I found a very interesting article in Network World that I just had to share. An employee of a Wyoming bank "accidentally" sent confidential information to the wrong Gmail account. The bank sent the recipient several e-mails explaining what happened, but the customer failed to acknowledge the e-mails. The bank then sued Google, requesting that it surrender the recipient's contact information. Google has a policy that it first tries to contact the customer to give them the opportunity to fight the court disclosure of their identity. The court is considering the bank's request.
Let's look at this problem from four angles: business, technology, security, and legal. We have to ask the question: is it good business policy to send confidential information to a customer's public e-mail account? It's a rhetorical question. Will the bank pay for a credit check for the customer in the future? From a security perspective, maybe it would have been more prudent to have a bank e-mail account if a customer opts to have information sent to them electronically.
From a technology angle, the bank might have considered a VPN for its customers. From a security perspective, how did confidential information get past the firewall? I would have to assume that the bank is not using any type of outgoing data filtering software. From a legal perspective, is it Google's responsibility to turn over the recipient's contact information? The recipient did nothing wrong and Google did nothing wrong. So who is to blame?
First, we need more information about the employee who sent the e-mail and the details of the event. Second, I think the policy of sending confidential information through e-mail has to change, if in fact that was an activity sanctioned by policy. Third, I would be very disappointed if the courts forced Google to give up that customer's personal contact information. If the customer does nothing with the information, then they have not broken any laws.
This is a very important case because it could happen to any business.
For a more in-depth legal analysis, I am going to ask IT Business Edge legal contributor Lora Bentley to weigh in with her perspective.