Goldman Sachs Demands Google Unsend One of Its E-mails

rudy_wayne (414635) writes A Goldman Sachs contractor was testing internal changes made to Goldman Sachs system and prepared a report with sensitive client information, including details on brokerage accounts. The report was accidentally e-mailed to a 'gmail.com' address rather than the correct 'gs.com' address. Google told Goldman Sachs on June 26 that it couldn't just reach into Gmail and delete the e-mail without a court order. Goldman Sachs filed with the New York Supreme Court, requesting "emergency relief" to avoid a privacy violation and "avoid the risk of unnecessary reputational damage to Goldman Sachs."

Too late now

[itzly]

If this is interesting information, it has already been copied from the Google server to somebody's personal computer.

E-mail?

[Scutter]

Massive privacy breach....e-mailed a report...containing sensitive details...e-mailed...

The problem here isn't that it was sent to the wrong account. It's that it was e-mailed AT ALL.

Re:E-mail?

[MikeBabcock]

Good luck explaining this to companies ... I'm still working over people who insist on sending confidential Excel spreadsheets by E-mail.

Re:E-mail?

[Dr. Evil]

"testing internal changes... with sensitive client information"

Should violate all security policies right there.

Re:Disclaimer?

[blane.bramble]

The problem with that is, is if was sent to your email address, you are the intended recipient.

Re:why?

[Anrego]

This all seems fairly reasonable to me.

You have enough people doing enough things, eventually someone is going to make a stupid mistake. In hindsight there is probably plenty of stuff that could have or should have been in place to prevent this, but then there always is when looking back at a problem.

Google seems to be acting reasonably. Putting a process in place where companies can quickly and conveniently "take back" emails seems like a bad idea. Requiring a court order ensures that this goes through a strict process and is well documented. Google doesn't seem to be "fighting" this so much as saying "get a court to tell us to and we'll happily do it for you".

And I don't get the impression that Goldman Sachs is pounding their fists on the desk here either. They are doing everything they can to repair or prevent damage caused by a mistake they made. They are seeking out the court order and probably other stuff internally.

Re:Disclaimer?

[u38cg]

These disclaimers are worthless (legally), as you can't accept conditions just by receiving something; none of the heads of contract are satisfied. However, if they motivate the receiving party to do what you want them to then they serve their purpose.

Re:Non-story.

[mwvdlee]

Just because an issue was quickly resolved doesn't make it a non-story.

If Goldman Sachs uses the insecure SMTP protocol to transmit highly sensitive unencrypted data, they deserve the reputation damage (and a security audit).

Re:Disclaimer?

[blane.bramble]

I've also seen a creditable argument that because the disclaimer is at the end of the email, and you would have to read the email and therefore all of it's content before reading the disclaimer that warns you not to, that they are particularly worthless.

Re:why?

[oh_my_080980980]

Step back and see what Goldman Sachs is asking. What if they are lying? How does Google know what Goldman Sachs is asking is valid. What would happen if the user was suppose to get email, suddenly finds that email not longer present because Goldman Sachs or someone else asked Google to delete it.

Think Potsy, think.

Re:why?

[JaredOfEuropa]

The real question is: should the court order such an action, and under what conditions?

Analogy alert: GS mistakenly sends me a letter by physical mail, then asks the post office (or asks a judge to order the post office) to send a mailman round, break into my house, and retrieve the letter. That clearly won't happen; worst case is that the judge would order me to surrender the letter. In case of email, is Google (under their terms & conditions and the letter of the law) allowed to "break into" my mailbox and remove the offending letter? And should they be?

Re:why?

[gman003]

Well, that's what the court is for. They get to decide if deleting this email is the right thing to do or not.

Who else would you suggest? Goldman Sachs is out, obviously. Would you rather Google be the one to decide?

Re:why?

[Anrego]

Or what if this email was going to be evidence in a case against Goldman Sachs.

This is exactly why this goes through the courts. Sorting stuff like this out is kinda why courts exist.

Re:why?

[rolfwind]

Is google gonna have to run tech support everytime someone mistakenly sends an email?

Should the USPS intercept a letter upon request everytime someone made a mistake in sending it out?

No, it's not doggone reasonable. In fact, it's so unreasonable, that only a company with the pull of Goldman Sachs can demand it.

Do you think you go to google with the same request, they'll bow down to you? Do you think the courts would have granted it so fast?

Of course not, because it's a drain on their resource to help some dumbass rectify his own damn mistake.

Re:Non-story.

[mwvdlee]

Assuming the data was in some attachment (of could have been easily put in an attachment), how about just encrypting the attachment if it contains information so incredibly sensitive that it warrants a court order if it ever leaks out.

You don't need PGP, IMAP or any specific OS, just a small bit of common sense.

Re:why?

[Pieroxy]

As always, the analogy is flawed.
If the court ordered someone to break into your house and delete the attachment you saved locally, your analogy would hold. As it is, what GS is asking would be analogous to the court ordering the post office to remove the letter from your PO Box. Seems much more reasonable to me.

So can I

[Kardos]

make the same request when I accidentally reply-all to save myself 'reputational damage'? Or does this only work for large companies with lots of money?

Re:why?

[Anonymous Coward]

Here is a lesson from this:

This is why divisions with critical info use some form of IRM/RMS. A mistake with a document being sent results in an encrypted document landing in the destination mailbox. Not a good thing, as the name and length of the file is readable... but not a complete leak either -- damage is mitigated. Plus, in Outlook this is as simple as clicking "do not forward" when attaching a document.

The parent has it right. These are two companies doing proper process/procedure to deal with a fuck-up, and nothing more.

Re:why?

[Imagix]

Unfortunately your analogy is also flawed... the mail _was_ addressed to the recipient. GS "wrote" the wrong address on the envelope.

Re:E-mail?

[Charliemopps]

Don't put anything in an email that you wouldn't put on a postcard. If you MUST email sensitive information, encrypt it before sending -- the encryption is the envelope.

No... encryption doesn't work either. If the data is only sensitive in the short term then you can encrypt it. So, for example, a configure file that wont matter in a month when you change it. But if the data is actually sensitive, like your financial records, eventually that encryption will be worthless and if anyone saved that file, they'll be able to decrypt it.

Re:Reputational Damage

[Em Adespoton]

What this also indicates is that "Joeblow@gmail.com" was already in the employee's address book, which means it is someone they correspond with. Given this, did the employee then contact that person and ask them to delete the previous email? I presume they did, and got a "fat chance" in reply. And if THIS was the case, you can rest assured that "Joeblow@gmail.com" has already saved the email elsewhere and likely forwarded it to other email addresses; so this attempt at a court order, while it may show that the employee was attempting to do the right thing (so protecting their job), won't actually accomplish anything in the name of privacy or "name polishing".

It's like Barbara Streisand has suddenly requested the world forget about her... and they have.

Re:why?

[meerling]

Can, Should, and Will Only Due So With A Valid Court Order are very different things.

Sure they can, but how do you think every user of Google products will think if any company out there can say, "oops, didn't mean to send that, google, go fix my screw up and delete that from peoples inboxs."?

Should they do it? Maybe, but again, at this point we only have Goldman Sachs word that they 'should'. Maybe their entire story was fabricated and it was proof sent out by a whistleblower. Maybe it wasn't sent by a whistleblower, but it is proof of illegal activity that should be turned over to the appropriate legal or regulatory agency. We only have the companies word for it, and do companies ever lie about stuff like that?

So Google is going with "Will only due so with a valid court order" on this. Good choice. You won't piss off the customers because a court made you do it, and you won't get yourself in legal trouble because a court made you do it. Yep, this is the right choice if they have any functioning brain cells at all.

There's also a fourth option of just plain refuse. Claim the mail system is sacrosanct and it won't be messed with. Of course there are two big problems with this. First is almost nobody will believe you. Second is you are then looking at a big as legal battle you probably won't win because you are not the federal government. That's why I didn't list this one in the beginning, though I did mention it at the end to avoid having a million responses pointing this one out.

That's my say, disagree or whatever ;)

Email Insecure

[Roger W Moore]

Through a combination of carelessness and cluelessness, this employee managed to put hundreds of millions if not billions of dollars of customer funds at risk.

Sending information like this via email is where the mistake happened, not mistyping the address. Email is not secure even if it is sent to the right address you have no control over how it gets there and it could be easily intercepted and read enroute. Their reputation loss has already occurred by admitting that they use email for highly sensitive information like this.