2009-09-25

Rocky Mountain Bank - Our Mistake = No Gmail For You

This is just beyond ridiculous and insulting.

Wyoming-based Rocky Mountain Bank made a big error, sending a list of highly personal information (including names, social security numbers, and loan information) to the wrong Gmail account. A rather big whoops, but there it is.

When they discovered their mistake, they sent another message to that account to ask the owner not to view the previous message. Probably not the most correct course of action — could they trust the person to be honest, even if they said they deleted it without reading it? It would've been wiser to consider the information already compromised, and to take steps to protect the compromised accounts and their owners' identities (e.g., one of my lenders paid for credit monitoring for me for a time when they had a security breach).

When they didn't get a reply from the Gmail account owner, they asked Google for the owner's personal information (presumably so they could find another way to contact them). Google did the right thing and refused to turn over personal information about one of their customers without a court order.

The bank then filed for that court order to not only disclose the Gmail account holder's information, but to have that user's Gmail account shut down, and the court granted it.

This is disgusting on a number of levels.

First of all, it would be as if they mailed the wrong document to your house and then got the court to order the USPS to come and destroy your mailbox.

Secondly, it's not unlikely the user in question never saw the email. I get emails allegedly from banks all the time that I never do business with — they're phishing scams looking for me to enter my password. I delete them without a second thought. If I got a random email from some "Rocky Mountain Bank", I'd delete that, too. Assuming these emails even made it past Gmail's spam filters, it's not outside of possibility the account owner deleted them himself.

Third, to deactivate the user's entire email account because of their screw-up goes way beyond their bounds. I use my Gmail for a lot, including business-related correspondence (not to mention it's my credentials for other services, including this blog). What right does some third party have to shut off my business activities because they sent me something by mistake that I probably never even looked at?

They made a mistake. Fine. It happens. Heck, I remember when I used to get emails detailing AOL's plans to expand dialup service in South America (it was entertaining, but not particularly useful — the emails I mean, although the same could be said about AOL). But suing to shut down an innocent person's email for their mistake is, at best, bullying and heavy-handed, and, at worst, a violation of Constitutional rights. Shame on you, Rocky Mountain Bank. If I ever have the opportunity to do business with you, it will only be to tell you "No way."

I hope this Gmail account is owned by someone who does use it and has a brain, because I really want to see a counter-suit filed on this.

3 comments:

JediChric said...

Good Post! I SO can't wait to see how this plays out!

Yakko Warner said...

Hmm. According to this follow-up report, "The companies said in a joint motion that Google had complied with the order. They also said they lodged a separate report to the court showing that the bank's original request was now 'moot.' Therefore, they argued, Google should be allowed to restore the user's access to the Gmail account."

I could see a few different possibilities why they might consider the request "moot":

1) RMB did what they should've done in the first place: considered the data compromised, invalidated all information where possible (i.e. changed account numbers or closed affected accounts), and set up credit and identity monitoring services for affected customers.

2) RMB got a hold of the account holder (either through a returned email or through contact information that Google was forced to turn over), made him promise to delete and not divulge the information (the nature of this promise is left to the imagination of the reader), and considered the matter closed.

3) RMB sent their hit squad (a.k.a. their "Leaked Information Containment Unit") and terminated the account holder.

Still, this is something that never should've happened in the first place, and I still think both Rocky Mountain Bank and the judge should be sanctioned appropriately to make sure it never happens again.

Yakko Warner said...

And to close the story, apparently the email was "never read" and Google was able to delete the email and reactivate the user's account.

Not that it doesn't leave a whole lot of questions on the table — not the least of which being when Rocky Mountain Bank intends to admit fault in this matter. (Actually, the answer to that appears to be the same as when I'll do business with them: never.)