
About Jimmy

James 'Jimmy' Blake is the Chief Security Officer for Mimecast, a leading cloud services vendor based in London. James has overall responsibility for risk management and business continuity for the organisation's internal IT infrastructure and service delivery platforms across four continents and within global partners such as Cable & Wireless and Iron Mountain.

He holds a PhD in Information Security Management and is a Certified Information Security Systems Professional. James has nearly two decades of commercial experience in information security, business continuity and storage.

James has a love of loud Harley Davidson motorcycles, real ale, role playing games and even louder heavy metal. He lives in rural Kent with his partner, Sonia, and stepson, Rafael.

Tuesday 13 Oct 2009

Cloud custodians don't own your data


Cloud service providers need to remember the relationship they have with their customers: we are the custodians of our customers' data, not its owners.

Take the recent case of an employee at the Rocky Mountain Bank who, in error, sent confidential personal information about 1,800 of its customers to a Google Mail account - a case of the wrong attachment sent to the wrong recipient.

A customer requested that his loan statements be sent to his Google Mail account. Instead, the bank employee attached a document containing the names, addresses, Social Security numbers and loan details of over 1,300 customers, and sent it to the wrong Google Mail account.

After first attempting to recall the email, then to contact the recipient, the bank contacted Google and succeeded in getting them to delete the account. This case raises three important questions:

Firstly, why did an employee even consider sending the original documents to the customer that requested them? Email is a clear-text protocol, and sending even the loan statements this way is far from best practice. This is an example of how an ad-hoc procedure can go terribly, terribly wrong.

Secondly, why did the bank not have a Data Leak Prevention capability in place to look for Personally Identifiable Information (PII) embedded in emails and enforce a policy preventing its transmission to anyone other than authorised recipients - or, at the very least, requiring it to be encrypted in transit?
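As an added illustration of the DLP capability asked for above (example code written for this page, not the bank's or any vendor's product), a minimal outbound-mail policy check in Python: it scans the message body and the extracted text of attachments for SSN-like values, then allows, requires encryption for, or blocks the message depending on whether the recipients are on an authorised-domain list. The domain name, customer records and SSNs are all constructed.

```python
import re
from dataclasses import dataclass

# Internal domains whose recipients are authorised to receive PII (placeholder).
AUTHORISED_DOMAINS = {"bank.example"}

# US SSN pattern with structurally invalid areas/groups/serials excluded,
# so that dates, phone numbers and ticket IDs produce fewer false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

@dataclass
class Verdict:
    action: str      # "allow", "encrypt" or "block"
    ssn_count: int   # distinct SSN-like values found in body and attachments
    reason: str

def find_ssns(text: str) -> set[str]:
    """Return the distinct SSN-like strings present in text."""
    return set(SSN_RE.findall(text))

def evaluate_outbound(recipients, body, attachments, block_threshold=2) -> Verdict:
    """Policy: PII to authorised domains passes; one customer's PII to an
    external mailbox must go encrypted; a bulk listing to an external
    mailbox is blocked outright. `attachments` maps filename -> extracted text."""
    external = [r for r in recipients
                if r.rsplit("@", 1)[-1].lower() not in AUTHORISED_DOMAINS]
    hits = find_ssns(body) | {s for t in attachments.values() for s in find_ssns(t)}
    if not hits:
        return Verdict("allow", 0, "no PII detected")
    if not external:
        return Verdict("allow", len(hits), "PII bound only for authorised recipients")
    if len(hits) >= block_threshold:
        return Verdict("block", len(hits),
                       f"{len(hits)} customers' SSNs addressed to external {external}")
    return Verdict("encrypt", len(hits),
                   "one customer's PII to an external mailbox; require encrypted delivery")

# Constructed sample messages (fictitious names and SSNs).
STATEMENT = "Loan statement for J. Doe, SSN 321-54-9876, balance 12,400.00"
CUSTOMER_LIST = ("Name,Address,SSN,Loan\n"
                 "J. Doe,1 High St,321-54-9876,12400\n"
                 "A. Roe,2 Low Rd,415-27-3390,8150\n"
                 "B. Poe,3 Mid Ln,523-18-4471,20000\n")

if __name__ == "__main__":
    # The requested statement to the customer, and the mis-sent bulk listing.
    print(evaluate_outbound(["jdoe@mail.example"], "Your statement", {"statement.txt": STATEMENT}))
    print(evaluate_outbound(["stranger@mail.example"], "Your statement", {"list.csv": CUSTOMER_LIST}))
```

In a real gateway the same check would run over text extracted from whatever attachment formats are in use, and a block verdict would raise an alert for review rather than silently dropping the message.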

Thirdly, Google initially refused to provide any information on the account without a court order, so Rocky Mountain Bank obtained one from a California judge ordering the recipient's account to be temporarily suspended. This sets a terrible precedent - especially considering Google's operation of commercial accounts. If you are the recipient of confidential information accidentally sent to you, your account can be suspended.
