HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in Cybersecurity & Data Breaches

Rocky Mountain Bank Settles Gmail Disclosure Case: Controversial Case Sought to Avoid Breach Notification and Froze User’s Account

It appears that Rocky Mountain Bank v. Google (ND CA), a dispute over the disclosure of a Gmail user’s account, has been settled, according to this newspaper report. When an employee of the bank sent a file containing names, addresses, tax ID numbers and loan information on more than 1,000 customers to a Gmail account by mistake, the Bank sued Google to get the transmittal back and to confirm that the information sent was not inappropriately accessed. The bank obtained a court order preventing Google or its unknown Gmail account holder from accessing the file, which froze e-mail access for the unknown user. This order created some controversy, as reflected here.

One of the purposes of the lawsuit was to determine whether data security breach notification obligations had been triggered. The bank sought to seal the entire record of the case, but the district court refused to seal the proceedings regarding the Gmail account. A copy of the District Court’s decision is here. Sealing the record was something the plaintiff bank wanted in order to avoid prematurely (and perhaps unnecessarily) announcing a data security breach. Indeed, a major goal of the lawsuit was to seek information that would allow the Bank to avoid announcing a data security breach, but that goal was undermined by the court’s refusal to seal the fact of the lawsuit (although parts of the record itself were sealed).

For many companies who misdirect e-mails containing PII, it has been a given that the misdirection alone constitutes a "breach" requiring notification to the person whose PII was in the e-mail. This case suggests that even where e-mail is misdirected, if the facts reveal that the unauthorized recipient never opened the e-mail, or for other reasons did not access the information under the definitions in the breach laws, then notice may not be required.