Bank sues Google for ID of Gmail user

Computerworld - A bank that inadvertently sent confidential account information on 1,325 of its customers to the wrong Gmail address is suing Google for the identity of the Gmail account holder.

The case, filed in the U.S. District Court for the Northern District of California, involves Rocky Mountain Bank of Wyoming. According to court documents, the bank in August received a request from one of its customers asking for certain loan statements to be sent to a third-party. An employee of the bank, responding to the request, sent the documents to the wrong Gmail address.

In addition to the requested loan information, the bank employee also inadvertently attached a file containing names, addresses, tax identification numbers and other details on 1,325 account holders to the same address. When it discovered the error, the bank immediately sent an e-mail to the Gmail address asking the recipient to delete the previous email and the attachment. The bank also asked the recipient to contact the bank to discuss what actions had been taken to comply with the bank's request.

When it received no reply, the bank sent an e-mail to Google asking whether the Gmail account was active or dormant and also what it could do to prevent unauthorized disclosure of the inadvertently leaked information. When Google refused to provide any information on the account without a formal subpoena or court order, the bank filed a complaint asking the court to force Google to identify the account holder.

Rocky Mountain Bank also requested that its complaint and all of the pleadings and filings in the case be sealed. The bank said it hopd to prevent unnecessary panic among its customers and a "surge of inquiry from its customers." The bank argued that if the complaint and motion papers are not sealed, all of its customers would learn of the inadvertent disclosure.

U.S. District Court Judge Ronald Whyte dismissed that request, saying there was no need for the proceedings to be sealed. "An attempt by a bank to shield information about an unauthorized disclosure of confidential customer information until it can determine whether or not that information has been further disclosed and/or misused does not constitute a compelling reason," Whyte wrote last week.

This is the third time in recent weeks that Google has faced a similar issue. Earlier this month, the Associated Press reported that a resort developer in Miami had obtained a court order requiring Google to disclose the identities of anonymous contributors to an online newspaper in the Turks and Caicos Islands. The man alleged that the contributors to the paper had unfairly linked him to government corruption. In that case, Google indicated that it would disclose the data only after first informing the paper about the request and giving it a chance to appeal for the court order to be quashed.

In the other incident, a court in New York compelled Google to disclose the identity of a blogger who had made disparaging comments about a Vogue model in her blog "Skanks in NYC."

Read more about security in Computerworld's Security Knowledge Center.