MediaPost is reporting that Rocky Mountain Bank, a small institution in Wyoming, accidentally e-mailed the names, Social Security numbers, addresses, and loan information to a Gmail address. When it realized its mistake, it e-mailed the address again and got no response–so it went to court, and a California appellate court judge has told Google that it must deactivate the Gmail address in question. Even though nobody’s accused the e-mail recipient of doing anything wrong.
MediaPost’s story leaves multiple obvious questions unaddressed, so I’m cautious about expressing any opinion at all about this story. The biggest one: Does anyone know who the Gmail account belongs to, and has anyone made any attempt to contact its owner other than Rocky Mountain’s initial e-mail? Do we know that the recipient is using the account at all? Do we know who this person is?
The temptation to heap scorn upon District Court Judge James Ware is obvious, but I’m most appalled by the reported initial actions of Rocky Mountain Bank. Why was anyone there e-mailing Social Security numbers to anyone? The company has a security statement on its site explaining the measures it takes to protect customers’ Social Security numbers, but I find no acknowledgement of this Gmail incident. (“Dear customer: We accidentally leaked your private information to a random stranger, and we’re not sure what he or she is doing with it. Our apologies, etc., etc.”)
While I was rummaging around the Rocky Mountain site hoping to find useful information, I clicked on the Letter From CEO link, and got this:
Doesn’t exactly inspire vast amounts of confidence, does it?