Goldman Sachs Asks Court To Have Google Delete An Email With Client Info; Google Blocks Access To The Email

from the this-again dept

Five years ago, we wrote a story about how Rocky Mountain Bank in Wyoming accidentally sent a bunch of confidential information to the wrong Gmail account, then took Google to court to try to find out who received the email. Google demanded a court order first, leading a judge to (ridiculously) order the company to shut down the entire email account. It appears that something somewhat similar may have just happened with a more recognizable bank name: Wall Street giant Goldman Sachs went to court recently to order Google to delete an errant email containing confidential client information. According to the filing (which most news sites haven’t posted, for reasons unknown):

On June 23, 2014, an employee of the consulting firm was testing changes to Goldman Sachs’s internal reporting and validation process. The employee intended to send a copy of the internal report to the email address provided to her by Goldman Sachs, which is in the form “[first name].[last name]@gs.com,” but instead mistakenly sent a copy of the internal report to an address in the form “[first name].[last name]@gmail.com.” She is not the owner of the gmail address.

The mistakenly sent email contains certain account and client related information (the “Confidential Client Information”). Goldman Sachs’s clients have a right to maintain the confidentiality of the Confidential Client Information. Furthermore, Goldman Sachs has an obligation to protect the privacy of its customers’ confidential information.

Goldman Sachs has made efforts to retrieve, have deleted or otherwise protect the mistakenly sent Confidential Client Information. As part of those efforts, on June 26, 2014, Goldman Sachs sent an email to the gmail address to which the information was mistakenly sent requesting that it be promptly deleted and that the recipient confirm in writing that s/he had done so. There has been no response.

Goldman also contacted Google directly, and as in the Rocky Mountain case, Google told Goldman to go to court first. Late yesterday, Goldman Sachs noted that Google has told the company that it has blocked access to that particular email and that the email in question had not yet been accessed by anyone. It appears that Google did this despite the lack of a court order, which may seem a bit questionable. Given the nature of the situation, and the fact that Goldman has actually gone to court and requested this, it does seem a bit more reasonable that Google agreed to at least temporarily block access to that particular email until a court decides if it needs to continue blocking it permanently.

Companies: goldman sachs, google


Comments on “Goldman Sachs Asks Court To Have Google Delete An Email With Client Info; Google Blocks Access To The Email”

58 Comments
amoshias (profile) says:

Think about it for a minute...

Let’s assume that google peeked into the account to look at its last accessed date. It hadn’t been accessed since June 23; that means it probably hadn’t been accessed for far longer than that.

If Google sees that this is a dead account, and GS has already gone to court, there’s no real harm done here. Yes, we’d prefer that Google fought to the last ounce of blood; yes, this worries us about what google might do if it were a LIVE account. However, at its heart there’s nothing wrong with Google looking at the situation and acting reasonably about it; it’s what I’d recommend were I advising them.

Michael (profile) says:

Re: Think about it for a minute...

there’s no real harm done here

I’d prefer that Google not mess with my email regardless of how long it has been since I last accessed it.

How specifically would you define a “live” account? Is there a cut-off date in the Gmail TOS that I have not noticed that makes my inactivity indicate that I don’t care if they stop me from accessing email sent to me?

Now, this is Google, and it is their service, and they have the right to do things like this (their TOS lets them prevent you from accessing anything they want), but it is bad form for a service provider.

Anonymous Coward says:

Re: Re: Think about it for a minute...

Indeed, as soon as Google starts digging into an account holder’s specific emails to locate and block – it opens the door to further abuses.

It’s just a matter of time before our government starts “accidentally” sending messages to people they don’t like, and then requesting that Google freeze or otherwise go through their email boxes and block the emails that they “accidentally” sent for “reasons”.

How long before this becomes such a huge problem that the government simply seeks the power to do this on their own?

Michael (profile) says:

Re: Re: Re: Think about it for a minute...

That seems a little paranoid to me, Google seems to usually do a pretty good job of not letting blatant abuse happen like that, but I still think this is not a good idea for them.

Now, if they wanted to implement an “email recall” that actually worked and give people the ability to cancel an email that has not yet been read – great. This would be a nice feature for email, but doing one-offs like this for a big company is sketchy.

DannyB (profile) says:

Re: Re: Re:4 Think about it for a minute...

The tinfoil hat may increase your likelihood of being hit by lightning.

Not if you are also paranoid of getting hit by lightning.

Paranoia of being hit by lightning is every bit as sound and reasonable as being paranoid of NSA (and foreign) spying, corporate spying, corporate power and government corruption.

DannyB (profile) says:

Re: Re: Re:2 Think about it for a minute...

That seems a little paranoid to me

It used to be that those who seemed a little paranoid were the ones to consider as crazy.

The world has changed. Now the people who say “it seems a little paranoid” are the crazy ones in denial of reality.

The ongoing revelations of reality far and vastly exceeded even the most wild paranoid ravings prior to about 14 months ago.

No offense intended, just sayin’

Anonymous Coward says:

Re: Think about it for a minute...

no real harm done here.

Google has been haled into court, and they must pay their attorneys. Those attorneys might have been occupied in other matters if they were not spending time on this Goldman Sachs affair.

Google has been damaged.

Perhaps they had to fly one of their attorneys across the country to appear. Should Google have to pay that airfare? Google did no wrong. Goldman Sachs should pay that money.

Anonymous Coward says:

Confidential Paragraph

Could someone leave a link where it would show whether those “confidential” paragraphs at the bottom of an email are binding? I don’t see how anyone can demand a 3rd party delete, remove, not forward, etc… an email they received incorrectly.

Wouldn’t it be along the lines of not having to pay for items delivered to you that you never requested? It’s yours and you can do with it what you want.

Anonymous Coward says:

So if I work for one of these banks and I want an E-Mail account taken down (for political or revenge or whatever reasons) all I have to do is send ‘confidential’ information to it and suddenly I can have a court shut down the E-Mail address of anyone I want. Sounds like a nice denial of service attack.

Anonymous Coward says:

Re: Re:

To not get caught –
Step 1 – don’t ask for advice on how to commit a crime on a public website.

Step 2 – If you fail to perform step 1, by all means, do not mention that you have a Russian name, or that the institution you plan on blackmailing is a Dominican bank.

Step 3 – do not mention that you already notified the bank multiple times regarding their error.

Step 4 – If you’ve failed to perform steps 1, 2, and 3 – After sending your blackmail notice, please walk into your nearest law enforcement office and turn yourself in. You have no hope of getting away.

Anonymous Coward says:

Recklessness

It is reckless to send “highly confidential client information” in plaintext, without routine encryption.

It’s widely known that internet email transmission occurs hop-by-hop, over channels and through servers which are controlled by neither sender nor recipient. The vulnerability of email to eavesdropping has been well-discussed.

PGP was initially released in 1991, and other products with similar capabilities have been available for years. Thus, failure to use those encryption products cannot be attributed to lack of available software.

Sending highly confidential information over internet email without encryption is reckless.

Eldakka (profile) says:

Re: Recklessness

1) It was an email that was SUPPOSED to be destined for another GS employee being sent from a GS employee.

2) Most medium/large (and small) organisations have their own, internal, email servers, such that if an employee sends an email to another employee, that email never leaves the departmental network to go over ‘the internet’, therefore doesn’t need encryption.

3) In most large organisations that are multi-site (e.g. banks with many remote branches etc), or that closely deal with other organisations interchanging sensitive data (e.g. government departments communicating with other government departments), there are internal routing policies that send, say, emails destined for particular endpoints to hardware VPN routers, that have encrypted secure VPNs to the other organisation/office, therefore the data is fully encrypted before it leaves the organisation, sends it across the internet fully encrypted, till it hits the destination organisation/office, which routes it to its own internal hardware VPN encrypting service based on the source, then decrypts it before putting it into the recipient’s mailbox. All fully/highly encrypted, all transparent to the end-users.

4) There is no protecting against a stupid fckup by an obviously incompetent moron who manages to bypass all that encryption by sending it to gmail which would not be in the “forward to encrypting VPN service to use secure tunnel to other office” routing rules.

This fckup shows that no matter how you try to insulate the ‘dumb average’ user from the complexities of technology (in this case encryption) by putting in transparent encryption systems, in the end if you want a (relatively) secure system, you shouldn’t be insulating the user and relying on transparent VPN’ing, you should be teaching them how to encrypt their emails ‘manually’, thus teaching them to always manually encrypt any email they think is sensitive (but then you’ve gotta train them on identifying what is sensitive too!), or any email they aren’t sure whether it’s sensitive or not, before sending. Thus if it’s sent to the right place it gets a 2nd level of encryption via the VPN, or if it’s sent to the wrong place then at least the recipient can’t open it due to the manual encryption.

But as we all know, the average user is either too fking stupid (about 30% of the users out there) or too fking lazy (about 68% of the users out there) to learn and do this.

Anonymous Coward says:

Re: Re: Recklessness

It was an email that was SUPPOSED to be destined for another GS employee being sent from a GS employee.

Not so.

Note paragraphs 1 and 7 of the complaint embedded above.

From para 1:

… an outside consultant for Goldman Sachs…

From para 7:

On June 23, 2014, an employee of the consulting firm…

There’s a significant difference between a regular Goldman Sachs employee compared with an employee of a consulting firm employed by Goldman Sachs. The complaint does not allege that an internal employee was following internal procedures for internal mail. Rather, an outside consultant would normally be expected to use external procedures.

Anonymous Coward says:

Re: Re: Re: Recklessness

It is quite likely that the contractor was given VPN access and an account on the local domain or was even working on site at GS on their internal network. Furthermore, this mistake was likely caused by an autocomplete failure that was not caught until after the message was sent. That said, although there are specific situations where email CAN be secure, such as mail that never leaves the network, mistakes like this make it way too easy to compromise that security, and for that reason alone sensitive information should never be sent through email anyway as a matter of best practices.

DannyB (profile) says:

What precedent does this set?

Now other corporate parties will want Google to un-send emails? These requests will be for things of increasingly less importance.

First corporations will demand a direct, automated access to un-send emails sent by anyone whose email address they know of.

Because of the controversy this will create, the EU will pass a law recognizing a basic human right to un-send emails.

The French and/or maybe Germans will pass a law requiring Google by force of law to make people be able to un-read and un-remember emails they already read. Legislators and Judges will think this is all quite reasonable.

After all, it’s Google’s email service, they will argue. (The French won’t even bother with the pretense of an argument — it will be to preserve French culture.)

If you think this sounds crazy, you haven’t been following along here for the last decade.

Anonymous Coward says:

Re: What precedent does this set?

Now other corporate parties will want Google to un-send emails?

No. Don’t be ridiculous. This special favor is only available to corporations with over a billion dollars. Maybe even ten billion dollars. A hundred billion? Somewhere in there. At any rate, it’s an exclusive club.

Not kidding. That’s how the world works.

DannyB (profile) says:

Re: Re: What precedent does this set?

This special favor is only available to corporations with over a billion dollars
Not kidding. That’s how the world works.

Sorry to disagree, but you’re wrong. Very wrong.

This special favor is only available to ANYONE who can find a judge crazy enough to give them the force of law to make Google un-send emails, or get Google to make other people un-read and un-remember the emails already read.

Not kidding. That’s how the world works.

Yes, really. Conformity to reality not required. Just ask copyright holders. Look at the outrageous DMCA which now seems reasonable compared to SOPA.

ArkieGuy (profile) says:

An ID-10-T error if I've ever seen one....

1 – you don’t “test” with live client data!
2 – Would GS expect to be able to call the USPS and say “ummm, we mailed a statement to the wrong user, will you make sure it isn’t delivered for us?”
3 – you don’t “test” with live client data!!
4 – email should NEVER be assumed to be secure during transit unless you fully encrypt it
5 – you don’t “test” with live client data!!!
6 – Once you’ve sent it to the wrong address, YOU sent it to the wrong address.
7 – see steps 1, 3 and 5!!!!

David says:

I don't have much of a problem with this.

Presumably the email contains legally sensitive data, and the Bank could have a fully legitimate legal requirement/duty to request this.

The account wasn’t shut down.

Google required a court order

Only a specific message FROM THE BANK was checked and deleted.

The Bank did not get any information about the account holder, other emails, etc.

Were I to receive a court order to do this on my mail server, I would take similar actions.

And if you’re wondering about Google looking at your e-mails, then maybe you better use something else. If you don’t trust your email administrator (local or hosted), you get another one.

Anonymous Coward says:

Re: Re: Re: I don't have much of a problem with this.

only a single email can be deleted by the original sender under court order

How much compensation should the court order Goldman Sachs to pay Google for the service?

Bear in mind that Goldman Sachs did not take the measures which were within their control to encrypt the email. If Goldman Sachs had not been so reckless, the action by Google would have been unnecessary.

How much should Goldman Sachs pay Google for salvaging their reckless course?

Anonymous Coward says:

Re: Re: I don't have much of a problem with this.

I have a problem with this because sometimes stupidity needs to hurt in order for the stupid to learn. This is one of those times. Sensitive information should never be sent via email, even internally. Period. A secure internal system needs to be implemented for this type of information that prevents this sort of mistake from occurring. Allowing them to get away with un-sending a message means they likely won’t learn a damned thing from the mistake and continue the same bad practices in the future.

Anonymous Coward says:

Re: I don't have much of a problem with this.

the Bank could have a fully legitimate legal requirement

If the bank is legally required to ensure that the information is only accessed by the intended recipient, then why isn’t the bank routinely taking reasonable measures within their control? Why isn’t the bank routinely encrypting email so that it can only be read by the intended recipient?

Alternatively, if the bank doesn’t have a real duty sufficient to require encryption, then they don’t have a real duty.

The bank is capable of encrypting email so that only the recipient can read it. It’s not a lack of capability. The bank is in control of whether they choose to take reasonable measures on a routine basis or not.

David says:

Re: Re: I don't have much of a problem with this.

Yes, the bank was stupid – and depending on the information, there could still be some liability there. I’ve worked with HIPAA places, and they don’t send anything sensitive via email. They may send a notification of “log in our web site so you can see this important stuff!”, but that’s it.

Anonymous Coward says:

Re: Re: I don't have much of a problem with this.

The bank is capable of encrypting email so that only the recipient can read it. It’s not a lack of capability.

What happens when a bank demands that their clients set up to receive encrypted emails, and provide them with the necessary keys, and use the bank’s key to send emails to the bank? Note the more senior a person is in a company the more resistant they are to any inconveniences in their secretaries’ use of technology.

Anonymous Coward says:

Re: Re: I don't have much of a problem with this.

WTF happened…

Anyhow, I was going to ask: What if this was physical mail? Would you be OK with USPS coming back to your house, opening your mailbox, and removing mail that was addressed to you just because some corporation realized after-the-fact, that they didn’t want to send it?

What you’re suggesting is insane – that corporations can decide AFTER THEY’VE SENT SOMETHING, that they made a mistake and can take it back by going crying to a judge and asking for some order forcing an unbiased 3rd party to interject and create distrust with their customers.

It sounds like for you, a “court order” is good enough to not ask questions, and I guess that’s your opinion, but this sets some seriously bad precedent.

David says:

Re: Re: Re: I don't have much of a problem with this.

USPS has a worse problem, in that they mis-route mail that’s addressed correctly. It’s pretty rare that an e-mail will fall into the wrong Inbox.

You are also forgetting that the USPS effectively owns your mailbox. So there’s nothing preventing them from doing something like that even without a court order (doubtful it would be effective, since you probably pick up your mail long before a court order would get through). And once you get your mail out of the mailbox, it’s out of the USPS hands. So, basically, it’s possible a court COULD order that, but it’s more unlikely to be effective.

Anonymous Coward says:

Re: Re: Re: I don't have much of a problem with this.

a “court order” is good enough to not ask questions, and I guess that’s your opinion

The document embedded at the top, though, is not a court order.

It is a summons, demanding that a corporation headquartered in California appear in a court in New York.

Do the airlines give away free airfare? If one of Google’s attorneys, meaning to fly from California to New York, mistakenly buys a ticket to Miami, and gets on the plane, and then gets somewhere over flyover country before realizing his mistake… is the airline on the hook to turn the plane around, or divert it?

Surely the airline is not kidnapping the confused passenger. The airline would not be at fault.

Who pays?

Anonymous Coward says:

Re: Re: Re: I don't have much of a problem with this.

What if this was physical mail?

There’s no question that a physical letter is tangible, movable property. If someone wrongfully has possession of that chattel, then that specific item may be recovered.

But Goldman Sachs presumably does not want to recover the actual electrons or photons that were sent. Even if they did, those electrons or photons are not physically distinguishable.

Goldman Sachs has no rightful claim to the physical disks or other tangible media which stores the intangible information.

Anonymous Coward says:

Once delivered, the courts are impotent.

Doesn’t matter whether the mail was addressed wrong or not, once it is delivered, you are under no obligation to act in any particular way. Goldman Sachs could bluster and bellow all they like, they would have no standing. Same with spam that says “confidential information” at the bottom.

However, if you want to assert that right you may need a mail client that downloads to your local system.

And, of course, you would need to receive it in the first place. Which is why Google even enters the picture; the mail wasn’t delivered (accessed) yet.

And re the Dominican bank emails, talking to the bank more than once is obviously the wrong thing. Well, naming the bank publicly and then emailing them to point to said public naming might get a response. Also, notifying the “correct recipient” of the bank’s error might get a response from the bank once said customer raises a stink. Of course, notifying the bank in google-translated Spanish is also a possibility. Their CS people might just be monolingual to enhance account security!

Anonymous Coward says:

“Given the nature of the situation, and the fact that Goldman has actually gone to court and requested this, it does seem a bit more reasonable that Google agreed to at least temporarily block access to that particular email until a court decides if it needs to continue blocking it permanently.”

Ahhh… as expected, toward the end, some weasel words from Mike. If this had been anyone else but the Googlez, they would have been crucified.

Anonymous Coward says:

Stored Communications Act

The Stored Communications Act is notoriously tricky. See Orin S. Kerr’s 2004 article, “A User’s Guide to the Stored Communications Act, and a Legislator’s Guide to Amending It”.

… courts, legislators, and even legal scholars have had a very hard time understanding the method behind the madness of the SCA. The statute is dense and confusing…

But, in the situation at hand, it’s necessary to remember that Google does not have complete freedom to just “return” to some third party an email sent between two other parties.

18 U.S.C. 2702 — Voluntary disclosure of customer communications or records

(a) Prohibitions.– Except as provided in subsection (b) or (c)–

(1) a person or entity providing an electronic communication service to the public shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service; and

. . . .

(b) Exceptions for disclosure of communications.– A provider described in subsection (a) may divulge the contents of a communication–

(1) to an addressee or intended recipient of such communication or an agent of such addressee or intended recipient;
(2) . . . .
(3) with the lawful consent of the originator or an addressee or intended recipient of such communication, or the subscriber in the case of remote computing service;
. . . .

If Goldman Sachs were simply asking for the destruction of their outside consultant’s misdirected email, it wouldn’t implicate the SCA’s “knowingly divulge”. But Goldman Sachs is asking for the email’s “return”. Presumably, they believe that they’re the “intended recipient” of the email which their outside consultant wrote.

Anonymous Coward says:

Wrong target

What should happen is that GS files a suit against the recipient to not disclose the information. Not against Google!
Google could – maybe, at most – be asked to help GS in identifying the recipient, but I’m not sure they would be much help (depends on the info in the account).

And the fact that GS has that obligation to keep confidential information out of the wrong hands? Yeah, right, they screwed up! Their mistake, their problem, their lawsuit for negligence… not Google’s.
