Google Destroyed Missent Bank Info Email Unopened… As More Legal Questions Are Raised

from the still-doesn't-make-sense dept

Last week, Google was ordered to deactivate someone’s Gmail account, because Rocky Mountain Bank had totally screwed up and sent the Gmail account holder an email by accident, which contained all sorts of confidential information. It’s still not at all clear how Rocky Mountain Bank made such a monumental screw up, but we’ll leave that aside for now. On Monday, the two companies asked the judge for permission to restore the email, after they realized that the email in question had never been opened, and Google had deleted it from its servers. Case closed?

Well… not so fast. Paul Alan Levy, from Public Citizen, sees a number of serious problems with the whole episode, starting with the legal complaint in the first place — which offered no opportunity for the email account user to speak up and argue for his or her own rights, against having the account deactivated. But just the legal proceedings themselves suffered from some serious problems:

First, the complaint. Rocky’s complaint is based on the contention that, having botched its obligation to keep its own customers information secret, it was obligated under various state and federal banking regulations to seek to recover the information and prevent its further dissemination. The complaint further alleges that regulatory officials expressed their endorsement of efforts by the Bank to protect the confidentiality of the information. The complaint sought a declaratory judgment that Rocky Mountain was entitled to information about the account holder, and that Google was obligated to prevent use of the information sent to the account. It sought an injunction enjoining Google and the account holder from accessing or distributing the information mistakenly sent to the email account, and compelling Google to identify the account holder. But curiously absent from the complaint was any allegation about how either Google or the owner of the gmail account had violated the plaintiff’s rights, or any assertion of a cause of action against either Google or the anonymous account holder, that would form the basis for granting relief against either. Nor did Rocky Mountain’s papers explain why section 230 of the Communications Decency Act entitled it to bring an action against Google, or to obtain any relief against Google, even assuming that it had a claim against the gmail account holder. Without a cause of action and without a violation of the plaintiff’s rights, why was Rocky Mountain entitled to relief, and why should the defendants be subjected to an injunction? Neither the complaint, nor the brief in support of the TRO, explains this.

Second, the lack of federal court jurisdiction. Although the complaint identified only Google as a defendant, Rocky Mountain asked for relief against the anonymous gmail account holder, which is obviously, therefore, a defendant just as Google was. Indeed, if either Google or the account holder was the right defendant here, it is the account holder. But this poses a serious problem, because the law is clear that a Doe defendant cannot be sued under diversity jurisdiction. If there had been any party with any incentive to protect the Doe’s rights in this case, that party could have pointed this jurisdictional defect out to the Court, which would therefore have been obligated to dismiss the case instead of issuing a TRO.

Oops. And, from there, Levy also wonders why Google was so quick to roll over without trying to defend the user’s rights:

Rocky Mountain’s papers recount that it asked Google for help freezing the account and identifying the account holder but that Google refused to do so without “a valid third party subpoena or other appropriate legal process.” Yet despite the filing of plainly defective papers, there is no indication in the publicly filed papers that Google either opposed the requested order or insisted that it be given the opportunity to notify the Doe gmail user so that he or she could obtain counsel and oppose the requested order. Nor do the papers contain any discussion of efforts to notify either Google or the anonymous user about the requested order, even though Rule 65(b)(1) of the Federal Rules of Civil Procedure requires either notice to the parties sought to be enjoined, or a compelling explanation of why notice was not possible. (Because the Bank noticed the problem on August 13, and waited until September 17 to file its suit, it is hard to believe that a few more days’ delay to give proper notice would have been catastrophic). And within a day of the issuance of the order (one day before the compliance deadline), Google provided the court with a document explaining how it had complied with the TRO and asked, jointly with Rocky Mountain, that the TRO be vacated.

Indeed. It’s certainly understandable why everyone wanted to make sure the data was not compromised, and in this case, it sounds like the account in question was probably inactive or rarely used (or the email went to spam). So everything may have ended up okay. But that’s no excuse for potential violations of an individual’s rights in trying to correct a mistake by the bank.

Filed Under: , , ,
Companies: google, rocky mountain bank

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Google Destroyed Missent Bank Info Email Unopened… As More Legal Questions Are Raised”

Subscribe: RSS Leave a comment
slackr (profile) says:

Re: Re:

I agree, this should terrify all users of gmail or even of google’s services, obviously their prioritites lie in appeasing those companies with money and influence. I would have thought that this raises an issue of who actually ‘owns’ the email account for services such as these and where the lines of privacy/ownership get drawn for cases such as these.

In a way it is nice that the email address is domant because this process can be hammered out without some poor Joe Bloggs stuck in the middle. The principles and actions can and should be scrutinised (as they are slowly being) to avoid these cases becoming more prevalent everytime a company screws up monumentally.

Joe says:

Re: Re: Re:

^ “I agree, this should terrify all users of gmail or even of google’s services, obviously their prioritites lie in appeasing those companies with money and influence.”

Did I miss something? Google didn’t want to give anything out, they only took action upon court order. How are they appeasing a company with money and influe- oh, I suppose if you count the courts/government as a business.

Robert says:

Could this be done intentionally?

Could a company intentionally mailbomb another company with confidential information… then go to the ISP and have their email system shut down on the same basis?

This could potentially be a war like method of hampering the competitions productivity.

I wonder if this “loophole” can be misused or taken advantage of. Most companies would crumble in hours if their mail servers were unplugged as part of a court order.

Seems easy enough to pull off too. If spammers can send millions of emails via a cheap dedicated server, why couldn’t a competitor?

Anonymous Coward says:

Re: Could this be done intentionally?

Could a company intentionally mailbomb another company with confidential information… then go to the ISP and have their email system shut down on the same basis?

You’re overlooking the fact that it takes a court order and most judges apply a different standard to companies than they do to individuals: They’ll screw an individual over in ways that they’d never dream of doing to a company.

Overcast (profile) says:

Re: Re:

Obviously the bank was at fault. Why is anyone else being punished? And why ISN’T the bank?

To me, it just seems like it’s a case of “a big oops happened, now someone has to pay. How can we engineer that?”

Well, banks contribute big to political campaigns. Banks get away with things like ‘payroll’ advances while they try to pay off legislators to ban competition. It’s because bankers bascially run this greedy world, so they get their way.

If there are a couple things anyone should learn about this:

1. DO NOT use Google for ANY sensitive email at all period – I have already changed my bank over to another email address – my ISP.

2. Avoid that bank at all costs – if they screw up, they’ll do a half-ass job at protecting you – I for one, would certainly not consider this case ‘closed’ just because Google supposedly deleted an ‘unread’ email.

Fred McTaker (profile) says:

Re: Re: Re:

“1. DO NOT use Google for ANY sensitive email at all period – I have already changed my bank over to another email address – my ISP.”

Ha! If you trust your ISP any more than Google, then you fail at life. The point is not to send ANY unencrypted confidential data over insecure (read: ALL) lines. Anything short of end-to-end encryption can’t be considered confidential. If you think your ISP wont go into CYA mode the moment they get a court order, you’re bound for disappointment.

“2. Avoid that bank at all costs”

The is the real lesson to be learned. You can’t fault any business for following court orders. You can only fault the business who distributes confidential information willy-nilly over insecure means.

You can’t blame IE for that spyware you click-installed, you can’t blame email for that drunken rant to your ex, and for the same reasons no one can blame Google for anything that happened in this Bank vs. Doe case.

Fred McTaker (profile) says:

Re: Why are they emailing such information?

@dwind: Your statement carries the assumption that physical mail is any more secure than electronic messaging, and that assumption is false. There’s plenty of ways to surreptitiously read both mediums, without either the sender or receiver knowing about it. Faxes and phones can also be tapped, and thus are equally insecure. The only safe form of communication is encrypted messaging, where the receiver has exclusive access to the primary key. PGP and SSL are the standard methods, and can be applied to any medium, though they are applied most easily to email and web communications.

rwahrens (profile) says:

Re: Why are they emailing such information?

I regularly tell my customers that regarding email, if they don’t want to read it on the front page of the Washington Post tomorrow, don’t email it. Of course, using encryption is really the answer, but most people don’t know how to use it, and our employer doesn’t encourage confidential information to be sent via email anyway.

It is safer just to deliver it personally or via secure messenger.

Anonymous Coward says:

Per Gmail TOS (

“4.3 As part of this continuing innovation, you acknowledge and agree that Google may stop (permanently or temporarily) providing the Services (or any features within the Services) to you or to users generally at Google’s sole discretion, without prior notice to you. You may stop using the Services at any time. You do not need to specifically inform Google when you stop using the Services.

4.4 You acknowledge and agree that if Google disables access to your account, you may be prevented from accessing the Services, your account details or any files or other content which is contained in your account.”


“8.3 Google reserves the right (but shall have no obligation) to pre-screen, review, flag, filter, modify, refuse or remove any or all Content from any Service. For some of the Services, Google may provide tools to filter out explicit sexual content. These tools include the SafeSearch preference settings (see In addition, there are commercially available services and software to limit access to material that you may find objectionable.”

Although I find this episode to have been handled quite badly, I don’t think Google did anything wrong. Per their TOS, everything they did was well within their own power legally. I sort of remember reading this years ago when I signed up and it didn’t really bother me then and it doesn’t really bother me now. It’s not like I rely on my email account to perpetually store confidential info. I save copies of important emails locally on my computer and really only would keep copies in my email account for convenience sake. Overall, I think the only person who screwed up here is the bank and that is where the focus should be.

Anonymous Coward says:

Re: Re:

It doesn’t matter if it’s legal or not. The implication is that they’re suspending your service because either 1) you did something wrong or 2) they just don’t want to continue providing the service (to anyone). If they said “hey, we decided you can’t have an email with us because we read your messages and determined you’re a Jew” there’s no TOS that’s going to prevent a lawsuit.

In this case, while Google may not be at fault and while there may not be a legal recourse (I seriously hope there’s a way to countersue the bank, and/or get the stupid judge some sort of reprimand… too bad judges are pretty much gods) it’s still bad for business.

Anonymous Coward says:

Re: Re:

Although I find this episode to have been handled quite badly, I don’t think Google did anything wrong. Per their TOS, everything they did was well within their own power legally.

Nobody’s claiming that they did anything illegal. But if you think that nothing that’s legal can be wrong, then you’ve got some moral issues.

slackr (profile) says:

Thanks for the TOS

Seeing the TOS posted makes it clear that Google had the power to do what they did, however it still worries me that just because it is sensitive commercial information that somehow that allows a company/bank to get a court order to make Google act.

Does this mean the next time I hit send on some innappropriate email if I’ve got the $$$ I can get it deleted by court order? What did the bank prove to the court that forced Google to act?

The banks system failed, no one elses. As Scarr pointed out: “I haven’t seen anyone ask what this would mean if the email was accidentally sent to a personally owned URL”. Does this mean my website host has the same power as Google in this sort of case?

Overcast (profile) says:

Re: Re:

This whole thing has been an insipid waste of time, including ours for following it. Google should have seen the email was unread, and deleted it off its servers once validating the sender. Case closed.

But are there email clients that can ‘read’ the email and not mark it read (like as in the preview pane in Outlook)? Or can they tell if you change the email back to ‘unread’?

If it was my account, I would close it immediately.

Anonymous Coward says:

Re: Re:

I agree, I think everyone is making an entirely too big issue out of what Google did.

No matter what Google does they’re faced between a rock and a hard spot. If they do nothing they can be accused of allowing sensitive information to be revealed to someone unnecessarily. That can cost them damages. If they do something, like temporarily disable the account or delete the E – Mail, that can also be a privacy issue. Google, as far as I can tell, ALMOST did the right thing, the only thing they should have done better is instead of closing the account altogether, find the specific E – Mail (ie: write some software to look for it without anyone having to read any other E – Mail) and delete only that specific E – Mail after ensuring it hasn’t been read.

This isn’t rocket science. Google appealing the process opens the door to the recipient reading the E – mail since appeals waste more time. That can be more liability for Google. They have to mitigate the damages ahead of time and they did. Stop being so hard on Google. BANK OF AMERICA SCREWED UP, NOT GOOGLE!!!!

Eli (profile) says:

Since we’re not ever going to see the Doe come forward in this case to actually stand up for their rights, who has the right to file on their behalf for damages? It would be nice to see the bank and google each forced to pony up to fund a legal scholarship for someone wanting to study Copyright/IP law.

Of course, that raises the issue of ‘what are fair damages?’ – individuals and corporations are extremely different when it comes to what actual dollar figures represent so it seems the only fair way to determine this would be to say that the Doe was offlined for x days. The bank and Google should each be required to pay (x/365)*(GrossEarnings), effectively offlining them for those days as well.

If there’s no fiscal consequences, there’s no incentive for this not to become a DoS attack.

Graham says:

Banks responsibility

It seems to me that the bank should be held to account for lack of effective data protection measures? They should not be e-mailing that kind of detail to ANYONE. Furthermore they should not be ABLE to e-mail that kind of detail. A complete breakdown of IT security policy, practice and systems … THAT is what should be in the courtroom !!

Andrew says:

Missing the Point

This isn’t about what Google did. Any company would, it was a court order. The fact that the court issued the order is the disturbing part.

What if the email had been opened? Should they search this person’s personal computer? Perhaps the person printed it. Their house must be searched! Perhaps they gave a copy to their friend or YOU!

If the government ever needs probable cause to search you or your belongings they can now just text you something sensitive by “accident”.

In my opinion the gmail account holder has done nothing wrong and until they do something illegal with the data they should be left alone. If the user wants to save the data, or incorporate it into their latest work of art and hang it on their wall, or whatever, if it’s not illegal then the government should keep out.

Once the bank has suffered actual damages or a law has been broken then the courts should get involved.

Anonymous Coward says:

Re: Missing the Point

This isn’t about what Google did. Any company would, it was a court order.

Google happily choose to not exercise their legal option to contest the order. You’re saying any company would do that? I’m saying you’re full of it. Some companies would exercise their legal options.

The fact that the court issued the order is the disturbing part.

There’s more than one disturbing aspect to this story. Google’s behavior is also one of them.

Griff (profile) says:

Think your ISP is better ?

Google have the size and legal power to at least resist until court order.
Many small ISP’s would probably have rolled over with no court order when suits froma major bank came knocking.

I’m leaving my mail with Google where I can see they will at least hold out until forced by law.

(I think the law is what was at fault here, but Google have to follow it).

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...