When a bank sends confidential data to the wrong Gmail address, who is responsible for cleaning up the mess—the bank, Google, or the recipient?
We all know that sinking feeling in the pit of your stomach. You've just done something (cut a wire, deleted a file, clicked the wrong button, etc.) and immediately realized it was a mistake. An employee at Rocky Mountain Bank likely felt this sensation when they sent confidential account information to the wrong Gmail account.
Account information sent to wrong Gmail address
According to various news reports and the court filing, a customer of Rocky Mountain Bank in Wyoming asked a bank employee to email loan statements to a third-party representative. Unfortunately, the bank employee sent the information to the wrong Gmail address. To make matters worse, the data file attached to the erroneously-sent email contained confidential information on 1,325 accounts of other customers. The file included names, addresses, tax identification numbers, and loan information.
After discovering the mistake, Rocky Mountain Bank personnel tried to recall the email, without success. They also sent a follow-up message to the recipient, instructing them to delete the message and attachment without opening it and requesting that he or she contact the bank to discuss their actions. The bank also contacted Google to determine if the account was active or dormant, and what could be done to prevent the data from being disclosed.
Google declined to provide any information about the Gmail account in question without a court order. Rocky Mountain Bank filed suit to force the disclosure of account information and asked the Court to seal the case. On September 18, 2009, a federal judge denied the bank's request to seal the case.
Blaming everyone but themselves
Although the bank employee made two colossal mistakes (sending the email to the wrong address and sending a file which shouldn't have even been sent), I sympathize with him or her. We've all made mistakes, and I suspect they will suffer significant repercussions—including possible termination. I'm not saying the employee should be disciplined, but I still empathize with him or her.
Even more so, I sympathize with the bank customers. Their confidential information was carelessly handled and is now at risk through no fault of their own.
I have however, little if any sympathy for Rocky Mountain Bank. Here are three reasons why:
- They should have had better systems in place to prevent confidential information from being sent to the wrong recipient, such as outbound mail filtering that stops a file full of customer records from leaving for an external address. At the very least, they should have encrypted the attachment so that an unintended recipient couldn't read it.
- The bank shouldn't have tried to cover up their mistake to avoid negative publicity and angry customers. They argued that sealing the case was to prevent needless customer panic, but the judge disagreed. They should have made the disclosure public, outlined the corrective action that they had taken or planned to take, and offered free credit monitoring support to the affected customers.
- Mostly, the bank's response to the incident just rubs me the wrong way. They put the blame on everyone except themselves. They want Google to turn over proprietary information. They want the owner of the Gmail account to take immediate action and contact the bank to discuss that action. They want the court to seal the proceedings and protect the bank's reputation. What are they doing to resolve the issue?
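The control the first point calls for can be sketched in code. What follows is an added example written for this post, not anything Rocky Mountain Bank or Google runs: an outbound-mail policy check that counts tax-identifier-looking values in the message body and attachments and, when they are addressed outside the institution, requires encryption for a single customer's data and holds a bulk export for review. The trusted-domain list, the identifier patterns, the threshold of 10 and the sample CSV are all assumptions made for the example.

```python
import re

# Outbound-mail policy check, written as an added example for this post.
# The domain list, threshold and sample data below are assumptions, not the bank's policy.

# Matches SSN/ITIN-style (123-45-6789) and EIN-style (12-3456789) identifiers.
TIN_PATTERN = re.compile(r"\b(?:\d{3}-\d{2}-\d{4}|\d{2}-\d{7})\b")

# Assumed: mail to these domains stays inside the institution.
TRUSTED_DOMAINS = {"example-bank.test"}

# Assumed: more distinct TINs than this in one outbound message is a bulk export,
# which a request about a single customer's loans never needs.
BULK_THRESHOLD = 10


def find_tins(text: str) -> set[str]:
    """Return the distinct tax-identifier-looking tokens in text."""
    return set(TIN_PATTERN.findall(text))


def domain_of(address: str) -> str:
    """Lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def evaluate_outbound(recipients, body, attachments,
                      trusted_domains=TRUSTED_DOMAINS, bulk_threshold=BULK_THRESHOLD):
    """Decide what the mail gateway should do with one outbound message.

    recipients: list of addresses; body: message text;
    attachments: dict of filename -> decoded text content.
    Returns a dict whose 'action' is 'allow', 'encrypt' or 'block', plus the evidence.
    """
    external = [r for r in recipients if domain_of(r) not in trusted_domains]
    tins = find_tins(body)
    per_attachment = {}
    for name, content in attachments.items():
        found = find_tins(content)
        per_attachment[name] = len(found)
        tins |= found

    evidence = {
        "external_recipients": external,
        "tin_count": len(tins),
        "tins_per_attachment": per_attachment,
    }
    if not external or not tins:
        return {"action": "allow",
                "reason": "no confidential data leaving the institution", **evidence}
    if len(tins) >= bulk_threshold:
        return {"action": "block",
                "reason": f"{len(tins)} distinct TINs addressed to external recipients; hold for review",
                **evidence}
    return {"action": "encrypt",
            "reason": "confidential data to an external recipient; deliver only in an encrypted container",
            **evidence}


def constructed_loan_export(n_rows: int) -> str:
    """Constructed sample: a CSV export shaped like the file described in the post. All values are fake."""
    rows = ["name,address,tin,loan_balance"]
    for i in range(n_rows):
        rows.append(f"Customer {i},{100 + i} Main St,900-{i % 100:02d}-{1000 + i:04d},{5000 + i * 10}")
    return "\n".join(rows)


if __name__ == "__main__":
    single = {"statement.csv": constructed_loan_export(1)}
    bulk = {"all_loans.csv": constructed_loan_export(1325)}
    # One customer's statement to a representative's webmail account: send, but encrypted.
    print(evaluate_outbound(["rep@gmail.com"], "Statement attached.", single)["action"])   # encrypt
    # The whole loan book to the same address: hold it.
    print(evaluate_outbound(["rep@gmail.com"], "Statement attached.", bulk)["action"])     # block
    # The same file to an internal mailbox is not an exfiltration path for this check.
    print(evaluate_outbound(["ops@example-bank.test"], "", bulk)["action"])                # allow
```

The check only looks at identifier shape, so it will miss a file whose tax IDs are formatted without dashes and will flag unrelated nine-digit strings; it is a gate for the obvious case, not a substitute for encrypting anything that leaves the institution.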
Who's at fault?
Although I clearly think Rocky Mountain Bank deserves the blame in this case, what about you? Also, do you think IT could have prevented the disclosure? If so, how? Lastly, have you ever had to help a user frantically trying to recall an email sent to the wrong recipient? Were you able to help them or not?
Updated 10/1/2009: According to news reports, on Wednesday, Sept. 23, U.S. District Court Judge James Ware (Northern District of California) issued a court order requiring Google to deactivate the email account to which the confidential information was sent and to disclose the account holder's identity and contact information to the court and to Rocky Mountain Bank. After notifying the account holder, Google complied.
After handing over the requested information, Google also confirmed that the confidential information had not been opened, and deleted the information. These actions seemed to be sufficient for Rocky Mountain Bank and the court. Earlier this week, the court granted a motion to dismiss the case and vacate the temporary restraining order, which kept the account disabled. Google has since reactivated the account.
You can read more about the incident from the following sources:
- Misfired e-mail was never viewed by Gmail user (CNET News.com)
- Google, bank resolve issue over misfired e-mail (CNET News.com)
- Judge Orders Google To Deactivate User's Gmail Account (MediaPost)
- Bank Sends Sensitive E-mail to Wrong Gmail Address, Sues Google (Wired)
- Lawsuit Tied To Bank Gmail Error Can't Be Secret, Judge Says (InformationWeek)
- Bank Sues Google After Employee Negligence (Softpedia)