Last month, a Rocky Mountain Bank employee fired off an email containing confidential loan information, SSNs, etc. for 1,325 clients to the wrong Gmail address. (RMB privacy policy | RMB security statement)
Rocky Mountain Bank then proceeds to attempt to recall the message, and when they realize there's no such thing, asks the recipient to delete the message. Cricket sounds are heard in the background. (Would you have replied?)
So Rocky Mountain Bank did what any logical person would do after mailing obviously non-encrypted über-secret stuff to the wrong address. Or the exact opposite. They sued Google to find out who owned the email address, whether the recipient opened or forwarded the email, to have Google forcefully delete it, and most egregious IMHO, asked the courts to seal the proceedings to hide the screwup from their own customers. Nice.
Judge Ronald Whyte had the sense to deny the motion to seal the proceedings or we might never have found this out (Decision PDF, courtesy of Threat Level).
First, I must ask..
The wrong Gmail address? Really?! How come nobody is asking WTF a bank employee is doing sending confidential customer data to any Gmail address in the first place?
Moving on.. a few days later, Judge James Ware granted their request to deactivate the victim's Gmail account and disclose the account holder's identity. View Judge Ware's temporary restraining order here (PDF, courtesy of the How Appealing blog).
The matter has since been "settled." The victim's access has been restored. The email has been deleted from their inbox through the long arm of the law. Google has confirmed the Gmail user never viewed the misfired email.
Good news for Rocky Mountain Bank-- I guess now they don't have to deal with all those Breach Notifications.
I'm no lawyer, but I see a very troubling precedent here.
- Invasion of privacy: An external entity was able to find out who owns an email address (essentially, a PO box) through no fault of the account holder, and to confirm whether an email was ever opened or not. Furthermore, an email addressed to them was forcefully deleted before they opened it.
- The account holder's ability to communicate was shut off through no fault of their own: Google was forced to disable the account holder's Gmail account. Note that unlike a PO box, a Gmail account is used to both send and receive email and stores a massive amount of data, and as such, for many people it can be considered a person's "papers" or "files."
Think about these ramifications of what just happened...
- Can I send something to your PO Box and then pull a Rocky Mountain Maneuver and sue the USPS to give me your identity and retrieve the package from your PO Box?
- What if during this search on behalf of Rocky Mountain Bank, which is done with no probable cause, the USPS finds pot in your post office box? Alternatively, what if Google finds illegal porn in your inbox?
Remember that with the advent of cloud computing services like Gmail and the like, there comes a price. Your corporate and personal data are at the mercy of the lowest common denominator.
(Update 10/14/09: Further Analysis...)