote branches etc), or that closely deal with other organisations interchanging sensitive data (e.g. government departments communicating with other government departments), there are internal routing policies that send, say, emails destined for particular endpoints to hardware VPN routers, that have encrypted secure VPNs to the other organisation/office, therefore the data is fully encrypted before it leaves the organisation, sends it across the internet fully encrypted, till it hits the destination organisation/office, which routes it to its own internal hardware VPN encrypting service based on the source, then decrypts it before putting it into the recipient's mailbox. All fully/highly encrypted, all transparent to the end-users.
4) There is no protecting against a stupid f*ckup by an obviously incompetent moron who manages to bypass all that encryption by sending it to gmail which would not be in the "forward to encrypting VPN service to use secure tunnel to other office" routing rules.
This f*ckup shows that no matter how you try to insulate the 'dumb average' user from the complexities of technology (in this case encryption) by putting in transparent encryption systems, in the end if you want a (relatively) secure system, you shouldn't be insulating the user and relying on transparent VPN'ing, you should be teaching them how to encrypt their emails 'manually', thus teaching them to always manually encrypt any email they think is sensitive (but then you've gotta train them on identifying what is sensitive too!), or any email they aren't sure whether it's sensitive or not, before sending. Thus if it's sent to the right place it gets a 2nd level of encryption via the VPN, or if it's sent to the wrong place then at least the recipient can't open it due to the manual encryption.
But as we all know, the average user is either too f*king stupid (about 30% of the users out there) or too f*king lazy (about 68% of the users out there) to learn and do this.
Re: Re: Recklessness
Not so.
Note paragraphs 1 and 7 of the complaint embedded above.
From para 1: From para 7:
There's a significant difference between a regular Goldman Sachs employee compared with an employee of a consulting firm employed by Goldman Sachs. The complaint does not allege that an internal employee was following internal procedures for internal mail. Rather, an outside consultant would normally be expected to use external procedures.
What precedent does this set?
First corporations will demand a direct, automated access to un-send emails sent by anyone whose email address they know of.
Because of the controversy this will create, the EU will pass a law recognizing a basic human right to un-send emails.
The French and/or maybe Germans will pass a law requiring Google by force of law to make people be able to un-read and un-remember emails they already read. Legislators and Judges will think this is all quite reasonable.
After all, it's Google's email service, they will argue. (The French won't even bother with the pretense of an argument -- it will be to preserve French culture.)
If you think this sounds crazy, you haven't been following along here for the last decade.
Re: What precedent does this set?
No. Don't be ridiculous. This special favor is only available to corporations with over a billion dollars. Maybe even ten billion dollars. A hundred billion? Somewhere in there. At any rate, it's an exclusive club.
Not kidding. That's how the world works.
Re: Re: What precedent does this set?
> Not kidding. That's how the world works.
Sorry to disagree, but you're wrong. Very wrong.
This special favor is only available to ANYONE who can find a judge crazy enough to give them the force of law to make Google un-send emails, or get Google to make other people un-read and un-remember the emails already read.
Not kidding. That's how the world works.
Yes, really. Conformity to reality not required. Just ask copyright holders. Look at the outrageous DMCA which now seems reasonable compared to SOPA.
An ID-10-T error if I've ever seen one....
2 - Would GS expect to be able to call the USPS and say "ummm, we mailed a statement to the wrong user, will you make sure it isn't delivered for us?"
3 - you don't "test" with live client data!!
4 - email should NEVER be assumed to be secure during transit unless you fully encrypt it
5 - you don't "test" with live client data!!!
6 - Once you've sent it to the wrong address, YOU sent it to the wrong address.
7 - see steps 1, 3 and 5!!!!
I don't have much of a problem with this.
The account wasn't shut down.
Google required a court order
Only a specific message FROM THE BANK was checked and deleted.
The Bank did not get any information about the account holder, other emails, etc.
Were I to receive a court order to do this on my mail server, I would take similar actions.
And if you're wondering about Google looking at your e-mails, then maybe you better use something else. If you don't trust your email administrator (local or hosted), you get another one.
Re: I don't have much of a problem with this.
But I do have a problem with the precedent it sets.
Where this will lead, and where it ends up is not a good place.
Re: Re: Re: I don't have much of a problem with this.
How much compensation should the court order Goldman Sachs to pay Google for the service?
Bear in mind that Goldman Sachs did not take the measures which were within their control to encrypt the email. If Goldman Sachs had not been so reckless, the action by Google would have been unnecessary.
How much should Goldman Sachs pay Google for salvaging their reckless course?
Re: I don't have much of a problem with this.
If the bank is legally required to ensure that the information is only accessed by the intended recipient, then why isn't the bank routinely taking reasonable measures within their control? Why isn't the bank routinely encrypting email so that it can only be read by the intended recipient?
Alternatively, if the bank doesn't have a real duty sufficient to require encryption, then they don't have a real duty.
The bank is capable of encrypting email so that only the recipient can read it. It's not a lack of capability. The bank is in control of whether they choose to take reasonable measures on a routine basis or not.
Re: Re: I don't have much of a problem with this.
What happens when a bank demands that their clients set up to receive encrypted emails, and provide them with the necessary keys, and use the bank's key to send emails to the bank? Note the more senior a person is in a company the more resistant they are to any inconveniences in their secretaries' use of technology.
Re: Re: I don't have much of a problem with this.
Anyhow, I was going to ask: What if this was physical mail? Would you be OK with USPS coming back to your house, opening your mailbox, and removing mail that was addressed to you just because some corporation realized after-the-fact, that they didn't want to send it?
What you're suggesting is insane - that corporations can decide AFTER THEY'VE SENT SOMETHING, that they made a mistake and can take it back by going crying to a judge and asking for some order forcing an unbiased 3rd party to interject and create distrust with their customers.
It sounds like for you, a "court order" is good enough to not ask questions, and I guess that's your opinion, but this sets some seriously bad precedent.
Re: Re: Re: I don't have much of a problem with this.
You are also forgetting that the USPS effectively owns your mailbox. So there's nothing preventing them from doing something like that even without a court order (doubtful it would be effective, since you probably pick up your mail long before a court order would get through). And once you get your mail out of the mailbox, it's out of the USPS hands. So, basically, it's possible a court COULD order that, but it's more unlikely to be effective.
Re: Re: Re: I don't have much of a problem with this.
The document embedded at the top, though, is not a court order.
It is a summons, demanding that a corporation headquartered in California appear in a court in New York.
Do the airlines give away free airfare? If one of Google's attorneys, meaning to fly from California to New York, mistakenly buys a ticket to Miami, and gets on the plane, and then gets somewhere over flyover country before realizing his mistake... is the airline on the hook to turn the plane around, or divert it?
Surely the airline is not kidnapping the confused passenger. The airline would not be at fault.
Who pays?
Re: Re: Re: I don't have much of a problem with this.
There's no question that a physical letter is tangible, movable property. If someone wrongfully has possession of that chattel, then that specific item may be recovered.
But Goldman Sachs presumably does not want to recover the actual electrons or photons that were sent. Even if they did, those electrons or photons are not physically distinguishable.
Goldman Sachs has no rightful claim to the physical disks or other tangible media which stores the intangible information.
Re: Re: I don't have much of a problem with this.
Not answering your question (I didn't make the assertion), but on a related note...
I understand that New York has NOT enacted the Uniform Trade Secret Act (UTSA).
Once delivered, the courts are impotent.
However, if you want to assert that right you may need a mail client that downloads to your local system.
And, of course, you would need to receive it in the first place. Which is why Google even enters the picture; the mail wasn't delivered (accessed) yet.
And re the Dominican bank emails, talking to the bank more than once is obviously the wrong thing. Well, naming the bank publicly and then emailing them to point to said public naming might get a response. Also, notifying the "correct recipient" of the bank's error might get a response from the bank once said customer raises a stink. Of course, notifying the bank in Google-translated Spanish is also a possibility. Their CS people might just be monolingual to enhance account security!
Ahhh... as expected, toward the end, some weasel words from Mike. If this had been anyone else but the Googlez, they would have been crucified.
auto-forwarding
retrieved to a computer/etc under your direct control as soon as possible. So much for living 'in the cloud'. Had the Gmail account holder done such a configuration then the sender would have been quite SOL!
Beating the drum
Stored Communications Act
But, in the situation at hand, it's necessary to remember that Google does not have complete freedom to just "return" to some third party an email sent between two other parties.
18 U.S.C. 2702 -- Voluntary disclosure of customer communications or records
If Goldman Sachs were simply asking for the destruction of their outside consultant's misdirected email, it wouldn't implicate the SCA's "knowingly divulge". But Goldman Sachs is asking for the email's "return". Presumably, they believe that they're the "intended recipient" of the email which their outside consultant wrote.
Wrong target
Google could - maybe, at most - be asked to help GS in identifying the recipient, but I'm not sure they would be much help (depends on the info in the account).
And the fact that GS has that obligation to keep confidential information out of the wrong hands? Yeah, right, they screwed up! Their mistake, their problem, their lawsuit for negligence... not Google's.