When the bank realized the mistake, it sent a message to that same Gmail address and asked the recipient to contact the bank and destroy the file without opening it. No one responded, spurring the bank to contact Google and ask for information about the account holder.
Google, as per its privacy policy, told the bank it would have to get a court order to obtain such data.
The bank then filed papers asking a court to order Google to disclose the information. And, in what proved to be yet another mistake, the bank tried to file those papers under seal.
Courts are presumptively open to the public, but litigants can sometimes keep documents secret when there's a good reason to do so. The Rocky Mountain Bank's justification? It didn't want to "needlessly panic" its customers. "Until the bank is able to determine the status of the Gmail account, there is no need for the bank to contact its account holders or needlessly panic its customers," the bank argued in legal papers.
U.S. District Court Judge Ronald Whyte in California had no patience for that line of reasoning. "An attempt by a bank to shield information about an unauthorized disclosure of confidential customer information until it can determine whether or not that information has been further disclosed and/or misused does not constitute a compelling reason that overrides the public's common law right of access to court filings," Whyte wrote.
He said that the bank could redact the Gmail address from its complaint, but that other documents should be made available to the public.
Aside from the bank's misguided attempt to keep its email mix-up a secret, there's also the question of what it expects a court can realistically do to remedy the situation. If the recipient is inclined to distribute the data, he or she can do so in seconds -- certainly in less time than it will take for the case to make its way through the legal system.
This incident doesn't just have the potential to haunt Rocky Mountain Bank. As with AOL's Data Valdez, the snafu also shows that any time a company collects information about consumers there's a risk that the information will be disclosed -- either intentionally or accidentally. And that risk is present whether the data is Social Security numbers held by banks, the digital books that consumers download, or logs showing their search queries.
At the risk of shamelessly plugging my company: SecureZIP, by PKWARE, encrypts email attachments as well as email bodies. Encrypting the email using SecureZIP and a digital certificate would have ensured that only the intended recipient would be able to open the email or the attachment.