

To what extent is an organisation liable when they get security wrong? - mikeevans
http://www.troyhunt.com/2014/01/to-what-extent-is-organisation-liable.html

======
dctoedt
A few points that might help put this into context (oversimplifying a bit):

1\. In general, negligence law works to prevent people and companies from
imposing the _costs_ of their actions on others, that is, externalizing those
costs, while retaining the _benefits_.

For example, suppose that a pizza delivery guy drives too fast. Perhaps he
wants to make more deliveries during his shift and thereby earn more money.
Whatever the reason, suppose also that the pizza guy hits a parked car with no
one in it (to simplify the example).

In that situation, the pizza guy (and his employer, but that's another
discussion) likely will have to pay to have the other car fixed, and for a
rental car for the other car's owner. The rationale is that the pizza guy and
his employer shouldn't be able to retain the benefits from his fast driving
while making others, i.e., the owner of the car he hit, bear the resulting
costs.

(That, incidentally, is why drivers in many jurisdictions are required by law
to carry liability insurance -- so that if a driver does negligently get into
an accident, there will be a pre-established pool of money that can be tapped
to pay for the resulting damage, even if the driver himself happens to be
broke at the time.)

\--------

2\. Negligence can be loosely paraphrased as a failure to use due care _when
there 's a duty to do so_. In any given case, it might be debatable whether a
duty of care existed, and if so, whether the defendant complied with that
duty. In assessing these questions, courts generally look at, for example:

\+ the likelihood and magnitude of the potential loss from the conduct in
question (i.e., the expected loss);

\+ the incremental cost of additional measures to prevent the expected loss;

\+ in the case of a business, whether that incremental cost can be amortized
across the business's customer base by the business's buying insurance (or
self-insuring) and then increasing its price accordingly;

\+ which party is in a better position to take measures to prevent the
expected loss, and/or to bear the loss if it comes to pass.

For the mathematically-minded: A famous case studied by all U.S. law students
is _United States v. Carroll Towing Co._ [1], where the opinion was written by
the legendary judge Learned Hand (yes, that was his name). Judge Hand put it
in algebraic terms:

 _" Since there are occasions when every vessel will break from her moorings,
and since, if she does, she becomes a menace to those about her; the owner’s
duty, as in other similar situations, to provide against resulting injuries is
a function of three variables:

"(1) The probability that she will break away;

"(2) the gravity of the resulting injury, if she does;

"(3) the burden of adequate precautions.

"Possibly it serves to bring this notion into relief to state it in algebraic
terms: if the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by P: i.e., whether
B < PL."_

\--------

3\. So how does this apply to criminal hacker break-ins? Suppose that: (A) a
company fails to use "due care," whatever that means, by way of security
precautions; and (B) as a result, third parties are damaged in ways that
"reasonable people" would have foreseen. In that situation, it's not hard to
imagine that the company might well be held liable for such damage.

As a practical matter, in a negligence trial, the plaintiff's lawyers will
often think up additional precautions that the defendant supposedly could have
taken without undue cost or burden. The defendant's lawyers are then in the
position of having to convince the judge or jury that the cost or burden would
indeed have been "undue." That can be an uphill battle, especially when the
plaintiff is a sympathetic sort and the damage is something that judges and
jurors can identify with.

[1]
[http://en.wikipedia.org/wiki/United_States_v._Carroll_Towing](http://en.wikipedia.org/wiki/United_States_v._Carroll_Towing)

~~~
thrush
I believe this area of the law is considered a tort. In a tort case, it's up
to the company to perform reasonably. The biggest difficulty that the court
has is creating a bar for what is reasonable. Much of the time reasonable is
defined by what similar firms (latest and greatest) are doing. One of the most
famous tort cases is the McDonald's case where a woman sued the company
because she burned herself from their coffee. She ended up winning the case
and now McDonald's has to label every coffee cup with: 'Caution: Contents is
hot'. I'm not sure how this relates to getting a ticket for not closing your
window, but this definitely relates to the Snapchat security vulnerability.

[http://en.wikipedia.org/wiki/Tort](http://en.wikipedia.org/wiki/Tort)

------
belorn
It would only be healthy for the industry if organizations was liable for
loosing sensitive information. If there is no economic risk to be lost, then
no serious amount of budget will ever be spent on security. It is basic
economics.

There is always the opinion that liability might threaten innovation. That can
however be mitigated by having less sensitive information stored on ones
servers, or by regular insurance if such information is critical to have.

~~~
ds9
That would be the right policy, IMHO, if it were defined in the right way.

The crucial distinction is between software providers and businesses storing
data related to customers. If the software providers were liable, there would
be a devastating effect on the business world and society - basically it would
become so that the only way to obtain software would be from giant
corporations, and every coder would have to get licensed and buy insurance.

So let's not go there - but businesses selling products or services to the
public and storing customer data should not be able to opt out of liability by
putting some fine print in their boilerplate terms. Instead they should have
to pay the full cost of repairing "identity theft" (so-called, it is actually
impersonation) for every customer whose data they lose control of. (Think of
Target, TJM etc. rather than Snapchat - i.e. cases where the attackers get
personal details and maybe CC data)

This would establish the right incentives, but it would not impair business
because with competent staff and best practices, it is possible to get good-
enough security for the purpose.

------
robmclarty
I think the "leaving the windows open" argument is wrong. As far as what's
right and wrong is concerned, I should be able to leave the door wide open if
I so choose. It's my car. If someone comes along and steals my car, however, I
would call that wrong and the thief is at fault. Obviously, I don't want my
car stolen (because I need its utility) so I take preventative insurance
measures to avoid the potential burden of losing use of my car, talking to the
police, and hunting down the thief. But, imho, that's my choice and I don't
think I'm actively causing others harm by leaving my windows down.

To add some genderism to the fire: if a woman choses to wear clothes that some
would consider "provocative" is it her fault that she gets raped because she
was inviting undue male attention? Is she simply "asking for it"? I don't
think so. And I think it's a human's right to freely express him or herself as
s/he choses. If I want to leave the window to my car down, that's up to me,
the owner of the car. If someone steals my car, that's their fault.

As far as software security is concerned, I think there are definitely
reasonable and unreasonable steps that can be taken in the development of it.
But I don't expect the developers of the software I use to be on the edge of
their seats watching the internet for the every single security exploit that
pops up so that they can instantly apply a patch. I do expect them to take
reasonable steps to reasonably secure the software, and when something becomes
obvious, to deal with it. When I entrust the storage of my personal details
with a website, I have certain expectations about how that information is
handled, but I don't expect it to be 100% impervious to attack.

I also think there lies some responsibility with the user to choose to use
software they trust (trust being a spectrum, not a binary distinction). For
example, I wouldn't expect a lot of security from some kind of seedy porn
software, and would actually expect the software to actively compromise my
system. If I chose to install such software, I think I'd be partly liable for
installing something that is obviously insecure. But I have different
expectations from my banking software. I think those expectations, which are
relative to particular industries and markets, and which are fuzzy and ill-
defined, are partly a user's responsibility (but not wholly... I still expect
my bank to reimburse me if someone breaks into their database and steals my
money).

My point is that liability in software security, to me, is a fluctuating grey
area, and that the areas are defined differently for different kinds of
software which should, at least partially, be apparent (and avoidable) to the
end user.

I'm not trying to defend Snapchat or say that you should leave your car
unlocked, just that I think these kinds of issues are not black and white, nor
that one party is 100% wrong and another party is 100% right.

~~~
kenrikm
Would the police fine a convertible owner who leaves the top down? interesting
concept and incredibly flawed.

------
jchung
I've been wondering the same thing about Snapchat. Acknowledging a security
risk publicly and then not addressing it sounds like negligent conduct. Then
again, I'm not a lawyer, and I'd guess if there was money to be made in a
class action lawsuit someone would have started those wheels turning already.
It does raise a concerning proposition: if any of us can be held liable for
"leaving the windows open", who gets to decide when the windows are left open
or not? Having to launch each and every app with a whole slew of security
features before opening it to the public could end up stifling innovation.

~~~
bob_loblaw
The fact that the courts sided with AT&T and not weev, I am guessing a class
action lawsuit wouldn't get very far. The problem is that people who don't
really understand this stuff will be asked to set up guidelines on "leaving
the window open." I could easily see a "solution" that makes things worse.

------
droopybuns
A responsible CEO is going to have to think very hard about publically
accepting responsibility for an event like this. Accepting responsibility
publically puts you in a difficult situation if there is a lawsuit.

I feel like the writer is a bit naieve about the realities of "insecure"
software in writing this article for more than just being unaware of why a ceo
has to frame the discussion as abuser-centric.

Writing secure software is not easy. Putting liability in place for writing
secure code would open every software company in the world to risk of lawsuits
and there would never be any real resolution. The best in the world still get
security wrong and on top of that you are architechting solutions on top of
layers and layers of abstraction. An attack against a lower layer is usually
how you end up getting hacked.

You might as well write a law that says everyone gets free unicorns.

------
jsun
I mean let's put this in perspective on the whole snapchat issue - they lost a
list of usernames.... which could theoretically be used to match to the
person's other usernames from other sites.

It's just not crazy useful... you can do the same thing by scrapping facebook
or linkedin without even having to "hack" them. There's companies that expose
as much through open APIs.

~~~
lost_name
As was pointed out in a thread when this first happened, there's more
important and valuable information in a phone book than what was leaked here.

If we're talking about the content, then I feel it's a pointless argument. If
we're saying that it should have been avoided regardless of content, I agree,
but the media time and the severity at which it's been advertised is probably
a bit overboard.

------
yourapostasy
The answer in the US for a stock brokerage is "categorically no regulatory-
based liability". If there is nothing for a fiduciary that handles your money,
there is no hope for customers of any other kind of company. I know this for a
fact from first-hand experience witnessing someone's large 6-figure retirement
account at Dxxxxxs (name disambiguation available upon request, post an email
here and I'll send it to you, but most can guess who it is after this hint:
BNY) get zeroed out from an information security attack, and helping with
their subsequent attempts to recover funds.

The fiduciary admitted they do not suspect the victim drained the account on
their own, and admitted there was no laxity on the victim's part they are
aware of (no claim of password has too little entropy, for example). We
suspect only a few accounts were hit, and all were drained due to an
information security breach of some kind (the victim has some ties to sources
who work on Wall Street who indicated they've heard about the breach).

The fiduciary proactively notified the victim of unusual account activity.
That was the ONLY positive reaction to date (14 months ago now as of the time
of this writing). The fiduciary then proceeds to:

* Lock out the victim from their own online account. Even read-only access to review historical transactions was denied.

* Mark the account "under internal security review", refuse any further discussion pending results of review.

* Make no effort to communicate with victim (my guess is they are likely expecting to lawyer up and go to litigation).

* Refuse at the local branch office to print off historical transactions (victim had switched to paperless a long time ago).

List of agencies contacted and who have refused to assist due to lack of
jurisdiction:

* local police

* state banking commission

* state financial regulatory commission

* FBI

* SEC

* FINRA

* CFPB

I am waiting for the victim to give up all hope and give me permission to
politely go through my attorney and if rebuffed out this publicly to any
financial news reporter who wants the detailed information (account numbers,
what little paper history trail exists, etc.), while giving the fiduciary a
fixed amount of time to resolve. I might also involve the IRS after
consultation with a tax attorney; there are some interesting tax laws that
might be relevant from some basic research I did.

------
0xdeadbeefbabe
I know liability and laws are all the rage, but here is a different take:

I'm disturbed by car == snapchat software. They didn't get the security wrong
either. Whatever people can do to abuse the system, at least the system exists
in the first place. I fear that if you try to regulate software in terms of
right and wrong or in terms of open car windows etc. you will end up with
goofy standards that will stifle innovation. I'm sure someone could mention
one of those standards.

The software is just doing what it does. You could call this "attack" a
feature for power users.

