Bank Sends Confidential Email To Wrong Address, Hauls Google To Court To Figure Out Who Got The Email

from the grab-some-popcorn dept

Everyone does it at some point: you send an email to the wrong person. Hopefully the content isn’t that bad or important — but it happens. However, when a Wyoming bank, Rocky Mountain Bank, accidentally sent confidential and sensitive information to the wrong Gmail account, the bank ended up taking Google to court to find out the identity of the individual. The bank had tried emailing the wrong address again, but got no response. Google, naturally, refused to just give up the name of the person without a court order — so the bank went to court. It also tried to have the case sealed, but the judge has rejected that idea. You can certainly understand the bank’s concern here, but it does seem a bit silly to have to bring someone else to court after you screwed up and sent the wrong email.

Companies: google, rocky mountain bank


Comments on “Bank Sends Confidential Email To Wrong Address, Hauls Google To Court To Figure Out Who Got The Email”

47 Comments
GJ (profile) says:

it does seem a bit silly to have to bring someone else to court after you screwed up and sent the wrong email.

Ok, serious question for you Mike: How else would they find out who received the email?

Google, rightfully so, doesn’t want to give the info without a court order, and the bank, rightfully so, has to cover its ass(ets) and get the information.

What other course of action does the bank have?

This, for once, seems like a legit (pardon the pun) reason for using the court system.

–GJ–

Lordmorgul says:

Re: Re:

The bank has no right to know who they sent that email to, but they have a responsibility to fix any losses incurred due to their own failures. Even if that information has ‘seemingly’ been used in identity theft the bank cannot prove it was due to this email, and if not then they have no rights to the email recipient’s information.

Anonymous Coward says:

Re: Re: Re:

Drawing an analogy to the law of trade secrets, the Uniform Trade Secrets Act, which has been codified in the laws of the majority of states, does not permit a recipient of obviously secret information that was accidentally disclosed and the accident apparent to the recipient to proceed “full speed ahead” without worry.

See: Uniform Trade Secrets Act, Section 1, Clause 2.

ChurchHatesTucker (profile) says:

Re: Re: Re: Re:

“Drawing an analogy to the law of trade secrets, the Uniform Trade Secrets Act, which has been codified in the laws of the majority of states, does not permit a recipient of obviously secret information that was accidentally disclosed and the accident apparent to the recipient to proceed “full speed ahead” without worry.”

Forgetting for a moment that those are stupid laws (that fly in the face of the whole concept of the patent process) which are dubious at best in this case, IT DOES NOT MATTER whom the bank sent the info to, and EVEN LESS what may be lawfully done with it. They have to assume it’s already compromised. I shudder to think that they’re hoping to somehow get the email back.

DJ (profile) says:

Tricare dealt with this

A few years back (can’t remember actually when) Tricare had a bunch of medical records of military personnel stolen. At first, that was the absolute extent of their knowledge. So what did they do? They sent out official notices to anyone whose records were stored at that facility basically saying “Your records MIGHT have been compromised. Keep an eye on your shit.”
So to cover their asses, RMB just had to notify the originally intended recipient; possibly offer some sort of ID theft recovery as well. There. End of story. No lawsuits are needed.
“But DJ, that would require the bank to admit guilt!”
Uhh..yeah. And?

zcat (profile) says:


Disclaimer:
By sending an email to any of my addresses you are agreeing that:
1. I am by definition, “the intended recipient”
2. All information in the email is mine to do with as I see fit and
make such financial profit, political mileage, or good joke as it
lends itself to.
3. I may take the contents as representing the views of your company.
4. This overrides any disclaimer or statement of confidentiality
that may be included on your message.

Fred McTaker (profile) says:

Re: Re:

For future reference, this legal notice trumps everyone else’s legal footers:

By sending an email to any of my addresses, or any lists that I am subscribed to, you are agreeing that:

1. I am by definition, “the intended recipient”
2. All information in the email is mine to do with as I see fit and make such financial profit, political mileage, or good joke as it lends itself to. In particular, I may quote it ruthlessly.
3. I may take the contents as representing the views of your company.
4. This overrides any disclaimer or statement of confidentiality that may be included on your message.
5. Even if you only see this legal notice once, it still applies to all our communications.
6. Unless the email is both signed and encrypted via PGP, with public/private key pairs that can only be attributed to two distinct owners, the real sender and recipient can never be determined with any certainty. All legal representations about any plain-text email are thus null and void, including this one.
7. All hate mail will automatically be forwarded to please.arrest.me@fbi.gov

Loosely derived from:
http://discuss.joelonsoftware.com/default.asp?biz.5.588844.18

To all Banks, everywhere: if the message isn’t PGP encrypted using the intended recipients’ Public Key(s), you can’t be sure they will be the only readers. EMAIL IS NOT A MEDIUM FOR SENSITIVE INFORMATION, EVER. Email a link to an HTTPS/SSL encrypted site, and require secure authentication. You can’t fix a breach afterwards, especially if you committed the breach.

Anonymous Coward says:

Re: Re: Re:2 Re:

Ok, let me help correct your reading comprehension problem.

Pay can have more than one meaning.

“11. to suffer in retribution; undergo: You’ll pay the penalty for your stubbornness! “

http://dictionary.reference.com/browse/pay?r=75

Given the context that should have been the meaning you chose.
There, I hope this helps you in the future, now go forth and read with better reading comprehension.

Anonymous Coward says:

Re: Re: Re:3 Re:

Another example

“17. to suffer or be punished for something: The murderer paid with his life. “

http://dictionary.reference.com/browse/pay?r=75

There, are you happy? Do you not know that words can have more than one meaning in English? I know this is true in other languages too, so I won’t buy the excuse that English is your third language either. In many languages one has to interpret the meaning of certain words based on the context. What, are you really that illiterate or something?

G Thompson (profile) says:

Everyone (including the bank no doubt) is assuming that the email recipient is a citizen of the USA.

Though it’s more likely they are than not, there is still the chance that they are not a US citizen and therefore not beholden to the Uniform Trade Secrets Act.

Not only that but if they are a citizen of the EU or AU/NZ then Privacy laws are absolute and the bank has no actionable way to even do anything to the individual who could for example place the whole email onto Wikileaks.

The Bank is liable and has a duty of care to its customers to assume that the data is now fully publicly available and to take all measures to secure further emails (encryption etc) to allay any fears that the customers have. The customers themselves have cause though to make a claim for negligence on the bank. That is most likely the real reason why the bank wanted the records sealed.

Anonymous Coward says:

Re: Re:

“The Bank is liable and has a duty of care to its customers to assume that the data is now fully publicly available and to take all measures to secure further emails (encryption etc) to allay any fears that the customers have.”

I completely agree, but again, in America if I make a mistake someone else has to pay. That’s the mentality that our legal system has encouraged and that’s why all these entities hold such a mentality.

Anonymous Coward says:

Re: Re: Re: Re:

Please understand the context of the conversation before you demonstrate your reading comprehension problems.

Given the context, payment wasn’t referring to paying money directly. It’s referring to the privacy that the E-Mail address owner gives up as a result of the bank’s mistakes. Other people have to suffer (pay) for the mistakes that the bank makes. The COST of the bank’s mistakes is our privacy.

Anonymous Coward says:

Re: Re: Re:2 Re:

They made the mistake, the bank should have to pay to rectify the problem and ensure the user’s privacy. Yes, that means the bank may have to do a little work and spend some time (time = money) but why waste everyone else’s time (ie: Google’s time, and time = money so Google is paying for the bank’s mistakes, and the time of the ISPs as well if Google has to give up a hostmask and the ISP must look up the name, the risk of both these entities being sued for giving up private information, and then the person with the E-Mail address suffers because his/her privacy is given away against his/her for a mistake the bank made, so s/he has to pay) for a mistake the bank made.

Because in America if I make a mistake someone else has to pay. That’s basically what the laws in this country encourage and so entities have acquired this mentality.

well says:

Whoever got it could embarrass the bank by simply posting something like:

OK you want my identity…here it is..and to prove this isn’t just a joke…here’s the entire email posted in plain text!

If I was the bank, I’d have sort of fessed up…asked google to contact the recipient without telling me who they were and then offered some sort of “reward” for the person contacting the bank to help them sort the problem out.

Obviously whatever has been lost goes way beyond a few bank account numbers or SN’s, because the banks losing this type of stuff has become a regular running weekly joke (and they simply don’t seem to care if it’s 1 account lost or 1,000,000), so I’m guessing it’s either a celebrity’s embarrassing credit card statement or belongs to someone with real power that can do the bank A LOT of harm.
Or possibly something to do with the stealing money from the recent bailout (but banks would never do that sort of thing surely? ) 🙂

Michael (profile) says:

Missing the point

I think the bigger point is that someone (or everyone) at this bank thinks that emailing sensitive information is secure. Even if they were smart enough to type the correct email address, it seems like a massive security problem to be sending unencrypted sensitive information in an email.

They have a much larger problem to worry about than finding the recipient of this information. They should be worrying about the hundreds of other emails full of sensitive information that could have been easily intercepted.

Josh in CharlotteNC (profile) says:

What then?

Has anyone at the bank figured out what they’re going to do if they actually do get the person’s name?

Knock on his door and force him to delete the email? Have the police follow him around to make sure he doesn’t do anything with the info?

Assuming of course there’s anything more than an IP address of the login to that gmail account. When I signed up to gmail, the only thing I remember inputting was another email address in case I forgot my password.

Overcast (profile) says:

That’s what I was thinking Josh – even if this guy/girl replies and said ‘sure, I deleted it’ – how is there any real proof it was done?

I guess the bank’s gonna have to pony up for ‘ID protection’ or change account numbers, etc to attempt to reduce liability.

If I would have gotten it, I really would just delete it – but who’s to say what someone else might do if they get mine?

Lonzo (profile) says:

Very questionable

It goes without saying that they can never get this information “back”. I’m very concerned about their methods, and hope this is not SOP throughout the US banking system, because they cannot possibly rectify the situation by contacting this individual; in fact, the next “logical” step along the path they appear to be pursuing is to lock the recipient of the message in a cage, which, I would dearly hope, is legally impossible. This bank should have never even attempted to contact Google, much less have them ordered to disclose private information, a fact that should be recognized by any sane judge. They should have simply fessed up (even made up some kind of story), contacted their customers and changed their ABA#s, Acct#s and whatever info they could. SSNs are fairly easy to compromise anyway, from what I understand, so it’s safe to assume one could find that info elsewhere. As it stands, the recipient of that mail has been compromised every bit as much as the customers whose account information has been fumbled. He will be open to unwanted and undeserved scrutiny by government agencies when he should not even have to bother with this situation. Any information he might have should have been rendered useless by now.

bluecraze378 says:

I hate to say it but...

For once, Google should be defended for their actions in this case. Clearly, the bank screwed up and should have to come up with good cause before hauling Google into court to get the information.

Email companies should be fighting to protect the privacy of their customers, not revealing it at the drop of a hat. Sure, maybe if there were legal cause I could maybe see it in some very rare cases, but generally speaking, when people want private email communications they should be guaranteed the privacy they were promised by the email service so they don’t have their account compromised by advertisers, hackers, identity thieves or by the government or courts snooping in on one’s private conversations and data.

Although, the concept that Gmail could be considered a “private email” service is kind of a ridiculous thought to begin with. They regularly harvest users’ information for advertising and don’t provide much of a defense from spam, scams, and identity thieves.

I use PrivacyHarbor.com to avoid these sorts of issues altogether. They don’t share your private information with anyone and don’t mine your data for advertising. I also never get spam or people phishing to get my private data. It’s a great service compared to what Gmail has to offer.
