Jonathan Stempel reports:
(Reuters) – Goldman Sachs Group Inc said a contractor emailed confidential client data to a stranger’s Gmail account by mistake, and the bank has asked a U.S. judge to order Google Inc to delete the email to avert a “needless and massive” breach of privacy.
The breach occurred on June 23 and included “highly confidential brokerage account information,” Goldman said in a complaint filed last Friday in a New York state court in Manhattan.
Goldman did not say how many clients were affected, and wants Google’s help in tracking down who might have accessed the data. The Wall Street bank also said Google “appears willing to cooperate” if there is a court order.
Read more on Reuters.
Update: Because this case has some disturbing implications for user privacy and control, I’ve been searching to find other cases that might be similar. So far, I’ve found one case in 2009 that TechDirt and TechSpot reported.
From a breach perspective, suppose the Gmail account had an automatic forward to a non-Gmail account set up. Google could delete the email from the recipient’s inbox under court order, but that wouldn’t delete the copy that had been forwarded. Does the company’s wish to recover/delete the email trump the individual’s right to privacy? Should Google be ordered to reveal the forwarding email address? And does it matter (it should) whether the email had already been opened or not in terms of the company’s responsibility to disclose the breach or notify regulators and individuals?
Lots of questions here…
Update 2: Reuters reports that Google has blocked access to the email:
“Google complied with our request that it block access to the email,” Goldman spokeswoman Andrea Raphael said. “It has also notified us that the email account had not been accessed from the time the email was sent to the time Google blocked access. No client information has been breached.” A Google spokeswoman declined to comment.
Google will not delete the email, however, without a court order. But should Google have even given this much info to Goldman Sachs? And will they tell Goldman whether there are any forwarders set up on the account?
Wouldn’t another question be “Why are Goldman Sachs contractors emailing massive amounts of confidential information around? Surely GS has better ways of doing this.”