Rocky Mountain Bank reveals “oops” in court papers

As  noted on yesterday, Thomas Claburn of Information Week reports that when Rocky Mountain Bank tried to get a court to seal its lawsuit against Google to compel disclosure of  information on the recipient of an errant Gmail containing sensitive customer information, the court declined.

It looks like the Streisand Effect has struck again, as now the media are not only reporting details of the breach that were included in the judge’s ruling denying the seal, but Rocky Mountain Bank may get a worse reputation for trying to perhaps justify not disclosing their error to the 1,325 customers whose details were mis-sent to the wrong Gmail address.

So in the absence of an actual breach disclosure notification by the bank, this site views the court order as a breach disclosure. A copy of the judge’s order (pdf, courtesy of Threat Level) indicates that the court did not agree that determining whether the email had been opened was necessary in order to inform customers of the breach:

Plaintiff argues that if its complaint and motion papers are not filed under seal, all of its customers may learn of the inadvertent disclosure. Plaintiff further argues that publication of the disclosure before it determines whether the Gmail account is active or dormant will unnecessarily create panic among all of its customers and result in a surge of inquiry from its customers. In his declaration, Mark Hendrickson, states that “until there is a determination that the Confidential Customer Information was in fact disclosed and/or misused, the Bank cannot advise its customers on whether there was an improper disclosure.” (See Declaration of Mark Hendrickson in Support of Motion to File Under Seal, filed herein on September 18, 2009, ¶ 18.)

An attempt by a bank to shield information about an unauthorized disclosure of confidential customer information until it can determine whether or not that information has been further disclosed and/or misused does not constitute a compelling reason that overrides the public’s common law right of access to court filings. Plaintiff is already able to advise its customers that there has been an unauthorized disclosure of confidential customer information, and inform them of the steps it is taking to rectify the situation.4 And Plaintiff has not shown that disclosure of the information contained in its complaint and motion papers “could result in improper use of the material for scandalous or libelous purposes or infringement upon trade secrets,” or invasion of any personal privacy rights that might warrant protection under Federal Rules of Civil Procedure 26(c). Plaintiff has not disclosed any actual customer information in its pleadings or motion papers.5

4 The possibility that the email has not been opened, or that the information has not been misused, does not change the fact that there already was an unauthorized disclosure of the information to an unknown third party.

Image credit:

About the author: Dissent