Rocky Mountain Bank v. Google, Inc.

Rocky Mountain Bank v. Google Inc. was a decision by the United States District Court for the Northern District of California holding that Google had to reveal the account information of a Gmail user who had been mistakenly sent sensitive information from Rocky Mountain Bank.

In August 2009, a Rocky Mountain Bank employee was asked by a customer to forward loan reports to the customer's agent. Instead, the employee mistakenly sent the email to a different account and mistakenly included a file of sensitive loan details from 1,325 individual and business customers. He emailed the Gmail user, asking the user to contact the bank and delete the email. Because the user was unresponsive, the employee asked Google to divulge the user's identity. Pursuant to its privacy policy, Google refused, noting that the bank needed to obtain a court order to obtain the information.

After the bank sued Google, judge James Ware ruled that Google had to lock the Gmail account and divulge the user's account information to the bank. If the user had accessed the sensitive email, Google also had to reveal the user's identity. After Google revealed the account information, both parties filed a joint motion requesting that the judge's ruling be vacated. They explained that Google's disclosures mooted the order. The Gmail user had marked the email as spam without opening it and the email had been deleted unread on September 19, 2009.

Background
In August 2009, an employee of the Wilson, Wyoming-based Rocky Mountain Bank was asked by a bank customer to email loan reports to the customer's agent. However, on August 12, 2009, the employee accidentally emailed the information to an incorrect Gmail account when he misspelled one letter in the email address.

His second blunder was including an attachment in the email that had private details for 1,325 individual and business customers. The attachment comprised loan details from 2008, such as "customers' names, addresses, Social Security or tax ID numbers, loan numbers, balances, interest rates and principal amounts". Upon discovering his mistake, the employee unsuccessfully attempted to rescind his email. He then sent a second email to the Gmail account, ordering the individual to expunge both the email and the attachment and refrain from looking at the attachment's contents. Directing the Gmail user to respond to him to "discuss his or her actions", the employee received no response. The bank asked Google to divulge the unresponsive account holder's identity. Pursuant to its privacy policy, the company denied the request, telling the bank that it needed to get a court order.

To preclude the error from occurring again, the bank added a second tier of security access barriers. It also apprised by telephone and writing all clients whose confidential information was sent in the email. The bank also gave customers the option to have credit monitoring for a year without charge.

Legal proceedings
Rocky Mountain Bank sued Google to force the company to delete the email account and reveal the account holder's identity. It stressed that speedy action was needed to protect its clients from "irreparable" and "unnecessary" danger. The bank attempted to file the case under seal because it wanted to preclude consternation from its customers and a "surge of inquiry". The motion to seal was denied by U.S. District Court Judge Ronald M. Whyte. Whyte wrote that "[a]n attempt by a bank to shield information about an unauthorized disclosure of confidential customer information until it can determine whether or not that information has been further disclosed and/or misused does not constitute a compelling reason that overrides the public's common law right of access to court filings".

The case was later transferred to James Ware of the United States District Court for the Northern District of California. The judge placed an ad interim restraining order mandating Google to shut down the Gmail address. Ware forbade Google and the Gmail user from reviewing or dispensing the sensitive information. He also granted the bank's request to have Google reveal if the Gmail user had looked at the sensitive email or "otherwise manipulated" it and if the account was inactive or recently used. If the account had been recently used, Ware required Google to reveal to the bank the account holder's identity.

Following Google's disclosures to the bank in adherence to Ware's order, Rocky Mountain Bank and Google requested in a joint motion that the restraining order be vacated. Telling the judge that the order had been mooted by Google's revelations, the motion requested that Google be allowed to restore the Gmail account. The motion did not enumerate Google's disclosures.

In a report filed in late September with the U. S. District Court for the Northern District of California, Google wrote that the confidential email was sent on August 12. Without entering the email, the Gmail user sent it to the account's spam folder. Google noted that the user could no longer access the email since it had been automatically deleted on September 19. Although Google had apprised the user of Rocky Mountain Bank's lawsuit on September 21, the company noted though that "with suspension of the Gmail account, the user now will be precluded from retrieving that notice, other communications about this matter or any other e-mail of importance to the user".

Reactions
Opinions on the Internet from privacy advocates were divided. A number of commentators chastised the bank for trying to block the guiltless Gmail user from entering his or her account. Some said that with limited options, the bank had responsibly tried to contact the user to erase the confidential email; when no answer was forthcoming, the bank rightfully attempted to have the account locked.