The problem is, banks have too many humans.

What do you call the sacrifice of one person's privacy in an attempt to save the privacy of over 1300? If you're a bank, you call it collateral damage.

When I was a kid I earned my first paycheck passing out fliers for a neighbor who was starting a pool cleaning business. With my first $13 in hand, my grandfather took me to the a bank in walking distance to my home, got me a tour of the vault from the branch manager, a neat pouch to hold all my coin, a full explanation of the principals of savings and loans, and helped me open my very first savings account. Believe it or not, back then, all my account information was stored on a double-sided index card behind the teller.

Today, things are much more complicated. Gone are the index cards and passbooks, most of the employees, tellers and branches, a good deal of the service, interest-bearing accounts with only $13 in them, and a lot of the customers' money. Today, it's all computerized, and most banks even attach various penalties to discourage human contact.

I know an awful lot about electronic data systems, but I don't pretend to fully understand how the modern banking system works. Sometimes, I think I do--from a mechanical (as opposed to financial) perspective. But then something convinces me that I don't. For instance, you know how every so often your bank emails its customers' names, addresses, Social Security numbers, and loan information to Gmail?

To be completely honest, I didn't know they did that either, until I found out recently that The Rocky Mountain Bank in Wyoming had sent 1,325 such records to the wrong Gmail account. (Mind you, most would have trouble imagining who could possibly be the right recipient.) Once the error was noticed, the bank attempted to contact the recipient to request immediate destruction of the email and its attachment. When the bank received no response, a request was made to Google for the recipient's identity. Citing its privacy policy, Google refused to provide the information requested, and the bank filed suit.

According to court documents:

"On August 12, 2009, Plaintiff received a request from one of its customers for Plaintiff to send certain loan statements to a third-party representative of that customer. That same day, an employee of Plaintiff attempted to send the requested information to the customer’s representative via email. The next day, Plaintiff discovered that its employee had inadvertently sent the email to the wrong Gmail email address. In addition, Plaintiff discovered that attached to the email was a file containing confidential customer information for 1,325 individual and business customer accounts for customers other than just the customer who requested information. The confidential information includes names, addresses, tax identification numbers, and loan information for each of the 1,325 customer accounts.

After learning of its inadvertent disclosure of confidential customer information, Plaintiff tried to recall the email without success. It then sent another email to the Gmail address, instructing the recipient to immediately delete the prior email and the attached file in its entirety without opening or reviewing it. Plaintiff also requested that the recipient contact Plaintiff to discuss his or her actions. The recipient has not responded to Plaintiff’s email."

Ironically, in a case that pits the privacy interests of innocent parties against each other, the protagonists of this story had some privacy concerns of their own. The Bank's lawyers attempted to file their suit under seal -- which was denied by the U.S. District Court. Though not mentioned in the court's ruling on this issue, most states have security breach notification laws that require disclosure of any records that may have gotten into the hands of unauthorized individuals. Wyoming does, indeed, have such a law (40-12-502. "Computer security breach; notice to affected persons"). It states:

"(a) An individual or commercial entity that conducts business in Wyoming and that owns or licenses computerized data that includes personal identifying information about a resident of Wyoming shall, when it becomes aware of a breach of the security of the system, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal identifying information has been or will be misused. If the investigation determines that the misuse of personal identifying information about a Wyoming resident has occurred or is reasonably likely to occur, the individual or the commercial entity shall give notice as soon as possible to the affected Wyoming resident."

While the bank was compounding errors by ignoring its obligations to its customers and state law, their case against Google was being reviewed by another judge who ordered Google to disable the account, and disclose the recipient's identity.

The Rocky Mountain Bank maintains that it contacted the recipient more than once and requested that the individual respond to requests to "discuss his or her actions". The implication is that, had the recipient responded, this whole matter could have been handled amicably and honorably -- among gentlemen, as it were. I wonder if, from the perspective of the bank, its customers, or even the email recipient, a "discussion" would have really sufficed. I know, as a bank customer, John Doe's word that he had deleted all my personal information from his Gmail account wouldn't satisfy me at all. If I were in charge of bank security, I don't think I'd be very satisfied either. In either case, I suppose I would be demanding proof that had been deleted, never copied, forwarded, or printed, and probably some kind of connotative memory-wipe.

Years ago, I was consulted by a judge after a District Attorney's office "accidentally" obtained access to a defense lawyer's hard drive (quotes inserted to cite the provided explanation, not my personal feelings about the explanation). The negotiated remedy and order was an extensive forensic search of the DA's hard drives, and a complete wipe of their contents -- even when the search turned up no conclusive evidence that the DA had ever examined any privileged materials. But I doubt any accidental recipient would agree to that -- especially a civilian. And why should they?

Of course, no one knows, at this point, if the recipient ever saw the message. Many reading this web site would likely have dismissed it, and any subsequent messages from the bank as a phishing scam. The Rocky Mountain Bank even has a link to an oddly nondescript PDF addressing the subject of phishing scams.

There's really no reason to believe that the bank ever considered litigation to be an entirely avoidable option, no matter how cooperative the recipient might have been. Nor am I convinced that the court's decision has provided any comfort to the individual's who's privacy has been sacrificed -- including the one who's email account has been disabled, and personal information shared with a bank that's already demonstrated that they can't be trusted with the information.

So, if suing Google won't assure its customers' privacy and financial security, what should the bank have done? That's an easy one. Ask any programmer. They'll tell you: The only way to fix a 1D10T error is to upgrade your wetware and reboot.

About Jeff M. Fischbach

Jeff Michael Fischbach is founder and President of SecondWave Information Systems (SecondWave.com), a consulting firm specializing in Forensic Technology. Since 1994, he has served as a board member and technology adviser to numerous professional organizations and corporations. Mr. Fischbach has been engaged as a litigation consultant and Forensic Examiner, offering expert advice and oversight on matters involving intellectual property, computers, information systems, satellite, tracking and wireless communications technologies. He has advised law enforcement, foreign government representatives, judges, lawyers and the press.