Google, Rocky Mountain Bank Ask Judge To Restore Deactivated Gmail Account
from the bring-'er-back dept
Last week, we noted that a court had ordered Google to shut down a Gmail account of a user who had accidentally been emailed confidential information by Rocky Mountain Bank. The two companies have now both asked the judge to reinstate the Gmail account, saying that the original request is now “moot.” The article notes that the judge has adjourned the case until next week, so the account will remain deactivated until then. Still, it’s not at all clear why the issue is now “moot.” Did Google delete the email in question? Was it determined that the account itself was dormant? It would seem like these details are relevant, and not anything that would need to be hidden.
Filed Under: confidential information, court order, deactivated, email
Companies: google, rocky mountain bank
Comments on “Google, Rocky Mountain Bank Ask Judge To Restore Deactivated Gmail Account”
What?
“Still, it’s not at all clear why the issue is now “moot.” “
Because it was *always* moot. Once the info was compromised, it was… what’s the word? Let me think… Oh yeah… Compromised! You can’t get the bits back.
Moot Smoot
Regardless of how moot, obviously it is in the best interests (now) to try and make this terrible decision “go away”. I’m glad that the judge has adjourned it and I hope in the interveening time both parties are forced to disclose why suddenly they’ve had a change of heart.
If it was a technical issue and Google was able to act without this court drama then good, we’ll know for next time. However it is very disturbing how this case played out so easily without any involvement of the person who’s account was in question!
Re: Moot Smoot
“If it was a technical issue and Google was able to act without this court drama then good, we’ll know for next time”
How is it a ‘technical issue?’ It was a data security issue. From the start. The court basically impounded a cab because some doofus might have left his wallet there.
Yes, good that the court is undoing the damage it wrought. But not exactly a shining moment in jurisprudence.
If the account is dormant, why bother reactivating it?
Tricky Problem
At what point does a person’s individual rights run up against “the common good”? A lot of law is about this issue.
In this case, the judge has to measure the inconvenience of temporarily locking down a single, free, consumer-level, non-SLA’d email account against the possible substantial and widespread financial damage to a very large group of other people, resulting from an accident at the bank.
With electronic data, you have to act quickly or not at all. This buys Google enough time to run the logs to see if that data has spread (ie: has anyone/anything accessed the account, has the account forwarded the data). If the data has been SMTP’d, POP’d, or IMAP’d, locking the account is moot. If not and Google deletes the data, locking the account is also moot.
No offense to the account holder, but if *my* data was in that pile, I’d prefer that their account be temporarily locked, while the data is tracked and removed.
And the bank would be hearing from my lawyer.
Re: Tricky Problem
“In this case, the judge has to measure the inconvenience of temporarily locking down a single, free, consumer-level, non-SLA’d email account against the possible substantial and widespread financial damage to a very large group of other people, resulting from an accident at the bank.”
Is the sky blue in your world?
Here on earth, once the data was compromised, it was (say it with me) COMPROMISED. You have to assume you sent it to Osama Bin Laden and act accordingly. The fact that Rocky Mountain Bank wasted time with this, and the fact that the judge did likewise, undermines the credibility of both. I sure as shit won’t be setting up an account with RMB any time soon.
Perhaps the confidential info is now outdated enough to be harmless.
Perhaps it was more widely sent...
Perhaps it was more widely sent than to just this single account or perhaps the recipient was the INTENDED one?
Bolted. Gate. Horse.
If the email was encrypted then there should never have been a problem.
If the email was not encrypted, then shutting down the Google account achieved nothing. Every SMTP relay that the email hit between the bank and Google would also have a copy of the data. If the user had already downloaded the email via POP or IMAP (or just saved the attachment), then they would have a local copy in addition to the copy on Google’s servers.
Purging records is remotely conceivable in the context of a corporate intranet. On the general internet? Pointless waste of time.
Re: Bolted. Gate. Horse.
@Nick: Although in theory emails passing through SMTP are loggable as you mention, in practice intermediate SMTP servers delete queued mails more or less immediately after relaying. Sure, it’s even then _possible_ to retrieve it, but it’s the kind of thing that requires both lots of effort, and knowledge that it did pass through your particular server.
Moreover, the only SMTP servers likely to be involved in this are those of the bank, and those of google, so all parties that would need to be involved with scrubbing them are already involved.
Re: Re: Bolted. Gate. Horse.
Yep once that genii is out of the bottle you can’t stuff it back in.
The bank needs to assume that the file has escaped and is in the wrong hands regardless of what they think they know. If the file has escaped they are doing what they need to do and if the file hasn’t escaped they have taken prudent action where they can’t be 100% certain.
Maybe...
Maybe the owner of the account finally replied to his emails. It could be that he complained to Google about this misconduct by this Judge on behalf of some bank who failed to keep it’s secrets a secret. Just imagine what could happen if the owner starts to file for damages simply because this bank “forced” his account to be closed! He was never responsible for this error and should never suffer from the irresponsibilities of this bank!
Still, it amazes me that the recipient never published this data in any way, nor did he ever draw attention to himself. Or maybe he finally did, to Google and this bank, threatening some legal actions against these two for violating his privacy, first amendment rights and whatever more. Losing 1300 account records is bad, losing a lot more in damages for some civil case would really be worse. I think this bank already has more than enough damage to it’s reputation and therefor wants to stop it.
Re: Maybe...
More likely the user flagged the email as spam when he recieved it without ever reading it, and after a couple days the spam folder was emptied.
Of course.. we’ll never know.. unless someone (google.. the court.. the bank…) tells us.
But why would they want to do that?
Why it's moot
As per the court order, Google turned over the personal information of the account holder to Rocky Mountain Bank, and RMB’s hit squad, a.k.a. their “Leaked Information Containment Unit”, has terminated the account holder.
Moot
I’m not sure how deactivating the account was expected to help things. Either the email was read by the recipient, or it was not. Meanwhile, what if someone cracked the WPA key to the recipient’s Wifi? Bluejacked his smartphone? What if he simply wrote down his password somewhere in his office, and now a malicious coworker has access to his account? It doesn’t matter– the damage has been done; the people whose information has been leaked should be informed, their account information changed. The information sent to that gmail should -no longer be useful-.
violation of every information security policy known
Why was RMB able to send critical sensitive financial data out of their systems at all? And not only send it out, but e-mail it out as an attachment to an unsigned unencrypted free e-mail account. And to top it off, they typoed the address to send it to the wrong person!
Rocky Mountain Bank’s account holders need to seriously reconsider their choice of financial services partner. I’ve changed banks simply because I didn’t like their color scheme. But to so thoroughly screw up data security?! I’d be gone so fast the shockwave would pull the vault door off it’s hinges.
Maybe because of the publicity?
Maybe they mean the points moot because knowledge of their screw up has gotten out to the ‘general population’. Meaning us…
Once they realized someone noticed, and that their clients might have heard about their screw up, they decided to contact them all, as they should have in the first place. Now their hoping to avoid further potential legal damages by getting the account reactivated.
I’m just throwing another idea out there everyone. I don’t know this is the reason. But it seems reasonable.
Re: Maybe because of the publicity?
I find this most likely. They were hoping to pretend it never happened, and when it got out to the general population, they had to fix it the right way.
In any event, the only thing I learned from this is that RMB is run by a bunch of douche canoes.
Seems this bank has a history of bad practice
If this is the same bank as:
http://www.fdic.gov/bank/individual/enforcement/2009-04-06.pdf
Then God help ’em cause the Feds sure won’t.
-Ross
You missed the point
I think you all have missed the point. The question is – why did the bank use an inherently insecure protocol to transfer their customers’ private information over? Do they not have to abide by SOX laws?
newest jordan shoes
Hey dear your blog is very much rocking and stunning. This blog has main attraction and high quality features.