Rocky Mountain Bank, a small regional bank in Wyoming, has been in the news recently because it sued Google to reveal the identity of the owner of a GMail account to which the bank accidentally sent customer data. In addition, the bank wanted Google to delete that email as well as deactivate the user’s account. Many articles I’ve seen about the incident focus on the privacy of the GMail user.

More concern should be focused on Rocky Mountain Bank’s 1,325 loan customers. The bank sent their names, addresses, social security numbers and loan balances to the “wrong” GMail address. There are just so many things wrong with that statement. Most glaring is how could this information ever be sent to the right GMail account. This bank has opened up 1,325 people to the possibility of the irreparable damage of identity theft.

As a financial institution, Rocky Mountain Bank is bound by regulations meant to protect consumers from having their personally identifiable information exposed. The bank was completely and utterly reckless in the way this was handled. It is likely that the bank could be fined. The bank may even face lawsuits.

What They Did Wrong

They emailed personally identifiable information.
First, personally identifiable information should never been emailed even if requested. The moment unencrypted data is transmitted over the internet, that data is practically available for all to see. Data is stored at each server it has to traverse to get to its destination. It can also be intercepted by anyone on that route. While RMB focused on that one email account, it is impossible to delete all traces of this data as it could be anywhere by now. If this user is in a country that does not cooperate with U.S. law enforcement and has already downloaded or otherwise saved the email, that user is not subject to any litigation originating from the U.S. This data could already be available on the black market.

They did not use encryption.
If there is no other way to transmit the information other than email it must be encrypted. That data must be encrypted whether it’s at rest (on a hard drive, in a database, on a floppy, etc.) or whether it’s in motion (emailed, FTPed, etc.). This is a very basic principle.

Does anything else matter?
The bank could have also used filtering on outgoing messages to recognize sensitive data being emailed. The bank could have also double checked the email address that the message was being sent to as well as the actual email attachment. Or the bank could have implemented a secure messaging system so sensitive information never leaves their network. I’m not so sure this is the point, however. The fact that the wrong file was sent and the wrong email address are beside the point. If the bank made a habit of encrypting data and not sending financial records via email, all the other “what ifs” regarding the incident wouldn’t matter.

They covered their butts first.
In requesting these court orders Rocky Mountain Bank wanted the lawsuit sealed. That to me looks like the bank was trying to protect itself hoping the details of this data breach would not be exposed. The bank has most likely reported the breach to its customers but likely not how the breach occurred. What they have done by getting the email deleted, receiving the GMail user’s identity and deactivating that account does nothing to remedy a situation that cannot be remedied. This bank should bear sole responsibility for releasing customer information in such a reckless manner and should be held accountable.

Rocky Mountain Bank found that the email containing the sensitive data was not read by the email account owner. Rocky Mountain Bank has dropped its lawsuit against Google. Bank representatives are certainly relieved but this hardly means the data is not available elsewhere.

You might also be interested in:

• CheckFree: A Case of Phishing, Pharming and Drive-Bys
• Data Loss, Identity Theft and Credit Card Fraud Links
• Mobile Websites Suck