In the annals of misdirected emails, this one's particularly embarrassing. On Aug. 12, the Rocky Mountain Bank in Wilson, Wyo. attempted to send information about a customer's loan to his/her
representative via email. Instead, the bank sent a message to the wrong Gmail address. Worse, the message included an attachment with the names, addresses, social security numbers and loan information
of 1,325 other customers.
When the bank realized the mistake, it sent a message to that same Gmail address and asked the recipient to contact the bank and destroy the file without opening it.
No one responded, spurring the bank to contact Google and ask for information about the account holder.
Google, as per its privacy policy, told the bank it would have to get a court order to
obtain such data.
The bank then filed papers asking a court to order Google to disclose the information. And, in what proved to be yet another mistake, the bank tried to file those papers
under seal.
Courts are presumptively open to the public, but litigants can sometimes keep documents secret when there's a good reason to do so. The Rocky Mountain Bank's justification? It
didn't want to "needlessly panic" its customers. "Until the bank is able to determine the status of the Gmail account, there is no need for the bank to contact its account holders or needlessly panic
its customers," the bank argued in legal papers.
U.S. District Court Judge Ronald Whyte in California had no patience for that line of reasoning. "An attempt by a bank to shield information
about an unauthorized disclosure of confidential customer information until it can determine whether or not that information has been further disclosed and/or misused does not constitute a compelling
reason that overrides the public's common law right of access to court filings," Whyte wrote.
He said that the bank could redact the Gmail address from its complaint, but that other documents
should be made available to the public.
Aside from the bank's misguided attempt to keep its email mix-up a secret, there's also the question of what it expects a court can realistically do to
remedy the situation. If the recipient is inclined to distribute the data, he or she can do so in seconds -- certainly in less time than it will take for the case to make its way through the legal
system.
This incident doesn't just have the potential to haunt Rocky Mountain Bank. As with AOL's Data Valdez, the snafu also shows that any time a company collects information about consumers there's a risk
that the information will be disclosed -- either intentionally or accidentally. And that risk is present whether the data is social security numbers held by banks, the digital books that consumers download, or logs showing their search queries.