Bank Sends Confidential Email To Wrong Address, Hauls Google To Court To Figure Out Who Got The Email

from the grab-some-popcorn dept

Everyone does it at some point: you send an email to the wrong person. Hopefully the content isn't that bad or important -- but it happens. However, when a Wyoming bank, Rocky Mountain Bank, accidentally sent confidential and sensitive information to the wrong Gmail account, the bank ended up taking Google to court to find out the identity of the individual. The bank had tried emailing the wrong address again, but got no response. Google, naturally, refused to just give up the name of the person without a court order -- so the bank went to court. It also tried to have the case sealed, but the judge has rejected that idea. You can certainly understand the bank's concern here, but it does seem a bit silly to have to bring someone else to court after you screwed up and sent the wrong email.


Reader Comments

    ChurchHatesTucker (profile), Sep 23rd, 2009 @ 5:08pm

    WTF?

    This makes no sense. What's the blogger going to do? Send the original bits back? They've got to fix this frak-up on their end regardless.

    Also, let's say that there was a blogger who was critical of a corporation. Could they just 'accidentally' send a sensitive email and then demand his identity?

     

      Yakko Warner, Sep 24th, 2009 @ 10:09am

      Re: WTF?

      I saw something like that in the signature of some corporate email where I contracted once. It said something to the effect of, "if you are not the intended recipient, you are required to return this email at once."

       

    GJ (profile), Sep 23rd, 2009 @ 5:08pm

    it does seem a bit silly to have to bring someone else to court after you screwed up and sent the wrong email.

    Ok, serious question for you Mike: How else would they find out who received the email?

    Google, rightfully so, doesn't want to give the info without a court order, and the bank, rightfully so, has to cover its ass(ets) and get the information.

    What other course of action does the bank have?

    This, for once, seems like a legit (pardon the pun) reason for using the court system.

    --GJ--

     

      ..., Sep 23rd, 2009 @ 5:32pm

      Re:

      "the bank, rightfully so, has to cover its ass(ets) and get the information."

      Once they have the identity, then what, the bank still has to fix the problem. Possibly the bank is hoping the recipient did not read the email and then they do not have to do anything, is it possible to demonstrate whether an email was read or not?

       

      Lordmorgul, Sep 23rd, 2009 @ 8:37pm

      Re:

      The bank has no right to know who they sent that email to, but they have a responsibility to fix any losses incurred due to their own failures. Even if that information has 'seemingly' been used in identity theft the bank cannot prove it was due to this email, and if not then they have no rights to the email recipient's information.

       

        Anonymous Coward, Sep 23rd, 2009 @ 8:50pm

        Re: Re:

        Drawing an analogy to the law of trade secrets, the Uniform Trade Secrets Act, which has been codified in the laws of the majority of states, does not permit a recipient of obviously secret information that was accidentally disclosed and the accident apparent to the recipient to proceed "full speed ahead" without worry.

        See: Uniform Trade Secrets Act, Section 1, Clause 2.

         

          ChurchHatesTucker (profile), Sep 23rd, 2009 @ 9:17pm

          Re: Re: Re:

          "Drawing an analogy to the law of trade secrets, the Uniform Trade Secrets Act, which has been codified in the laws of the majority of states, does not permit a recipient of obviously secret information that was accidentally disclosed and the accident apparent to the recipient to proceed "full speed ahead" without worry. "

          Forgetting for a moment that those are stupid laws (that fly in the face of the whole concept of the patent process) which are dubious at best in this case, IT DOES NOT MATTER whom the bank sent the info to, and EVEN LESS what may be lawfully done with it. They have to assume it's already compromised. I shudder to think that they're hoping to somehow get the email back.

           

            Anonymous Coward, Sep 24th, 2009 @ 6:52pm

            Re: Re: Re: Re:

            " I shudder to think that they're hoping to somehow get the email back."

            Sure, that's what the second email was asking for... "We accidentally emailed you a file intended for someone else. Would you please be kind enough to email it back to us so we can send it to the correct person?"

             

    Anonymous Coward, Sep 23rd, 2009 @ 5:31pm

    Those bastards not only stole the identity of the intended recipient, they got his email as well!!

     

    DJ (profile), Sep 23rd, 2009 @ 5:50pm

    Tricare dealt with this

    A few years back (can't remember actually when) Tricare had a bunch of medical records of military personnel stolen. At first, that was the absolute extent of their knowledge. So what did they do? They sent out official notices to anyone whose records were stored at that facility basically saying "Your records MIGHT have been compromised. Keep an eye on your shit."
    So to cover their asses, RMB just had to notify the originally intended recipient; possibly offer some sort of ID theft recovery as well. There. End of story. No lawsuits are needed.
    "But DJ, that would require the bank to admit guilt!"
    Uhh..yeah. And?

     

    zcat (profile), Sep 23rd, 2009 @ 6:08pm

    --
    Disclaimer:
    By sending an email to any of my addresses you are agreeing that:
    1. I am by definition, "the intended recipient"
    2. All information in the email is mine to do with as I see fit and
    make such financial profit, political mileage, or good joke as it
    lends itself to.
    3. I may take the contents as representing the views of your company.
    4. This overrides any disclaimer or statement of confidentiality
    that may be included on your message.

     

      Anonymous Coward, Sep 23rd, 2009 @ 6:13pm

      Re:

      I need to add that as my signature to all my emails.

       

      Fred McTaker (profile), Sep 24th, 2009 @ 11:25am

      Re:

      For future reference, this legal notice trumps everyone else's legal footers:

      By sending an email to any of my addresses, or any lists that I am subscribed to, you are agreeing that:

      1. I am by definition, "the intended recipient"
      2. All information in the email is mine to do with as I see fit and make such financial profit, political mileage, or good joke as it lends itself to. In particular, I may quote it ruthlessly.
      3. I may take the contents as representing the views of your company.
      4. This overrides any disclaimer or statement of confidentiality that may be included on your message.
      5. Even if you only see this legal notice once, it still applies to all our communications.
      6. Unless the email is both signed and encrypted via PGP, with public/private key pairs that can only be attributed to two distinct owners, the real sender and recipient can never be determined with any certainty. All legal representations about any plain-text email are thus null and void, including this one.
      7. All hate mail will automatically be forwarded to please.arrest.me@fbi.gov

      Loosely derived from:
      http://discuss.joelonsoftware.com/default.asp?biz.5.588844.18


      To all Banks, everywhere: if the message isn't PGP encrypted using the intended recipients' Public Key(s), you can't be sure they will be the only readers. EMAIL IS NOT A MEDIUM FOR SENSITIVE INFORMATION, EVER. Email a link to an HTTPS/SSL encrypted site, and require secure authentication. You can't fix a breach afterwards, especially if you committed the breach.

       

      another mike (profile), Sep 25th, 2009 @ 12:27pm

      Re:

      This is going to be my e-mail server's new TOS.

       

    Anonymous Coward, Sep 23rd, 2009 @ 7:43pm

    "but it does seem a bit silly to have to bring someone else to court after you screwed up and sent the wrong email."

    If I make a mistake someone else has to pay. That pretty much sums up the American legal system in a nutshell.

     

      Anonymous Coward, Sep 23rd, 2009 @ 8:56pm

      Re:

      You know the bank isn't suing Google for monetary damages, right?

       

        Anonymous Coward, Sep 23rd, 2009 @ 10:12pm

        Re: Re:

        Never said they were. Stop putting words in my mouth.

         

          What?, Sep 24th, 2009 @ 6:24am

          Re: Re: Re:

          AC1 -> "If I make a mistake someone else has to pay."
          AC2 -> "You know the bank isn't suing Google for monetary damages right?"
          AC1 -> "Never said they were. Stop putting words in my mouth."

           

            Anonymous Coward, Sep 24th, 2009 @ 10:10am

            Re: Re: Re: Re:

            Ok, let me help correct your reading comprehension problem.

            Pay can have more than one meaning.

            "11. to suffer in retribution; undergo: You'll pay the penalty for your stubbornness! "

            http://dictionary.reference.com/browse/pay?r=75

            Given the context that should have been the meaning you chose.
            There, I hope this helps you in the future, now go forth and read with better reading comprehension.

             

              Anonymous Coward, Sep 24th, 2009 @ 10:15am

              Re: Re: Re: Re: Re:

              Another example

              "17. to suffer or be punished for something: The murderer paid with his life. "

              http://dictionary.reference.com/browse/pay?r=75

              There, are you happy? Do you not know that words can have more than one meaning in English? I know this is true in other languages too, so I won't buy the excuse that English is your third language either. In many languages one has to interpret the meaning of certain words based on the context. What, are you really that illiterate or something?

               

            Anonymous Coward, Sep 24th, 2009 @ 10:49am

            Re: Re: Re: Re:

            If you really are struggling to understand the meaning of words based on context there are many colleges and universities that offer English courses. I suggest you enroll. I'll even help you, give me your approximate location and I'll find the nearest one for you via Google Maps.

             

    DavisPrime (profile), Sep 23rd, 2009 @ 7:45pm

    Chances are the person that received it thought it was just phishing emails and deleted both emails without much thought.

     

    Jason, Sep 23rd, 2009 @ 7:57pm

    My question is why was the bank having this data in plain English upon an employee's computer in the first place, isn't there a data protection plan for their customers that doesn't include distributing files throughout the office with customers' Social Security numbers plainly available?

     

    Anonymous Coward, Sep 23rd, 2009 @ 9:03pm

    What if the bank had sent printed documents to the wrong recipient using the postal system, say, to the wrong PO Box (otherwise it'd be pretty obvious where to find the recipient)?

     

    G Thompson (profile), Sep 23rd, 2009 @ 10:46pm

    Everyone (including the bank no doubt) is assuming that the email recipient is a citizen of the USA.

    Though it's more likely they are than not, there is still the chance that they are not a US citizen and therefore not beholden to the Uniform Trade Secrets Act.

    Not only that but if they are a citizen of the EU or AU/NZ then Privacy laws are absolute and the bank has no actionable way to even do anything to the individual who could for example place the whole email onto Wikileaks.

    The Bank is liable and has a duty of care to its customers to assume that the data is now fully publicly available and to take all measures to secure further emails (encryption etc) to allay any fears that the customers have. The customers themselves have cause though to make a claim for negligence on the bank. That is most likely the real reason why the bank wanted the records sealed.

     

      Anonymous Coward, Sep 23rd, 2009 @ 10:55pm

      Re:

      "The Bank is liable and has a duty of care to its customers to assume that the data is now fully publicly available and to take all measures to secure further emails (encryption etc) to allay any fears that the customers have."

      I completely agree, but again, in America if I make a mistake someone else has to pay. That's the mentality that our legal system has encouraged and that's why all these entities hold such a mentality.

       

        Errrr, Sep 24th, 2009 @ 6:30am

        Re: Re:

        "in America if I make a mistake someone else has to pay. "

        pay what? how much?
        I thought the case was not about money

         

          Anonymous Coward, Sep 24th, 2009 @ 9:55am

          Re: Re: Re:

          Please understand the context of the conversation before you demonstrate your reading comprehension problems.

          Given the context, payment wasn't referring to paying money directly. It's referring to the privacy that the E - Mail address owner gives up as a result of the bank's mistakes. Other people have to suffer (pay) for the mistakes that the bank makes. The COST of the bank's mistakes is our privacy.

           

            Anonymous Coward, Sep 24th, 2009 @ 10:00am

            Re: Re: Re: Re:

            The made the mistake, the bank should have to pay to rectify the problem and ensure the user's privacy. Yes, that means the bank may have to do a little work and spend some time (time = money) but why waste everyone else's time (ie: Google's time, and time = money so Google is paying for the bank's mistakes, and the time of the ISPs as well if Google has to give up a hostmask and the ISP must look up the name, the risk of both these entities being sued for giving up private information, and then the person with the E - Mail address suffers because his/her privacy is given away against his/her for a mistake the bank made, so s/he has to pay) for a mistake the bank made.

            Because in America if I make a mistake someone else has to pay. That's basically what the laws in this country encourage and so entities have acquired this mentality.

             

              Anonymous Coward, Sep 24th, 2009 @ 10:07am

              Re: Re: Re: Re: Re:

              sp/The made the mistake/They made the mistake

              sp/against his/her for a mistake the bank made,/against his/her will for a mistake the bank made,

               

              again, more errrr., Sep 24th, 2009 @ 12:28pm

              Re: Re: Re: Re: Re:

              Who's getting paid now? Yoose guys keep confusing me. errrr.

               

      ..., Sep 24th, 2009 @ 6:28am

      Re:

      "Everyone (including the bank no doubt) is assuming that the email recipient is a citizen of the USA."

      Everyone?
      That is quite an assumption. It only takes one person who didn't think that in order to make the statement incorrect.

      btw, I did not assume it went to any particular country

       

    well, Sep 24th, 2009 @ 3:36am

    Whoever got it could embarrass the bank by simply posting something like:

    OK you want my identity...here it is..and to prove this isn't just a joke...here's the entire email posted in plain text!

    If I was the bank, I'd have sort of fessed up...asked Google to contact the recipient without telling me who they were and then offered some sort of "reward" for the person contacting the bank to help them sort the problem out.

    Obviously whatever has been lost goes way beyond a few bank account numbers or SNs, because the banks losing this type of stuff has become a regular running weekly joke (and they simply don't seem to care if it's 1 account lost or 1,000,000), so I'm guessing it's either a celebrity's embarrassing credit card statement or belongs to someone with real power that can do the bank A LOT of harm.
    Or possibly something to do with the stealing money from the recent bailout (but banks would never do that sort of thing surely? ) :)

     

    Anonymous Coward, Sep 24th, 2009 @ 4:32am

    Everyone assumes that this was an accident. What if it was not?

    What if the accident part is bank management discovering that the information was sent out and the rest is a cover up of a theft of sensitive information that can and will be used?

     

    Michael, Sep 24th, 2009 @ 5:03am

    Missing the point

    I think the bigger point is that someone (or everyone) at this bank thinks that emailing sensitive information is secure. Even if they were smart enough to type the correct email address, it seems like a massive security problem to be sending unencrypted sensitive information in an email.

    They have a much larger problem to worry about than finding the recipient of this information. They should be worrying about the hundreds of other emails full of sensitive information that could have been easily intercepted.

     

    RoyalWitCheese (profile), Sep 24th, 2009 @ 6:33am

    +1 for Google

    At least Google's stepping up to the plate for their users' privacy. Many companies would just hand over that info.

    BTW - This would make for a great phishing scam. Spam emails, then get the mail server host to release the names of all recipients.

     

    Josh in CharlotteNC (profile), Sep 24th, 2009 @ 8:52am

    What then?

    Has anyone at the bank figured out what they're going to do if they actually do get the person's name?

    Knock on his door and force him to delete the email? Have the police follow him around to make sure he doesn't do anything with the info?

    Assuming of course there's anything more than an IP address of the login to that Gmail account. When I signed up to Gmail, the only thing I remember inputting was another email address in case I forgot my password.

     

    Overcast (profile), Sep 24th, 2009 @ 9:51am

    That's what I was thinking Josh - even if this guy/girl replies and said 'sure, I deleted it' - how is there any real proof it was done?

    I guess the bank's gonna have to pony up for 'ID protection' or change account numbers, etc to attempt to reduce liability.

    If I would have gotten it, I really would just delete it - but who's to say what someone else might do if they get mine?

     

    Lonzo (profile), Sep 24th, 2009 @ 10:51am

    Very questionable

    It goes without saying that they can never get this information "back". I'm very concerned about their methods, and hope this is not SOP throughout the US banking system, because they cannot possibly rectify the situation by contacting this individual; in fact, the next "logical" step along the path they appear to be pursuing is to lock the recipient of the message in a cage, which, I would dearly hope, is legally impossible. This bank should have never even attempted to contact Google, much less have them ordered to disclose private information -- a fact that should be recognized by any sane judge. They should have simply fessed up (even made up some kind of story), contacted their customers and changed their ABA#s, Acct#s and whatever info they could -- SSNs are fairly easy to compromise anyway, from what I understand, so it's safe to assume one could find that info elsewhere. As it stands, the recipient of that mail has been compromised every bit as much as the customers whose account information has been fumbled. He will be open to unwanted and undeserved scrutiny by government agencies when he should not even have to bother with this situation. Any information he might have should have been rendered useless by now.

     

    ImTheOne, Sep 24th, 2009 @ 11:15am

    pls give out my ID...

    Google, pls give the bank my name and address. And tell the bank it will cost them $1m if they don't want me to forward the email to the world. ha ha

     

    bluecraze378, Sep 24th, 2009 @ 4:12pm

    I hate to say it but...

    For once, Google should be defended for their actions in this case. Clearly, the bank screwed up and should have to come up with good cause before hauling Google into court to get the information.

    Email companies should be fighting to protect the privacy of their customers, not revealing it at the drop of a hat. Sure, maybe if there were legal cause I could maybe see it in some very rare cases, but generally speaking, when people want private email communications they should be guaranteed the privacy they were promised by the email service so they don't have their account compromised by advertisers, hackers, identity thieves or by the government or courts snooping in on one's private conversations and data.

    Although, the concept that Gmail could be considered a "private email" service is kind of a ridiculous thought to begin with. They regularly harvest users' information for advertising and don't provide much of a defense from spam, scams, and identity thieves.

    I use PrivacyHarbor.com to avoid these sorts of issues altogether. They don't share your private information with anyone and don't mine your data for advertising. I also never get spam or people phishing to get my private data. It's a great service compared to what Gmail has to offer.

     

    another mike (profile), Sep 25th, 2009 @ 12:35pm

    reply all

    Why couldn't that employee just send a suggestive email to a female employee after clicking "Reply All" like a normal person? All this trouble about tracking down where you leaked your data.

     
