Banking

Bank sends email to wrong Gmail account: Who's at fault?

When a bank sends confidential data to the wrong Gmail address, who is responsible for cleaning up the mess--the bank, Google, or the recipient?

We all know that sinking feeling in the pit of your stomach. You've just done something (cut a wire, deleted a file, clicked the wrong button, etc.) and immediately realized it was a mistake. An employee at Rocky Mountain Bank likely felt this sensation when they sent confidential account information to the wrong Gmail account.

Account information sent to wrong Gmail address

According to various news reports and the court filing, a customer of Rocky Mountain Bank in Wyoming asked a bank employee to email loan statements to a third-party representative. Unfortunately, the bank employee sent the information to the wrong Gmail address. To make matters worse, the data file attached to the erroneously-sent email contained confidential information on 1,325 accounts of other customers. The file included names, addresses, tax identification numbers, and loan information.

After discovering the mistake, Rocky Mountain Bank personnel tried to recall the email, without success. They also sent a follow-up message to the recipient, instructing them to delete the message and attachment without opening it and requesting that he or she contact the bank to discuss their actions. The bank also contacted Google to determine if the account was active or dormant, and what could be done to prevent the data from being disclosed.

Google declined to provide any information about the Gmail account in question without a court order. Rocky Mountain Bank filed suit to force the disclosure of account information and asked the Court to seal the case. On September 18, 2009, a federal judge denied the bank's request to seal the case.

Blaming everyone but themselves

Although the bank employee made two colossal mistakes (sending the email to the wrong address and attaching a file which shouldn't have been sent at all), I sympathize with him or her. We've all made mistakes, and I suspect they will suffer significant repercussions--including possible termination. I'm not saying the employee shouldn't be disciplined, but I still empathize with him or her.

Even more so, I sympathize with the bank customers. Their confidential information was carelessly handled and is now at risk through no fault of their own.

I have however, little if any sympathy for Rocky Mountain Bank. Here are three reasons why:

  1. They should have had better systems in place to prevent confidential information from being sent to the wrong recipient: outbound mail checks that flag attachments containing other customers' records or tax identification numbers, and a confirmation step for recipients outside the bank. At the very least, they should have encrypted the attachment so that only the intended recipient, holding a key or passphrase delivered separately, could read it. A misdirected ciphertext is an embarrassment; a misdirected plaintext is a breach.
  2. The bank shouldn't have tried to cover up their mistake to avoid negative publicity and angry customers. They argued that sealing the case was to prevent needless customer panic, but the judge disagreed. They should have made the disclosure public, outlined the corrective action that they had taken or planned to take, and offered free credit monitoring to the affected customers.
  3. Mostly, the bank's response to the incident just rubs me the wrong way. They put the blame on everyone except themselves. They want Google to turn over proprietary information. They want the owner of the Gmail account to take immediate action and contact the bank to discuss that action. They want the court to seal the proceedings and protect the bank's reputation. What are they doing to resolve the issue?
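The kind of check the first point describes, as an added example that is not code from the bank, from Google or from the article: a small outbound-mail gate that scans attachments for tax identification numbers, refuses to send them to domains that are not on an approved list, flags free webmail addresses, warns when the recipient is one slip away from an address already on file, and blocks a file that carries more customers' records than the sender declared. The domains, the allowlist, the on-file address and the CSV rows are constructed for the example, and the TIN regex assumes US SSN and EIN formats.

```python
"""Outbound-mail policy gate, in the spirit of the checks the bank lacked.

Added example, not code from Rocky Mountain Bank, Google or the article.
The domains, the allowlist, the on-file addresses and the sample CSV
records are all constructed; the TIN patterns assume US SSN/EIN formats.
"""
import difflib
import re
from dataclasses import dataclass
from email.message import EmailMessage

# Constructed policy data (assumptions for the example).
APPROVED_EXTERNAL_DOMAINS = {"lawfirm.example.com"}   # vetted third parties
FREEMAIL_DOMAINS = {"gmail.com", "hotmail.com", "yahoo.com"}
KNOWN_ADDRESSES = {"j.representative@lawfirm.example.com"}  # on file at the bank

# US tax identification numbers: SSN 123-45-6789 or EIN 12-3456789 (assumption).
TIN_RE = re.compile(r"\b(?:\d{3}-\d{2}-\d{4}|\d{2}-\d{7})\b")


@dataclass
class Verdict:
    allowed: bool
    reasons: tuple  # empty when allowed


def count_tins(data: bytes) -> int:
    """Number of distinct TINs in an attachment body (0 if none)."""
    text = data.decode("utf-8", errors="ignore")
    return len(set(TIN_RE.findall(text)))


def recipient_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def check_outbound(msg: EmailMessage, declared_customers: int = 1) -> Verdict:
    """Decide whether msg may leave the bank.

    declared_customers is how many customers' data the sender says the
    message covers: one for a single customer's loan statements.
    """
    reasons = []
    tins = sum(count_tins(part.get_payload(decode=True))
               for part in msg.iter_attachments())
    for addr in msg.get_all("To", []):
        addr = str(addr).strip().lower()
        dom = recipient_domain(addr)
        if tins and dom not in APPROVED_EXTERNAL_DOMAINS:
            reasons.append(f"TINs addressed to unapproved domain {dom}")
        if dom in FREEMAIL_DOMAINS:
            reasons.append(f"{addr} is a free webmail address")
        # A near miss against an address on file is the classic fat-finger typo.
        close = difflib.get_close_matches(addr, KNOWN_ADDRESSES, n=1, cutoff=0.85)
        if close and close[0] != addr:
            reasons.append(f"{addr} looks like a typo of {close[0]}")
    if tins > declared_customers:
        reasons.append(f"attachment carries {tins} TINs but only "
                       f"{declared_customers} customer(s) were declared")
    return Verdict(not reasons, tuple(reasons))


def build_message(to_addr: str, attachment: bytes) -> EmailMessage:
    """Assemble a bank-to-customer message with one CSV attachment."""
    msg = EmailMessage()
    msg["From"] = "loans@bank.example.com"
    msg["To"] = to_addr
    msg.set_content("Loan statements attached.")
    msg.add_attachment(attachment, maintype="text", subtype="csv",
                       filename="statements.csv")
    return msg


# Constructed sample data: a bulk export that drags other customers along,
# versus the single statement that should have been sent.
BULK_EXPORT = (b"name,tin,loan\n"
               b"A Smith,123-45-6789,10000\n"
               b"B Jones,987-65-4321,25000\n"
               b"C Holdings,12-3456789,5000\n")
SINGLE_STATEMENT = b"name,tin,loan\nA Smith,123-45-6789,10000\n"

if __name__ == "__main__":
    # Wrong domain and a bulk file: blocked for three separate reasons.
    print(check_outbound(build_message("j.representative@gmail.com", BULK_EXPORT)))
    # Right recipient, one customer's records: allowed.
    print(check_outbound(build_message("j.representative@lawfirm.example.com", SINGLE_STATEMENT)))
```

Run stand-alone, the two calls at the bottom show the misdirected bulk export being blocked and the correct single statement passing. The near-miss check is keyed to the bank's own address book rather than a generic spell-check, so it catches the transposed letter that a human eye skips; the confirmation step for an unlisted external recipient and the encryption of the attachment itself sit outside this gate.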

Who's at fault?

Although I clearly think Rocky Mountain Bank deserves the blame in this case, what about you? Also, do you think IT could have prevented the disclosure? If so, how? Lastly, have you ever had to help a user frantically trying to recall an email sent to the wrong recipient? Were you able to help them or not?

Updated 10/1/2009: According to news reports, on Wednesday, Sept. 23, U.S. District Court Judge James Ware (Northern District of California) issued a court order requiring Google to deactivate the email account to which the confidential information was sent and to disclose the account holder's identity and contact information to the court and to Rocky Mountain Bank. After notifying the account holder, Google complied.

After handing over the requested information, Google also confirmed that the confidential information had not been opened, and deleted the information. These actions seemed to be sufficient for Rocky Mountain Bank and the court. Earlier this week, the court granted a motion to dismiss the case and vacate the temporary restraining order, which kept the account disabled. Google has since reactivated the account.

You can read more about the incident from the following sources:

About

Bill Detwiler is Managing Editor of TechRepublic and Tech Pro Research and the host of Cracking Open, CNET and TechRepublic's popular online show. Prior to joining TechRepublic in 2000, Bill was an IT manager, database administrator, and desktop supp...

159 comments
DarkWaterSong

I deal with banks, insurance companies and government agencies all day long. Most of the time it is a royal pain to get sample designs and data files from them to see why they can't get things working. In many cases we have to resort to an FTP connection, or I have to log into their secured server that holds emailed files. How is it that so many companies do secure their data (like needing a password they issued to view a file), and Rocky Mountain Bank does not? Oh, and the software I support is used to design many of the forms these companies use.

ccaamano

Why was a third party using a Gmail account rather than their own? Are they that non-professional, for lack of words? I have a small business and have a personal email set up through the web hosting. No mistaking my address.

kludwigson

The Bank is at fault. I am the IT dept at a small community bank. It's too bad budgets "don't have room" these days for encryption methods!!

EKRULL8

I just tried to do the vote on this story and I get a message that I already voted. Not the first time this has happened. Who is using my account here? It is the bank's fault.

vickaprili

I hope that Google charged the bank for the additional System Administration that was required to rectify this problem and legal fees as well. Bottom line is that the bank should not e-mail account details in the first place and the account holder should have forwarded on the detail to the third party himself/herself. Was the third party actually authorised to receive the information in the first place (ie written on the account). Also it looks like a coaching opportunity as the employee cannot use e-mail, if they are still employed.

CMag

That is why we won't email confidential information; we do have secured email via their web account with the CU, where they can log in and receive information. We try to be careful, but let us be honest: any one of us can make a HUGE mistake.

thudish

If the bank had sent a notice to the recipient that their information was available on the bank's web site, the user would have logged into the bank with a registered login and got the information.

Oz_Media

Who in their right mind uses a free online account for ANYTHING other than signing up to websites like TR? Anyone with an internet connection should have a personal email account with them; if not, change your ISP. How anyone thinks that using a free account, especially Gmail, Hotmail etc., is worthy for business, important correspondence, bank account details etc. is just too stupid and deserves the repercussions of it. It's just like people who actually think a free or cheap residential VoIP network will suffice for business use. If business was free and such services were reliable and worked, nobody would pay for the premium/managed services. I've seen people try to cut business corners for decades, LONG before computers were mainstream. They rarely succeed though and are easily passed by in the grand scheme of things. Look at all the idiots who used to gloat about using free internet access, with that banner across the bottom of the screen that paid 3 cents per annum for participation. Cheap bastards! If for your own non-critical use, free is fine. If for business, or important information, pay for the privilege.

toolutility

the customer of Rocky Mountain Bank in Wyoming

toto171

I think the bank. Why? 1: The bank gave the order to its own employee. The employee made a mistake; the bank is his boss, so they also have to clean up. However, they did not have the system OK; even that is a wrong situation. When they had a good control system, this would never have happened. 2: Google cannot do that, because it's information for a third person. To do that they need a judge, and the judge says no, because the person who received this did not commit a criminal act, so the judge says no to it. The bank can only freeze all information, like the account and the rest in the system, and make a new one (the freeze is only for the transactions, temporarily) and pay the victim all that they will lose, with interest.

bob

It makes NO difference that the email recipient was a Gmail recipient; it could have been ANY email recipient. The bank and its employees are responsible for all correspondence sent by them. The bank should be held responsible for any damages that the intended recipient suffered as a result of sending this classified information to someone other than the real owner of this information. If the intended recipient gave the WRONG address to the bank, through an online form or other than verbal, then the owner of the data, who supplied the wrong data to the bank, is responsible and not the bank. The bank should have sent a validation mail to the recipient requiring the recipient to PHONE the bank 800 number (so as to get caller ID) and key in the code to validate, before any email was used to correspond with the customer. If the caller ID did not match, then email should not have been used. In any case, it is NEVER GMAIL at fault, since they are merely the carrier; it would have been poor procedure by the bank for not validating, or the customer for providing an erroneous email address in the first place. Common sense should prevail, as there is only to inspect procedures to determine where the fault lies. If the bank does not validate emails provided by customers, then it should have a very clear policy statement on the form that requests the email address as to errors, and that the customer is responsible for an erroneous email address.

nthompson77

Google has to share some responsibility. Whereas I do not agree with disclosing the account holder information, they could have simply disabled the account (temporarily) or determined the level of exposure of the information. Mistakes do happen and I cannot see why the employee, who hit send, should take the fall for this. It does not seem like the bank had any policies in place to protect the information or determine how it should be handled. Quite often, if you mistype one letter in an email address it belongs to someone else. There have been several occasions when individuals have wanted to recall emails.

adekunlejob

Well, in my own opinion, it depends on the situation investigation report. In a situation where the customer fills in a wrong email address, the customer is at fault, because a computer is garbage-in, garbage-out. But in a situation where the customer information is rightly filled in but the bank sends the statement to the wrong address, then the bank is at fault.

ITBuff

What happened to sending a link to data posted on a server and having the recipient verify themselves before being allowed to access the data? It sounds to me like the bank needs to get rid of the person who came up with the idea to send confidential data via e-mail. Haven't we heard enough stories about data winding up in the wrong hands? Why would you send any type of confidential data outside the bank walls?

wjayd

Mistakes get made, fact of life; it's the recovery that shows the mettle. The bank (its employee/agent) screwed up initially. The issue of having rights to such information is incidental; they have the fiduciary responsibility for using that data in an appropriate and responsible manner. As soon as the error happened, they should have mined the data and found the accounts involved, notified those customers, and offered credit watching and any other compensation they felt appropriate and necessary. The initial notification to the wrong Gmail account was also not a bad move, but one for which they should also compensate the user for their effort, time and cost of contact at a minimum. After that all the remaining steps might have been appropriate and acceptable. The failure to step up and be open with their customers about their mishap in failing to protect them is absolutely key!

DelphiniumEve

The bank is at fault under US laws...however, why did they not have a tool (there are several on the market) that would block PII going through the firewall? Why was there not a link to an encrypted location/file store that would require authentication or validation to open a file with critical and LEGALLY PROTECTED INFORMATION? Someone at the bank is asleep at the wheel and deserves a fine. While I am not a fan of Google Apps due to security concerns, that was just a conduit. It bears no blame in what is delivered to their systems in this case. This is clearly a bank foul-up.

jamesdefreitas

I believe all 3 bear 'some' responsibility; Rocky Bank for lack of procedures - I agree with the article fully; however, the recipient should immediately have contacted the bank or responded and did the right thing by deleting the email; finally Google should in all honesty try to help out although I do not know what the legal implications would have been

aaron.gregoryjr

At the end of the day, there were several things wrong with this entire scenario. The bank bears responsibility for lack of proper training in delivering sensitive data - for there is a safe, proper way to do it. It is the bank's responsibility for not training their employees in such a seriously important topic. Also - sensitive information belonging to many others besides the recipient? Also a training and policy issue on the bank's part. The employee - yes she screwed up - but real responsibility lies with management. The second that this email left the bank employee's mail client... everyone in the process was just a channel or route... including Google, and the wrong recipient. Kudos to Google for enforcing their privacy rules, and the wrong recipient... well, if you go by the U.S. Postal Service rule - if its delivered to you, it's yours. The bank made the mess, they need to clean it up.

madhu.panisetty

Any mail I got from my bank was an encrypted PDF file which cannot be opened even by me without a password. How can this bank have such a policy of having files without a password?

loopboyd

The scenario seems to be one-sided. It seems to be exposing the faults of the bank, and this affects the votes made. Due to the sensitive nature of the mail, Google should have recalled the mail to themselves and not sent it back to the bank. It should then ask the email account owner if they expected an email from the bank and with what kind of content. Afterwards, determine what to do with the mail...

jcqs.bchrd

My bank cannot address messages to my e-mail address. I need to logon to my bank's website and then I have access to a messaging system. I only receive, at my e-mail address, automatic notification when I have a new mail from my bank. A very closed system. RMB is guilty for its communication organization at a very high level, not the employee level.

Nico Baggus

Using encryption should have caught the typo. (when addresses from a known list are used).

raj1402

It's 100% the bank's mistake. The bank should have a password to read the bank statement on email; it's as simple as that. A simple password-locked PDF bank statement will do.

Double Click

This kind of human error can and will happen. What surprises me though is that this kind of information is being sent in such an insecure manner ... and this from a first world country bank. I wonder what other things happen in the rest of the banking community.

shiv

I believe the fault is the bank's IT department's. In the IT field it is almost a rule that a user will make mistakes and the system design should be robust enough to handle at least the critical mistakes. In this case, for example, there should have been an email system where the employee would have been required to select the name/ID of the customer for mailing and the system would send the email to the corresponding email ID.

sudesh.sawant

Definitely the bank is at fault. The system of message recall is very poor in most systems. The system should improve a lot. Banks should implement better control systems for sending a document over email. They should have basic password protection or at least force the user to enter the valid bank account number before opening the document. This should be simple, keeping in mind the average user and that no security system is foolproof. It could cover 90 pc of the cases. The rest 10 pc may anyway be difficult to prevent.

r_hamilton

Many banks and other businesses have invested in data loss prevention software for exactly this reason. People make mistakes - data loss prevention could have alerted the sender that the attachment may have been inappropriate or it could have just blocked the message from being sent. It works.

rfbautista

I think Congress should pass a law to put a minimum security requirement on all bank-related communications. I mean, it's not so costly to implement one anyway. The least would be simple operational measures that don't really require much investment or technology. For instance, if the bank doesn't have the technical expertise to secure their communication, the least they could do is not send confidential information to emails under public email providers such as Yahoo or Gmail. A legitimate third party should at least have a corporate email account. That should at least minimize the potential scope of similar problems like this.

vidahorsfield

If the email was encrypted, the fact that it went to the wrong customer would still be a problem for the bank, but the risk would've been much smaller. There are numerous banking regulations that prohibit this very thing from happening. Sounds like someone's asleep at the wheel. I don't think it's Google :).

eliel_goco

"Where you able to help them or not?" "Where" should be "were"

ppaplaus

Putting an address into the "to:" is like loading a gun with a bullet. Not only can a fired bullet not be recalled, but it only takes one small mistake to set it off. As a precaution, configure your email client not to automatically send every email, do it manually in batches. And, if possible, do not put an email address into the box when you start to write the email. This is a practice I learned early on in the office from a very wise supervisor...

tsteele

The bank is certainly at fault and the cause of the mess, but Google and the errant recipient also share some degree of responsibility or even liability. If the recipient disregarded the message and did nothing with the data, he is off the hook. On the other hand, if he chooses to exploit the data, then he is guilty of fraud and perhaps other crimes. This would be no different than the post office delivering a person a check by mistake, then the recipient cashing it. Likewise, Google must bear some responsibility as well. If they were notified of the mistake and had the opportunity to prevent further exploitation but refused, they would have to share some liability as well, since the problem was exacerbated by Google's inaction. If fraud was proven, Google could at least be sued (probably unsuccessfully) civilly. If it is proven that the recipient used the mistakenly sent data fraudulently and Google had sufficient notification and opportunity to have prevented it, they could possibly be considered an accessory.

jimaker

Confidential information or sensitive contact information should NEVER be sent via email. Email is notoriously insecure and that is why most large banks only use a message system on their secure website, where their customers must log in with encrypted passwords to view the encrypted messages pertaining to their accounts.

techrepublic

Sending confidential data by email is wrong. Google could have assisted, but they aren't obligated to. When the bank emailed the incorrect recipient again, that person should have replied back, if it's an account actually being used. I was getting faxes for someone else several times a few years ago and called long distance each time to tell them until they finally stopped sending them to me. If the world was all good people, there wouldn't even be an issue here, but the world is not all good people. Of all the points mentioned, I think the most important one is to NOT send private data by email in the first place.

wsargent

I don't think it's a question of fault. I think it's a question of liability. GMail is a free service. It is not guaranteed, let alone underwritten, bonded or insured. The bank is entitled to its money back - and a fair trial in a class action suit. Sorry. I don't mean to be unsympathetic, but real businesses should not rely on "free-beer" services for mission critical operations and take no responsibility for the risks.

ZombyWulf

The bank couldn't possibly be at fault, it musta been some homeless person, or a terrorist plot, it couldn't have been lousy record keeping or a total nimnal employee.

Ken Cameron

Is there any REAL fault? It was a simple clerical error. Rocky Mountain Bank is absolutely "Responsible" for the employee's mistake. However, the "system" and bank procedures & safeguards still let that employee make that mistake. If Rocky Mtn used an internal email system, could they have "blocked" the employee from doing this (by blocking any email with attachments to non-corporate email addresses)? I am more curious about a slightly different scenario: what if the email going to the wrong place WAS a Google mistake or "bug"? Is there a contract with SLAs between Google and Rocky Mountain that addresses emails going to the right or wrong place? If there is, what liability does Google sign up for? If there are penalties, the amount would be minuscule compared to the potential damage to Rocky Mtn. Now, think about this last scenario in a Cloud Computing scenario. For that matter, look back at outsourcing. If I have outsourced my business critical systems, let's say I have really tight SLAs (99.99% availability). The penalty for missing that SLA is some portion of the monthly charge I pay this vendor. Now, the vendor has some very critical issue in their infrastructure that leaves me down for most of a business day (complete loss of revenue). Who will be the scapegoat: the outsourcer? Wrong! The CEO and the board will most likely shoot the CIO.

rainmaker

This is a cut and dry issue. Blame for something like this can be assigned to any of the parties depending on what occurred: * if the customer provided the wrong e-mail address, the blame lies with the customer * if the bank had the correct e-mail address, but sent the e-mail to the wrong address, the blame lies with the bank * if the bank sent the e-mail to the correct address, but somehow it ended up in someone else's Gmail account, the blame lies with Google From what was described in the article, however, the blame lies SQUARELY with the bank. This is a non-question.

dpereira

I used to work in compliance at a national bank and this would not have happened there, as they used Tumbleweed to secure the email. Under the Gramm-Leach-Bliley Act (GLB) no one should be sending confidential information over email or fax, as both can be intercepted. With Tumbleweed, merely a link is sent to the Gmail account, and to get to the secure email would require verification that only the customer could authenticate. Also, the message could have been recalled. This was a dumb mistake.

premdas67

As you prefaced it, everybody makes mistakes. However, the remedial actions taken were hasty and driven by panic. What's to be done? We are human.

seanferd

The bank should always do a check when sending info to a third party without a corporate email address. And why would any professional be using "public" email servers for official correspondence? Actually, I know one answer to that question: lazy or no IT dept. I constantly see posts by professionals on the internet who have less of a clue than I do (very little) about running a corporate network, and who want to farm out everything to a multitude of free services.

director_ozemail

Your details were among those mishandled by the bank. Some Eastern European syndicate has cloned your identity & now they are busy using all your accounts. Either that or someone else has been using your computer - perhaps a co-worker, family member or housemate. You can vote for one or more. * No assumption of paranoia will be inferred from your vote. :) ** Don't worry about those feelings that the banks are out to get you - that's not paranoia - they're out to get all of us. More specifically, all our money. :)

art

The bank was irresponsible and mishandled sensitive data. So how does Google disclosing the data in their records fix the problem. I think that if Google had complied they would be just as wrong for disclosing confidential data. I would be just as disappointed in the judicial system had they forced the disclosure of the email account holder's data.

PackMule64

You know I have been watching this topic for days and reading the replies in various forums. The thing that no one really says, or at least I haven't seen it, is what would you do if you received this e-mail? I do all my banking on line, I don't even get a snail mail statement. Once a month I receive an e-mail from them telling me my statement is available online with a link. I have NEVER clicked on that link and delete it immediately. If I receive anything else from them it goes in the trash without ever opening, they will not contact me via e-mail if it is important. NOW! IF I receive an e-mail from some bank I don't do business with and it has an attachment WHAT do you think is going to happen to it??? DELETE! The same procedure with e-mails telling me they want to give me a large sum of money and all I have to do is deposit a big check, yeah right. Now as for the second email I will probably never see it because I have now set up a g-mail filter to automatically delete anything from that address bypassing even the trash folder. I wonder how many of you actually go around opening attachments from senders that you don't know?? NO G-mail should not be required to give out the recipients information nor should they disable the account. Shame on you G-mail for being bullied into action like this! The recipient did nothing wrong, he did not ask for this info or break any laws or circumvent any security features or hack into the bank in any shape or form to get this info, yet you have punished him as though he is a criminal! So now I have to be responsible for all email that is sent to me and open every attachment to see what it is and notify the sender of errors. The hackers and spammers will love this! Ridiculous!

Geek3001

If they did more, temporarily shutting down the account, what would happen if the user of the account lost money because they couldn't get email? Would the bank have to make it up to the person because the bank made a mistake?

kreiss

How many other emails were sent with similar confidential information? In the "old days" such information would have been sent via certified mail or similar. Now, in an effort to save money, they use electronic "post cards" that can be read or received by anyone. There is obviously a structural problem at this bank that disregards legal and moral confidentiality requirements. The problem here is not with the employee or the IT department, but goes much higher in the organization.

Nico Baggus

The file should probably be encrypted by other means before that too.

Geek3001

There are some people in this world that do not check their email every half hour, or even once a day. The person in question may be that type, and therefore couldn't have responded to a much more urgent request to delete the mail.

wsargent

I think that's a great suggestion: Don't send sensitive bank data via email. It's crystal clear. My first thought was also that it would've been nice if Google were more cooperative, but think of the can of worms that creates. How many GMail customers do they have? Millions? How much revenue does it generate to support the service? Zero? I think Google has to enact a very clear policy so customers learn that Google is a volunteer organization.
