Rocky Mountain Bank v. Google, Inc.

Last updated
Rocky Mountain Bank v. Google Inc.
US DC NorCal.svg
Court United States District Court for the Northern District of California
DecidedSeptember 23, 2009
Docket nos.09-cv-0438503
Court membership
Judge(s) sitting James Ware

Rocky Mountain Bank v. Google Inc. was a decision by the United States District Court for the Northern District of California holding that Google had to reveal the account information of a Gmail user who had been mistakenly sent sensitive information from Rocky Mountain Bank.

Contents

In August 2009, a Rocky Mountain Bank employee was asked by a customer to forward loan reports to the customer's agent. Instead, the employee mistakenly sent the email to a different account and mistakenly included a file of sensitive loan details from 1,325 individual and business customers. He emailed the Gmail user, asking the user to contact the bank and delete the email. Because the user was unresponsive, the employee asked Google to divulge the user's identity. Pursuant to its privacy policy, Google refused, noting that the bank needed to obtain a court order to obtain the information.

After the bank sued Google, judge James Ware ruled that Google had to lock the Gmail account and divulge the user's account information to the bank. If the user had accessed the sensitive email, Google also had to reveal the user's identity. After Google revealed the account information, both parties filed a joint motion requesting that the judge's ruling be vacated. They explained that Google's disclosures mooted the order. The Gmail user had marked the email as spam without opening it and the email had been deleted unread on September 19, 2009.

Background

In August 2009, an employee of the Wilson, Wyoming-based Rocky Mountain Bank was asked by a bank customer to email loan reports to the customer's agent. [1] However, on August 12, 2009, the employee accidentally emailed the information to an incorrect Gmail account when he misspelled one letter in the email address. [2]

His second blunder was including an attachment in the email that had private details for 1,325 individual and business customers. The attachment comprised loan details from 2008, such as "customers' names, addresses, Social Security or tax ID numbers, loan numbers, balances, interest rates and principal amounts". [3] Upon discovering his mistake, the employee unsuccessfully attempted to rescind his email. He then sent a second email to the Gmail account, ordering the individual to expunge both the email and the attachment and refrain from looking at the attachment's contents. Directing the Gmail user to respond to him to "discuss his or her actions", the employee received no response. [1] The bank asked Google to divulge the unresponsive account holder's identity. Pursuant to its privacy policy, the company denied the request, telling the bank that it needed to get a court order. [4]

To preclude the error from occurring again, the bank added a second tier of security access barriers. [3] It also apprised by telephone and writing all clients whose confidential information was sent in the email. The bank also gave customers the option to have credit monitoring for a year without charge. [5]

Rocky Mountain Bank sued Google to force the company to delete the email account and reveal the account holder's identity. [6] It stressed that speedy action was needed to protect its clients from "irreparable" and "unnecessary" danger. [7] The bank attempted to file the case under seal because it wanted to preclude consternation from its customers and a "surge of inquiry". [6] The motion to seal was denied by U.S. District Court Judge Ronald M. Whyte. [4] Whyte wrote that "[a]n attempt by a bank to shield information about an unauthorized disclosure of confidential customer information until it can determine whether or not that information has been further disclosed and/or misused does not constitute a compelling reason that overrides the public's common law right of access to court filings". [1]

The case was later transferred to James Ware of the United States District Court for the Northern District of California. [4] The judge placed an ad interim restraining order mandating Google to shut down the Gmail address. Ware forbade Google and the Gmail user from reviewing or dispensing the sensitive information. He also granted the bank's request to have Google reveal if the Gmail user had looked at the sensitive email or "otherwise manipulated" it and if the account was inactive or recently used. If the account had been recently used, Ware required Google to reveal to the bank the account holder's identity. [8]

Following Google's disclosures to the bank in adherence to Ware's order, Rocky Mountain Bank and Google requested in a joint motion that the restraining order be vacated. Telling the judge that the order had been mooted by Google's revelations, the motion requested that Google be allowed to restore the Gmail account. The motion did not enumerate Google's disclosures. [8]

In a report filed in late September with the U. S. District Court for the Northern District of California, Google wrote that the confidential email was sent on August 12. Without entering the email, the Gmail user sent it to the account's spam folder. Google noted that the user could no longer access the email since it had been automatically deleted on September 19. Although Google had apprised the user of Rocky Mountain Bank's lawsuit on September 21, the company noted though that "with suspension of the Gmail account, the user now will be precluded from retrieving that notice, other communications about this matter or any other e-mail of importance to the user". [2]

Reactions

Opinions on the Internet from privacy advocates were divided. A number of commentators chastised the bank for trying to block the guiltless Gmail user from entering his or her account. Some said that with limited options, the bank had responsibly tried to contact the user to erase the confidential email; when no answer was forthcoming, the bank rightfully attempted to have the account locked. [5]

Related Research Articles

Phishing Attempt to trick a person into revealing information

Phishing is a type of social engineering where an attacker sends a fraudulent message designed to trick a person into revealing sensitive information to the attacker or to deploy malicious software on the victim's infrastructure like ransomware. Phishing attacks have become increasingly sophisticated and often transparently mirror the site being targeted, allowing the attacker to observe everything while the victim is navigating the site, and transverse any additional security boundaries with the victim. As of 2020, phishing is by far the most common attack performed by cybercriminals, the FBI's Internet Crime Complaint Centre recording over twice as many incidents of phishing than any other type of computer crime.

Gmail Email service provided by Google

Gmail is a free email service provided by Google. As of 2019, it had 1.5 billion active users worldwide. A user typically accesses Gmail in a web browser or the official mobile app. Google also supports the use of email clients via the POP and IMAP protocols.

Google Desktop Computer program

Google Desktop was a computer program with desktop search capabilities, created by Google for Linux, Apple Mac OS X, and Microsoft Windows systems. It allowed text searches of a user's email messages, computer files, music, photos, chats, Web pages viewed, and the ability to display "Google Gadgets" on the user's desktop in a Sidebar.

James Ware (judge) American judge

William James Ware is a retired United States District Judge of the United States District Court for the Northern District of California.

History of Gmail Email service from Google

The public history of Gmail dates back to 2004. Gmail, a free, advertising-supported webmail service with support for Email clients, is a product from Google. Over its history, the Gmail interface has become integrated with many other products and services from the company, with basic integration as part of Google Account and specific integration points with services such as Google+, Google Calendar, Google Drive, Google Hangouts, Google Meet, YouTube, and Google Buzz. It has also been made available as part of G Suite. The Official Gmail Blog tracks the public history of Gmail from July 2007.

Google Pay Send Mobile payment system developed by Google

Google Pay Send, previously known as Google Wallet, was a peer-to-peer payments service developed by Google before its merger into Google Pay. It allowed people to send and receive money from a mobile device or desktop computer.

A Google Account is a user account that is required for access, authentication and authorization to certain online Google services. It is also often used as single sign on for third party services.

Google Workspace is a collection of cloud computing, productivity and collaboration tools, software and products developed and marketed by Google. It consists of Gmail, Contacts, Calendar, Meet and Chat for communication; Currents for employee engagement; Drive for storage; and the Google Docs suite for content creation. An Admin Panel is provided for managing users and services. Depending on edition Google Workspace may also include the digital interactive whiteboard Jamboard and an option to purchase such add-ons as the telephony service Voice. The education edition adds a learning platform Google Classroom and today has the name Workspace for Education.

Data breach Intentional or unintentional release of secure information

A data breach is a security violation, in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. Other terms are unintentional information disclosure, data leak, information leakage, and data spill. Incidents range from concerted attacks by individuals who hack for personal gain or malice, organized crime, political activists or national governments, to poorly configured system security or careless disposal of used computer equipment or data storage media. Leaked information can range from matters compromising national security, to information on actions which a government or official considers embarrassing and wants to conceal. A deliberate data breach by a person privy to the information, typically for political purposes, is more often described as a "leak".

Outlook.com Microsoft web app

Outlook.com is a personal information manager web app from Microsoft consisting of webmail, calendaring, contacts, and tasks services. Founded in 1996 by Sabeer Bhatia and Jack Smith as Hotmail, it was acquired by Microsoft in 1997 for an estimated $400 million and relaunched as MSN Hotmail, later rebranded to Windows Live Hotmail as part of the Windows Live suite of products. Microsoft phased out Hotmail in October 2011, relaunching the service as Outlook.com in 2012.

The multinational Internet corporation Yahoo! has received criticism for a variety of issues.

Gmail interface Overview of the interface of Googles email service Gmail

The Gmail interface makes Gmail unique amongst webmail systems for several reasons. Most evident to users are its search-oriented features and means of managing e-mail in a "conversation view" that is similar to an Internet forum.

A recent extension to the cultural relationship with death is the increasing number of people who die having created a large amount of digital content, such as social media profiles, that will remain after death. This may result in concern and confusion, because of automated features of dormant accounts, uncertainty of the deceased's preferences that profiles be deleted or left as a memorial, and whether information that may violate the deceased's privacy should be made accessible to family.

Sparrow (email client) Email client

Sparrow was an email client for OS X and iOS. After a 4-month beta period, Sparrow went on sale in the Mac App Store on February 9, 2011 and became the top paid and top grossing app in less than one day. On July 20, 2012, the company announced that it had been acquired by Google and was ceasing continued development of the application except for critical bug fixes.

Zorpia is a social networking service with customers in China. Zorpia is one of the few international social networks with a Chinese Internet Content Provider license. The social networking site reports 2 million unique users per month and a total worldwide user base of 26 million. Jeffrey Ng is the company's founder and CEO of Zorpia. The privately funded company is based in Hong Kong and has 30 employees.

Mailbird is a desktop email client for Windows 7, 8, 10, and 11 for sending and receiving emails, managing calendar events and contacts from different email providers, including Outlook, Gmail, Yahoo Mail, etc. Social media, task management, file share, and video-conferencing integrations are also included.

<i>United States v. Google Inc.</i>

United States v. Google Inc., No. 3:12-cv-04177, is a case in which the United States District Court for the Northern District of California approved a stipulated order for a permanent injunction and a $22.5 million civil penalty judgment, the largest civil penalty the Federal Trade Commission (FTC) has ever won in history. The FTC and Google Inc. consented to the entry of the stipulated order to resolve the dispute which arose from Google's violation of its privacy policy. In this case, the FTC found Google liable for misrepresenting "privacy assurances to users of Apple's Safari Internet browser". It was reached after the FTC considered that through the placement of advertising tracking cookies in the Safari web browser, and while serving targeted advertisements, Google violated the 2011 FTC's administrative order issued in FTC v. Google Inc.

Zix Corporation (ZixCorp) was a security technology company that provides email encryption services, email data loss prevention (DLP) and mobile applications designed to address bring your own device (BYOD) corporate technology trend. Before being acquired by OpenText, Zix was headquartered in Dallas, Texas, and served customers that include divisions of the U.S. Treasury, federal financial regulators, health insurance providers and hospitals, and financial companies. As of December 2011, the company has served over thirty Blue Cross Blue Shield organizations, 1,200 hospitals, 1,600 banks, credit unions and associations. Federal Financial Institutions Examination Council (FFIEC) regulators are also the customers of the company. CIPROMS has signed a three-year renewal for the company in 2014.

Google's changes to its privacy policy on March 16, 2012 enabled the company to share data across a wide variety of services. These embedded services include millions of third-party websites that use AdSense and Analytics. The policy was widely criticized for creating an environment that discourages Internet-innovation by making Internet users more fearful and wary of what they put online.

SpyEye is a malware program that attacks users running Google Chrome, Opera, Firefox and Internet Explorer on Microsoft Windows operating systems. This malware uses keystroke logging and form grabbing to steal user credentials for malicious use. SpyEye allows hackers to steal money from online bank accounts and initiate transactions even while valid users are logged into their bank account.

References

  1. 1 2 3 Zetter, Kim (2009-09-21). "Bank Sends Sensitive E-mail to Wrong Gmail Address, Sues Google". Wired . Archived from the original on 2011-05-07. Retrieved 2011-04-28.
  2. 1 2 Gallob, Joel (2009-09-29). "E-mail with bank information was deleted, Google says". Laramie Boomerang . Archived from the original on 2011-04-28. Retrieved 2011-04-28.
  3. 1 2 "E-mail with personal info never opened". Billings Gazette . 2009-09-28. Archived from the original on 2011-04-28. Retrieved 2011-04-28.
  4. 1 2 3 Davis, Wendy (2009-09-24). "Judge Orders Google To Deactivate User's Gmail Account". MediaPost. Archived from the original on 2011-08-12. Retrieved 2011-04-27.
  5. 1 2 Provost, Ruffin (2009-09-29). "Bank gets attention with Google lawsuit". Billings Gazette . Archived from the original on 2011-04-28. Retrieved 2011-04-28.
  6. 1 2 Metz, Cade (2009-09-23). "Bank sues Google for identity of Gmail user". The Register . Archived from the original on 2011-10-08. Retrieved 2011-04-28.
  7. Mintz, Howard (2009-09-23). "Bank Sues Google to Get Missent Email Back". San Jose Mercury News . Archived from the original on 2011-04-28. Retrieved 2011-04-28.
  8. 1 2 "Google, bank end dispute over Gmail account". Computerworld . 2009-09-28. Archived from the original on 2012-03-22. Retrieved 2011-04-28.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.