Below is an article from a recent issue of InformationWeek.com reporting on a federal civil case involving a Wyoming bank and Google Inc. The core issue running underneath the case is the definition of a data breach and when it should be disclosed. The plaintiff (Rocky Mountain Bank) wished to seal the court documents to prevent the publicizing of the breach.
A Rocky Mountain Bank employee inadvertently emailed a list of bank customers, along with account information, to a Gmail account belonging to an unknown party. The error was discovered the next day, and the bank employee attempted to remediate the problem by recalling the email and then sending a follow-up email instructing the unknown recipient to delete the email and file immediately.
Question: Do the account holders of the 1,325 individual and business accounts that were breached in error have an established right to notification before the bank can determine whether or not any illegality on the part of the recipient has occurred? The bank argued that there is no reason to panic. The court ordered otherwise. (A footnote to the denied order establishes that a breach occurred whether or not the data will be used for fraudulent purposes, and with or without a determination of the active or inactive status of the account.)
Question: Does Google have a mandate to inform the bank about the status of the email account, and possibly to provide additional contact information on file for the email account holder, if that action could prevent the illegal use of the mistakenly sent data? Or does the privacy of the email account user force Google to maintain a policy of requiring a court order before taking such action, which would result in a significant delay for the custodian of the information in seeking the assistance of law enforcement?
The court's denial of the bank's request to seal the docket was made in deference to established precedent that court documents are public record and should be sealed only when absolutely necessary. Breaches, the court found, do not qualify as absolutely necessary. Google, for its part, merely requested that its procedures for release of information be followed. Wouldn't Google's premature release of an email holder's name upon request, while not qualifying as a "breach" of personally identifying information, constitute a breach of trust? Email accounts, like most software, come with a fine-print user agreement.
However, Google's privacy policy reads as follows:
Information sharing
Google only shares personal information with other companies or individuals outside of Google in the following limited circumstances:
· We have your consent. We require opt-in consent for the sharing of any sensitive personal information.
· We provide such information to our subsidiaries, affiliated companies or other trusted businesses or persons for the purpose of processing personal information on our behalf. We require that these parties agree to process such information based on our instructions and in compliance with this Privacy Policy and any other appropriate confidentiality and security measures.
· We have a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to (a) satisfy any applicable law, regulation, legal process or enforceable governmental request, (b) enforce applicable Terms of Service, including investigation of potential violations thereof, (c) detect, prevent, or otherwise address fraud, security or technical issues, or (d) protect against harm to the rights, property or safety of Google, its users or the public as required or permitted by law. (Google Privacy Policy)
It seems that requiring a court order goes above and beyond what Google states in its published privacy policy. Nowhere does it say Google "must" have a court order to release information. Therefore, if fraudulent activity does occur as a result of this breach, it is possible to hold Google, Inc. somewhat liable for delaying action which could (possibly) have prevented or limited the resultant fraud.
The trade-offs in this case are not pleasant. The email account that received the transmission may not have been logged into in many months and could have been a "throw-away" email. Which group of people has the greater claim to privacy: the bank account holders or the Google email user?
Lawsuit Tied To Bank Gmail Error Can't Be Secret, Judge Says
A lawsuit seeking to identify a Gmail user who accidentally received confidential bank information must proceed in public.
By Thomas Claburn, InformationWeek
Sept. 21, 2009
URL: article link
A bank's effort to prevent the disclosure of information about a data breach arising from an errant Gmail message has been rejected by a federal judge in San Jose, California.
On Friday, Judge Ronald M. Whyte of the United States District Court for the Northern District of California, acting on behalf of another judge, denied a motion by the Wyoming-based Rocky Mountain Bank to seal its lawsuit against Google.
"An attempt by a bank to shield information about an unauthorized disclosure of confidential customer information until it can determine whether or not that information has been further disclosed and/or misused does not constitute a compelling reason that overrides the public's common law right of access to court filings," the judge said in his ruling.
The lawsuit seeks to force Google to reveal information about a Gmail account holder who received a misdirected e-mail sent by a bank employee.
The message, intended for a bank customer, included an attachment that should not have been sent, containing confidential customer information for 1,325 individual and business accounts, according to the court's summary of the case. The data in question is said to include names, addresses, tax identification numbers, and loan information.
According to the facts summarized in the judge's order (the actual complaint has not yet been made available in response to the judge's ruling), the bank employee attempted to e-mail loan statements to one of the bank's customers who had requested them. But the message went to the wrong person, with a confidential file attached.
"After learning of its inadvertent disclosure of confidential customer information, Plaintiff tried to recall the e-mail without success," the court's summary states. "It then sent another e-mail to the Gmail address, instructing the recipient to immediately delete the prior e-mail and the attached file in its entirety without opening or reviewing it. Plaintiff also requested that the recipient contact Plaintiff to discuss his or her actions. The recipient has not responded to Plaintiff's e-mail."
Representatives of Rocky Mountain Bank, based in Wilson, Wyoming, did not return repeated calls seeking either confirmation or denial of the bank's involvement in the lawsuit.
Neil Arney, an attorney for the plaintiff with the Denver, Colorado branch of law firm Kutak Rock, declined to provide any information about the case. Separately, a spokesperson for the firm said he had been instructed by attorneys working on the Rocky Mountain Bank case not to respond to media inquiries.
A clerk for the court said that the case was still sealed until the parties responded to the judge's order and declined to provide further information. The judge has allowed the Gmail address of the accidental recipient of the bank's data to be redacted in court documents.
Rocky Mountain Bank filed its lawsuit because it asked Google to provide information about the account holder who received the errant message and Google declined to provide any information without a court order.
Google said that it is waiting for the bank to comply with the judge's order that it resubmit its filing before deciding on a response.
"When Google receives legal process, such as court orders and subpoenas, where possible we promptly provide notice to users to allow them to object to those requests for information," a company spokesperson said in an e-mailed statement. "In this case, RMB must comply with proper court process, and the court has required it to resubmit its papers. Once we have a chance to review these papers, we will determine our response."
The judge's ruling sets Monday, September 21, as the deadline for the plaintiff to resubmit the filing.