Misfired e-mail was never viewed by Gmail user
A sensitive e-mail mistakenly sent by a bank to a Gmail address that prompted a court to order Google to deactivate the account was not viewed by the recipient and has been deleted, the bank said on Tuesday.
The e-mail, sent by an employee of Jackson, Wyo.-based Rocky Mountain Bank on August 12, contained names, addresses, Social Security numbers, and loan information of more than 1,300 bank customers.
The bank sent another e-mail asking that the data be destroyed and went to court to get Google to intervene on its behalf. Last week, a judge in U.S. District Court in San Jose, Calif., ordered Google to deactivate the Gmail account and Google complied. Google and the bank quickly resolved the matter and the court granted their motion to dismiss the case and allowed Google to reactivate the Gmail account.
"Rocky Mountain Bank, working with Google (through court order), confirmed on Thursday of last week that the e-mail containing client information was never opened and has now been permanently destroyed by Google's system," Tina Martinez, general counsel for Rocky Mountain Capital, wrote in an e-mail response to questions.
"As a result, no customer data of any sort has been viewed or used by any inappropriate user during this data lapse," Martinez wrote. "Rocky Mountain Bank acted to protect its customer's confidential information. That objective was accomplished. The matter is now closed and the TRO (temporary restraining order) entered on September 23, 2009 is now vacated."
Asked for comment, a Google spokesman said: "To protect the privacy of our users, we do not comment on their use of Google services."
The case poses some interesting questions. For instance, should the person who registered the e-mail address lose access to the account or have items deleted without his or her permission, particularly through no fault of their own?
And what recourse would the bank have if the data had been sent via regular mail to the wrong address? The U.S. Postal Office certainly doesn't have the ability to see the envelope sitting on the recipient's desk and vaporize it.
Update 4:35 p.m. PDT: The bank did not take any action against the worker who sent the e-mail, the bank's lawyer said.
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.





Did this account go offline for 6 days? Good grief that's a long time.
Dude, half a day is too long for me sometimes.
I'm living on extreme mode every day.
My braincells end up running around in circles.
I bet you all that your bodies would continue to process oxygen if your emails went away for 6 days. Golly, we all might get some work done!
Would Google have argued that the bank's ownership or control of that data ceased as soon as the copy was made onto Google's systems? Would they have had a chance with that argument?
Sounds like a lot of "when does life begin?" questions to me. Yuk. Very messy, no?
I would consider legal action against the bank if I were the unintended recipient of such an email and it caused my account to be locked. This should never have happened in the first place.
So long as any business is run and managed by people, the possibility of mistakes will always exist. All the security in the world won't change that. Do we sue for every mistake or accident that happens? This lawsuit happy society has already made the court system a joke as it is.
As for the bankers? You worthless worms, what is wrong with you to be so reckless with such sensitive information? The banks should be facing prosecution here, the fact that no damage was done is down to luck, customers' information was put at perilous risk, and somebody should take the fall.
Actually a court can order a letter returned unopened. A court can order a marshal or officer of the court to go to a person's home and retrieve the snail mail letter. The court acted appropriately as the email was not intended for the recipient. Locking the email account was appropriate. We see this when money is incorrectly transferred into a bank account too - the recipient account is locked until the matter is resolved. There are no grounds for compensation and this is a bank account where you may not have any alternatives and may face financial or other hardship as a result (eg not get paid your salary or not pay a bill on time and get your power cut!), not just something as mundane as email where it could be easily argued other communication devices (phone, face to face) or a temporary email account would mitigate the impact.
As for compensation from the bank for the person whose account was locked, it really depends on the impact on the person whose account was locked. If they were running their own business using that account, it could be argued that 6 days without email cost them financially making the bank responsible for those losses. But as I outlined above, it is unlikely a court would even hear the case. The bank would need to be generous and settle - unlikely.
If it was a personal account or an account that was not impacted significantly there would be no grounds to litigate against the bank - you cannot sue for mere inconvenience (particularly due to a court order, court orders generally provide immunity against litigation). I'd say in this case it would be merely inconvenience, not costly to the person whose account was locked, but those details were not in the article.
LOL - shopping now... ;)
Wow. They tried to spin their horrendous internal policies as an example of how they protect customer information.
I don't even understand how this garbage is legal. You can take a company to court because you sent them an email by mistake. Whoever does business with this bank needs to get out asap. I'm not saying other banks don't do similar things, but this is just too obvious. Also this judge sounds very incompetent and incapable of dealing with these issues. I wish Google would have taken this further because this sets a bad precedent. If this situation doesn't define how to promote stupidity, I don't know what does.
I'm willing to bet that if you're one of the 1,300 you wouldn't be concerned by the privacy of some guy, you'd be more concerned that Igor from Kazakhstan hasn't just taken out a $20,000 loan using your identity.
Most theoretical arguments, especially overtly liberal ones (I'm not using this word as a synonym for Democrat, but the dictionary definition) tend to fly out the window when you're personally involved.
Nobody was hurt here. Albinos are getting chopped up in Africa to make healing potions, and we're outraged how if this happened to us we might not have access to our e-mail for a few days. Better hire a lawyer and sue!!!!
Consider the following scenarios using this precedent:
1) I "accidentally" send the bank some type of sensitive e-mail from my home account, then go to the judge and demand a TRO against ALL of the bank's e-mail while we sift through each and every message looking for mine? Do you realistically think a judge would issue such an order? Why is it alright against an individual then?
2) I use my work account to send an offending message to a client? Can the judge expand this ruling to cover abusive and/or potentially abusive e-mails? Would the judge have the right to shut down the receiving e-mail systems to prevent delivery of obscene or otherwise abusive mail?
I think the judge really, really messed up here. No way should the user's account have been suspended. If Google can safely identify the message and delete just that one, fine delete just that one. Suspending the entire account could have DRASTIC consequences for the account holder. Remember, they've done nothing wrong and are being harmed by the attempt to recover "misplaced" property. Who would be liable if the account holder missed some financing deadline / opportunity due to their account suspension?
A more thoughtful course of action would have been to notify the account holder of the issue, then issue a TRO against the account holder from taking any action with the data. Think of this as a reminder from the court that the wallet on the ground ISN'T lost, and that they shouldn't pick it up. The user could do whatever they wished, so long as it didn't involve any use of the data.
Simply puts too much power in the hands of the bank (plaintiff)... Like the internet "Take-Down" notices, the needs of the bank need to be balanced against the needs of the e-mail account holder. I don't think this was a good call.
This was not the case of someone firing off an inappropriate (eg abusive) email. The bank and the court were acting in the public interest of those 1300 customers whose financial records were sent in error.
The issue here people should be outraged about is not the bank's response in acting to have the recipient account suspended - they should be applauded for that. If my account was one of those in the email I'd be thrilled at the response. The judge too acted in the public interest - this is the mandate of the courts. This is how we get case law and precedent. The issue was that there was no recourse against the employee who sent the information, nor any review of their policies, process, security etc to allow such a breach to occur in the first place.
"Most theoretical arguments, especially overtly liberal ones (I'm not using this word as a synonym for Democrat, but the dictionary definition) tend to fly out the window when you're personally involved."
Not really. If this happened to me I would not support it for a number of reasons. You're also making a theoretical argument that is extremely flawed. If this were a life and death situation your theory might make sense, but this is actually a scenario that many people don't take seriously.
1) Something similar (without the gmail and court involvement) happened to me with my credit union and I didn't freak out. In fact I was more annoyed that the bank deactivated my debit card as a result. I think where your assumption took a wrong turn is when you assumed that every customer would be so freaked out in this situation that they would support anything as a result.
2) Also you are assuming that any action taken would make me feel safer. I wouldn't be relieved by this token gesture of safety. It wouldn't make me feel any better.
3) There was no indication that the recipient was a threat, but in contrast the bank had already demonstrated that it was. I would be too busy worrying about the bank having information.
4) This judge just reinforced the bank's policies so well that the bank and you claim that the customer's confidential information was protected. Your logic and no harm done attitude is part of the reason why the bank can get away with this.
Also this is cnet. If I want to make this argument I am in the proper place. If you want to talk Albinos in Africa then you are the one that probably shouldn't be posting.
Never send my e-mail something you wouldn't write on a postcard.
If I were at Google I think I'd have wanted to fight this a little harder. Perhaps redacting the attachment, to protect other innocent parties, but even this seems morally blurry. Quite frankly, the Bank should have taken the fall on this one.
Point is if you report lax security you're the bad guy no matter if it was intentional or not. It's never the bank's fault or big company's crappy security remember that. Always they'll find a scapegoat to make them look good.
Does the FBI qualify?
However, this case seems to suggest that the court was rather too quick to act as the bank's "best friend" - that should make everyone feel a little less safe.
And Jeremy, I agree re your concerns however I don't think the court acted as the bank's best friend, rather it acted in the public interest of the 1300 people identified in the email.
This sounds like a poor security policy for the bank. Even if nobody read the email at GMail, there are copies of it on various SMTP routing servers and people with access to that SMTP server data can read the cache for a copy of the email. Emails don't go from the sender's IP address to the receiver's IP address, the Internet works via a node system and there might be seven or more nodes the email passed through including different ISPs and servers. Not only that but if on one of those systems someone was running a packet sniffer they could have captured the data if it sniffs out social security numbers, credit card numbers, and bank accounts. Usually a hacker/cracker does that and then does identity theft on the sniffed information. But if the data is encrypted, then nobody but the person with the private key and passphrase the message that was created with their public key can read it.
The issue is that one you raised regarding the bank's incompetency - this shouldn't have been able to happen. It is one thing to want to blame the employee at the bank, but it shouldn't have been possible for him to do this without malicious intent (in which case the State would've prosecuted him). The fact that an "accident" of this magnitude could happen at all is unacceptable.
The bank, however, as you've pointed out, is of major concern. Great that it acted quickly to remedy the situation but what is being done to ensure there is no repeat?
Google MUST not interfere with the mail. They MUST let mail be mail. Regardless of the circumstance.
Fear the cloud
Google is within their rights of doing what they did. The scary thing here is just how dependent we are on Google for things Internet-based.
But I learned a lesson from my Yahoo Photos experience. I loved Yahoo's Photo service. I thought it was awesome. Now, Yahoo photos has gone away. I think gggg ssss is right. Cloud, while incredibly convenient, has a cost.
First it was Amazon and the Kindle. Now it's Google and gMail. What is next? And what will be the cost?
I still do not understand why the account was disabled, since they knew the exact email address of the sender, it should have taken less than 5 seconds to search the mail store, using that address, then just delete it... or at least stripped the attachment (ie as if it was a virus/malware attachment). I even have a free gmail account and I know for a fact it should take about 5 seconds or so to find a specific email from a specific email address. Then notify the Gmail account user, what had happened and why. I would be tolerable of that vs having no access to my account for 6 days.
Now with all this said, I agree with the others' comments... Why is a bank sending anyone's info like that via email? Who were they sending it to? Another branch? Another Bank? Why would you need to send people's personal information via email? Like the laptops being stolen with thousands of people's personal info..stolen from a person's trunk or somewhere else in the car. Not only did the banks get bailed out (most of them used that money to buy their competitors...so now they are even more powerful and bigger {remember "too big to fail"},.... than before the bail out) but apparently they are "still" so irresponsible, they can not even send an "important" email to the right person. Anyway you all get the idea. The Banks blow. Sorry for rambling LOL
Google is trying to convince the City of Los Angeles to move to Gmail. The contract is valued at $7.25 million. Google has other corporate and government customers (they tend to shy away from publicizing them).
Each and every snafu that Google suffers concerning its cloud computing services is a black eye on the whole notion of cloud computing, not just Google.
So for those of you who think that when Gmail goes down, it's not a big deal, think again.
The fact of the matter is that Google is fumbling quite badly with recent service outages. They are doing a p*ss poor job at convincing the world that cloud computing is ready for primetime. It's not.
You Google guys need to get your sh*t together. Don't talk the talk until you can walk the walk. And right now you keep tripping over your own shoelaces every few months.
If the city of Los Angeles needs a strong enough e-mail server, why not set up on their own? Too expensive? $7.25 million is a heavy price tag. How long would the contract run before having to renew it? With that money, I would set up their OWN e-mail server. Then all they need to worry about is to have an active Internet connection (which they most-probably already have).
As a business, I would never rely on any external web services (HTTP, FTP, e-mail, etc.). On the long run it is more expensive than having some "mobile" administrator look after your own server every week/month or on demand to maintain, update/upgrade or fix things.
- by loose_screw September 29, 2009 8:40 PM PDT
- This is stupid. What if the Gmail user had forwarding rules in place, or a POP client that retrieved the email before the bank could get Google to act? They got extremely lucky this time. The problem is with the bank's IT policies and employees, not Google and its users.
- by Jeremy Chappell September 30, 2009 3:03 AM PDT
- While I agree in part, I think I'd like to have seen Google fight a little harder, personally I think the most they should have done is redact the attachment. But the real blame here is with the court (which might be the most troubling of all) and the bank (how anyone can be so incompetent is beyond me).
- by gggg sssss September 30, 2009 7:43 PM PDT
- same as the kindle Animal Farm fiasco