Last week Rocky Mountain Bank (according to reports) emailed, unencrypted, social security numbers and personal financial data on 1300+ customers, to the wrong address (link below):
The e-mail, sent by an employee of Jackson, Wyo.-based Rocky Mountain Bank on August 12, contained names, addresses, Social Security numbers, and loan information of more than 1,300 bank customers.
From court documents (PDF):
The confidential information includes names, addresses, tax identification numbers, and loan information for each of the 1,325 customer accounts.
That email, with the customers’ information, went to a gmail address. A frantic skirmish ensued, with Rocky Mountain Bank actually getting a court order to force Google to lock the email address. That part got the attention of the tech community, but what about the part about Rocky Mountain Bank leaking customer social security numbers? Why wasn’t that part sensational? And the part about Rocky Mountain Bank filing a request to seal the court order, on the grounds that it was not good for the bank, with an assertion that the confidential information may not have been actually “disclosed”:
Plaintiff argues that if its complaint and motion papers are not filed under seal, all of its customers may learn of the inadvertent disclosure. Plaintiff further argues that publication of the disclosure before it determines whether the Gmail account is active or dormant will unnecessarily create panic among all of its customers and result in a surge of inquiry from its customers. In his declaration, Mark Hendrickson, states that “until there is a determination that the Confidential Customer Information was in fact disclosed and/or misused, the Bank cannot advise its customers on whether there was an improper disclosure.”
It gets worse. Now that Rocky Mountain Bank (of Jackson, Wyoming) has confirmation from Google that the owner of the gmail account had not yet read the email, we are asked to accept that all is well in Rocky Mountain Bank Security Land:
“As a result, no customer data of any sort has been viewed or used by any inappropriate user during this data lapse,” Martinez wrote. “Rocky Mountain Bank acted to protect its customer’s confidential information. That objective was accomplished. The matter is now closed and the TRO (temporary restraining order) entered on September 23, 2009 is now vacated.”
Seriously? Unencrypted emails are stored on numerous servers on their way to their destination. An email sent from Rocky Mountain Bank in Wyoming to a Gmail account is not “secure” along the way. Just because Google says the email has not been read via the gmail account does not mean the email has not been copied, stored, archived, or even read on numerous cooperating servers in the public path between Rocky Mountain Bank and Google’s GMail servers. I don’t even trust that Google’s determination is accurate. Without details, who knows if the email had been read and marked as unread? Or forwarded? Or accessed outside of the web interface? Has anyone looked to see just what Google specifically examined? Or is Rocky Mountain Bank just hoping we’ll all forget this “mistake”?
Not to mention the tougher questions. Is it standard Rocky Mountain Bank procedure to email confidential customer data unencrypted, every day? Is it only when they realize they sent it to the wrong address that it becomes news?
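The control the last two paragraphs are asking for is an outbound-mail gate: scan every message for SSN/TIN-shaped values before it leaves, and refuse to send such a message in clear text to an address outside the bank, so a mistyped recipient never carries customer records out. The following is an added example written for this post, not code from the bank or from any product; the domain names and the sample message are constructed.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# Domains treated as inside the bank (constructed for this example).
INTERNAL_DOMAINS = {"example-bank.test"}

# SSN/TIN shape AAA-GG-SSSS with the SSA validity rules: area is not
# 000, 666 or 900-999; group is not 00; serial is not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def find_ssns(text: str) -> list:
    """Return every SSN/TIN-shaped token in the text."""
    return SSN_RE.findall(text)


def message_text(msg: Message) -> str:
    """Concatenate all text parts, including text attachments, so the scan covers the whole message."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True)
            if payload:
                parts.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(parts)


def external_recipients(msg: Message) -> list:
    """Recipients (To/Cc/Bcc) whose domain is not on the internal list."""
    addrs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", []))
    return [a for _, a in addrs if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def gate_outbound(raw: str) -> dict:
    """Decide whether a raw RFC 822 message may leave in clear text."""
    msg = message_from_string(raw)
    hits = find_ssns(message_text(msg))
    ext = external_recipients(msg)
    if hits and ext:
        verdict = "block"              # customer identifiers bound for an outside mailbox
    elif hits:
        verdict = "require-encryption"  # internal, but still sensitive: do not relay in clear
    else:
        verdict = "allow"
    return {"verdict": verdict, "ssn_count": len(hits), "external": ext}


# Constructed sample: a loan file mistakenly addressed to a webmail account.
SAMPLE = """From: loans@example-bank.test
To: someone@gmail.example
Subject: Loan file
Content-Type: text/plain

Borrower: Jane Doe, TIN 123-45-6789, loan balance $250,000.
"""

if __name__ == "__main__":
    print(gate_outbound(SAMPLE))
```

The gate errs toward false positives (any valid-looking nine-digit pattern), which is the right trade for a channel that should never carry customer identifiers in the clear.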
I expect a name change for Rocky Mountain Bank in the near future, for Reputation Management purposes, but really… when will we start demanding more from our banks and their inept managers and executives?