14

Security Experts the world around all agree that you should not reuse passwords across sites. This is simply a matter of best practice, and it protects you such that if your StackExchange password is stolen, they can't use that to access your bank account.

The general feeling I get from my security friends is that this "advice" is legally bulletproof, and that if their website is hacked, and plaintext passwords are stolen, they don't have to worry about someone suing them because the password that was stolen from their website was also used on that person's banking page. After all, "It's the user's fault for reusing a password!"

Has this belief actually been upheld in court yet? Or is this a firestorm waiting to happen when Amazon turns out to be the victim and they sue some smaller organization for every penny it has?

David Siegel
Catachan
    I don't think that you could sue a company if the leaked passwords were misused somewhere else. But in the EU because of the GDPR you sue the company if the password database was not protected using state-of-the-art technology. As passwords are personal data they should be covered by the GDPR. – Robert Aug 24 '21 at 18:45
  • 1
    If your scenario happens, the website would have enough liability to financially ruin it (unless it was large enough to shoulder multiple fines and lawsuits) even without the question of password reuse…. –  Aug 24 '21 at 19:43
  • @Moo We're assuming that there are no legal regulations that your site must adhere to. The only truly sensitive data on the hacked site is the passwords it gave up. So there is no PII involved. – Catachan Aug 24 '21 at 19:49
  • 2
    There are very few cases on point. Most that are brought at all are settled prior to trial so there are even fewer resolved on the merits to provide guidance and there are fewer still that result in published appellate court decisions that can serve as precedents in future cases. It is an emerging area of law which is an issue of first impression in most jurisdictions. And the jurisdiction in question absolutely does matter, since this is not an area of longstanding uniformity in the law. – ohwilleke Aug 24 '21 at 20:14
  • @Catachan doesn't stop them being sued. –  Aug 24 '21 at 20:27
  • @Catachan and going by your question, the assumption here is that the username is also leaked because otherwise how would the matchup across sites happen? An attacker would have to be trying every password against every single email or username in existence, everywhere on every site... –  Aug 24 '21 at 20:29
  • I can't imagine that the user agreement does not include a limitation of liability. No business will take on liability of things outside its boundaries if they can help it. – Tiger Guy Aug 24 '21 at 21:34
  • @Tiger Such limitations of liability may not be effective, depending on the jurisdiction and the details. They surely do not immunize a company from data breach laws such as the CCPA. – David Siegel Aug 24 '21 at 21:52
  • 4
    Anyone storing passwords in plain text is criminally irresponsible. Anyone storing anything but a salted hash of the password is criminally irresponsible. It is a blatant violation of minimal security. And in the end, you should think about your customers’ security first. – gnasher729 Aug 24 '21 at 22:44
  • 1
    A password is very, very much Personally Identifiable Information. And just because it is a good idea not to rely on companies to avoid doing stupid things that they can be sued for doesn't mean they can't be sued for doing stupid things. – gnasher729 Aug 25 '21 at 08:46
  • 1
    This doesn't relate to the legal issue but I don't think it's worth worrying about Amazon suing some company into oblivion just because they have a lot more money for lawyers in this case. It would be hard to imagine a situation in which Amazon was the victim in a case like this unless someone on their staff used the same password which allowed them access to Amazon's internal data on some third party site, and Amazon has no additional security (such as two factor authentication) in place for connections like that. Amazon customers yes, Amazon no. – Eric Nolan Aug 25 '21 at 11:03
  • It was reported (https://nakedsecurity.sophos.com/2012/06/21/linkedin-slapped-with-5-million-class-action-suit-over-leaked-passwords/) that LinkedIn were sued after leaking user passwords. I don't know what the outcome of the case was. – Michael Kay Aug 26 '21 at 10:07

3 Answers

31

The argument you are making, restated in legal terms, is roughly as follows:

  1. Users have a duty to not reuse passwords.
  2. When a user reuses a password, and their password is subsequently stolen and used to fraudulently access the plaintiff's system, that password reuse becomes the proximate cause of the plaintiff's business injury.
  3. Therefore, our storage of plaintext passwords cannot be the proximate cause, and so we cannot be liable.

This argument is mostly wrong. Leaving aside the fact that you're going to have a tough time convincing a jury of #1, a tort may have more than one proximate cause. Both the password reuse and the plaintext storage were but-for causes of the injury (i.e. if either had not happened, then the injury would not have happened). The injury was foreseeable, because it is well known in the security industry that many users in fact do reuse their passwords, professional advice notwithstanding. In most US states, that's enough to establish proximate cause. In the minority of states using the "direct causation" test, you might be able to characterize the user's password reuse as an intervening cause, and thereby avoid liability.

However, there are other elements of tort law which must be established aside from proximate cause, and so by itself this does not resolve the question of liability. Other defenses might be applicable; for example, the terms of service might contain an indemnification agreement, which (if upheld) would make the user(s) responsible. The defendant might also argue that there is no duty of care, that it was not breached, or that the injury was or should have been de minimis (i.e. that the plaintiff should have taken greater care to prevent damages arising from account hijacking).

Kevin
  • Also, regarding the defenses you mentioned, let's assume that the breach was an extremely high profile breach, and it is possible to prove that the password obtained in the breach and used on the Plaintiff's system could only have come either directly from the user, or from the breach. – Catachan Aug 24 '21 at 20:36
  • And then there is the duty of care argument, by which the holder of the data must make proper efforts to properly safeguard that data. – jwenting Aug 25 '21 at 07:00
  • The injury through password reuse is NOT foreseeable to 80% of users. – gnasher729 Aug 25 '21 at 08:48
  • @gnasher729 I think the answer refers to the injury to users being foreseeable by the holder of passwords, not that the users themselves can foresee the injury (meaning, the holder knowingly took on a high risk of user injury). Though, in my opinion, the risk is foreseeable by users, it's just that 80% of them inexplicably refuse to think about it. – Clay07g Aug 25 '21 at 14:34
  • @Clay07g It's similar to people who drive excessively fast. Accidents are foreseeable, and we have reckless driving laws that are intended to deter it, but many people do it anyway. OTOH, we don't hold car manufacturers liable for producing cars that can go that fast. – Barmar Aug 25 '21 at 14:50
  • @gnasher729 yes it is, they're just not choosing to think it through. Just because something is complicated doesn't make it anyone else's responsibility. – Harper - Reinstate Monica Aug 25 '21 at 23:29
  • I don't think you mean it, but as written you are wrongly explaining "de minimis" damages in "de minimis (i.e. that the plaintiff should have taken greater care to prevent damages arising from account hijacking)" – Hasse1987 Aug 26 '21 at 00:08
  • 1
    @Hasse1987: That parenthetical is intended to clarify the entire sentence, and particularly the "should have been" link (for people who are deathly allergic to Wikipedia). – Kevin Aug 26 '21 at 00:10
  • @Kevin Well clarifying "the entire sentence" and a "particular" phrase are contrary goals, wouldn't you say? – Hasse1987 Aug 26 '21 at 00:12
  • @Hasse1987: Sticking a parenthetical in between the verb and the object is bad grammar and hard to read. – Kevin Aug 26 '21 at 00:17
  • @gnasher729 The fact that you yourself admit that it IS foreseeable in 20% of users means it is foreseeable. – slebetman Aug 26 '21 at 08:24
14

If the customer is in the EU (or UK or EEA) and services were offered, targeted or marketed to that area, the GDPR applies. If the organization running the site has an establishment in the EU, the GDPR also applies. If the customer is in California, the CCPA applies. Other US states, including Colorado and Virginia, have recently passed data protection laws somewhat similar to the CCPA. Other jurisdictions may well pass such laws in future.

All these laws require that "appropriate" technical safeguards be used when storing personal data. And yes, passwords are almost surely personal data under these laws. Exactly what is an appropriate level of security is not defined in detail. It depends on the nature of the information involved, and the risks of a possible breach. It also changes with the current state of technology.

Given that security best practice is never to store plaintext passwords, but only salted one-way hashes of passwords, there might be an argument that any system that stores plaintext passwords is not taking appropriate security measures.

The CCPA gives consumers a private right of action if a data breach compromises their information through a failure to take appropriate precautions. This means that individual consumers can sue companies that have breaches due to poor practices for up to $7,500 per consumer. The GDPR allows consumers to complain to a supervisory agency, which can impose significant fines.

This CCPA Case Tracker lists several large data breach cases now in process. It does not say whether passwords were an element of the breach in all cases.

In "Litigating the CCPA in Court" from the law firm of Holland & Knight (July 2020) it is said that:

In the new wave of CCPA data breach cases, plaintiffs have generally pleaded a right to statutory damages, and also often seek restitution and an injunction against defendants' continued (allegedly) improper handling of personal information. Only a small percentage of cases allege actual damages as a result of the purported incident.

jcaron
David Siegel
  • 1
    The German website knuddels.de was fined €20000 in 2018 when they had 808K email addresses and 1.87M unencrypted passwords stolen. See https://www.t-online.de/digital/sicherheit/id_84825494/passwort-panne-knuddels-de-muss-bussgeld-wegen-der-dsgvo-zahlen.html (in German). They were founded in 1998, I guess they started to store unencrypted passwords back then, and never updated their security. – Guntram Blohm Aug 25 '21 at 06:59
  • 4
    Passwords are not personally identifiable data under the GDPR per se. Problem is many people use names of loved ones (or even their own) as passwords, which names ARE so classified under the GDPR. Email addresses of private individuals certainly are classified such under the GDPR, corporate ones only if the name of the individual can be known through them (thus john.doe@company.com is covered, servicedesk@company.com isn't). The GDPR is a mess and a minefield, I've spent the last several years struggling with its implications for various products. – jwenting Aug 25 '21 at 07:04
  • 12
    @jwenting: Using names in non-name fields does not magically make those non-name fields GDPR-protected. Don't spread FUD. This is well-known; if you struggle with simple things like this then you probably should ask your employer for GDPR training. – MSalters Aug 25 '21 at 08:31
  • @MSalters that's how the legal experts where I worked told us to do it... And I fully assume they were well versed in the legalities of the GDPR. An email address containing personally identifiable information is protected under the GDPR, one that doesn't isn't. And that doesn't just extend to the part before the domain name, it can be the domain name itself we were told. – jwenting Aug 26 '21 at 06:30
  • 1
    @GuntramBlohm Unrecoverable (i.e., one-way hashed) passwords were the industry standard for password security as far back as 1978. Problem was that the many thousands of startups and lone programmers rarely bothered to research (let alone implement) any standards. – RBarryYoung Aug 26 '21 at 11:29
  • @jwenting Sure, content matters, but so does context. If my password at abcde.com were "Smith" (it's not), that wouldn't be personally identifiable information because Smith could be my last name, or one of my friends from primary school, some random guy I met on the street, or my college roommate's occupation. There's no context by which anyone could be identified. If, on the other hand, I put "Smith" as mother's maiden name, that would be PII. – A. R. Feb 22 '23 at 14:56
  • @jwenting A password may not be personally identifiable information (PII), but if it is "associated" with a specific person (as it normally will be) it is still personal data (PD) as defined in the GDPR, and also in the CCPA. PD is not limited to PII. Mishandling of PD can be grounds for fines under the GDPR, and suits under the CCPA – David Siegel Feb 22 '23 at 15:16
  • @Andrew Ray As I mentioned in my comment just above, PD is not limited to PII. And the GDPR specifically protects data that is associated with a natural person, even if it requires "additional data", perhaps from someone else, to make the association clear. – David Siegel Feb 22 '23 at 15:19
  • @DavidSiegel playing devil's advocate here: if your website's passwords get leaked you as a website owner have far more serious problems than potential GDPR compliance issues, you now fall under EU laws surrounding data breaches (and of course the mess caused by your massive PR problems). Try to explain to both government agencies, the general public, and probably a court why you were storing passwords in plain text, as well as how you allowed them to get stolen... – jwenting Feb 23 '23 at 07:55
  • @jwenting Yes, all that is quite true. But I answered the question asked. GDPR issues might add to the problems of such a site operator. – David Siegel Feb 23 '23 at 17:48
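The answer above (and the gnasher729 comment under the question) contrasts storing plaintext passwords with storing only salted one-way hashes. The following is an added example, not code from the answer, from Law Stack Exchange, or from any site discussed on the page. It builds both kinds of credential store side by side so the difference a breach makes is concrete: the plaintext store's stolen record is the password itself, while the salted store's record for two users who chose the same password differs and contains no copy of it. PBKDF2-HMAC-SHA256 from Python's standard library is used as the one-way function; the iteration count and salt length are parameters assumed for this example, and the store classes and helper names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Assumed example parameters: 16-byte random salt, PBKDF2-HMAC-SHA256 work factor.
# Neither value comes from the page; a real deployment tunes the work factor to
# its hardware and revisits it as "the current state of technology" changes.
SALT_BYTES = 16
ITERATIONS = 600_000


class PlaintextStore:
    """The practice the answer says is not 'appropriate': the record IS the password."""

    def __init__(self):
        self._rows = {}

    def register(self, user, password):
        self._rows[user] = password

    def verify(self, user, password):
        return self._rows.get(user) == password

    def dump(self):
        # Models what an attacker walks away with after a database breach.
        return dict(self._rows)


class SaltedHashStore:
    """Salted one-way hashes: the stored record cannot be turned back into the password."""

    def __init__(self):
        self._rows = {}

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

    def register(self, user, password):
        salt = secrets.token_bytes(SALT_BYTES)  # fresh per-user salt
        self._rows[user] = (salt, self._derive(password, salt))

    def verify(self, user, password):
        row = self._rows.get(user)
        if row is None:
            # Do the same amount of work for unknown users so response time does
            # not reveal which usernames exist.
            self._derive(password, b"\x00" * SALT_BYTES)
            return False
        salt, digest = row
        # Constant-time comparison of the recomputed hash against the stored one.
        return hmac.compare_digest(self._derive(password, salt), digest)

    def dump(self):
        return dict(self._rows)


def stored_record_reveals_password(store, user, password):
    """Breach model: given only the raw stored record, does it contain the password?"""
    record = store.dump()[user]
    if isinstance(record, str):          # PlaintextStore row
        return password in record
    salt, digest = record                # SaltedHashStore row
    return password.encode("utf-8") in salt + digest


def same_password_same_record(store, user_a, user_b):
    """True if two users who picked the same password have identical stored records.
    Unsalted or plaintext storage makes this true; per-user salts make it false."""
    rows = store.dump()
    return rows[user_a] == rows[user_b]


if __name__ == "__main__":
    # Constructed sample accounts; the shared password is deliberate to show salting.
    for store in (PlaintextStore(), SaltedHashStore()):
        store.register("alice", "correct horse battery")
        store.register("bob", "correct horse battery")
        print(type(store).__name__,
              "login ok:", store.verify("alice", "correct horse battery"),
              "breach reveals password:", stored_record_reveals_password(store, "alice", "correct horse battery"),
              "alice/bob records identical:", same_password_same_record(store, "alice", "bob"))
```

The verifier deliberately recomputes the hash for unknown users and compares with `hmac.compare_digest`, so a breached database is the only place an attacker can learn anything, and what it yields is a salt plus a digest that must be brute-forced per user rather than read off.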
2

Bluntly, the argument is obviously nonsensical. It's so absurd that it can't even be made with a straight face.

Here is how you've described it:

"Security Experts the world around all agree that you should not reuse passwords across sites. This is simply a matter of best practice, and it protects you such that if your StackExchange password is stolen, they can't use that to access your bank account."

Let's try the equal and opposite version of the very same argument:

"Security Experts the world around all agree that you should not store passwords in plaintext. This is simply a matter of best practice, and it protects you such that if your StackExchange password is stolen from storage, they can't use that to access your bank account."

See the problem?

There are two things, both best practices, that everyone is supposed to do to protect from this scenario. You are saying that you can deliberately choose not to do one of them because you can rely on others to do the other. But if that were correct, that argument would apply equally well to users being able to rely on site operators not to store passwords in plaintext.

So anyone who thinks that argument is correct needs to explain why the user can't make the same argument. Because, obviously, they can't both be right.

No such explanation is possible.

And, of course, it would be the site who would have additionally somehow allowed its password database to get stolen. So arguing for a 50/50 split in responsibility won't even work here.

David Schwartz
  • This answer makes a good deal of sense from an ethical and logical POV, and I have upvoted it. It is a good response to the argument in the question. But it is not a good legal argument. The law often does not follow such apparently common sense logic. Instead one must look at whether the web site operator owes a duty of care to the user, and whether any specific law or general principle imposes liability on the operator. Those would be relevant issues in any actual suit over such an event. – David Siegel Aug 26 '21 at 16:12
  • @DavidSiegel There's a basic principle of law called the "straight-faced principle". It says that you may not make any argument to a court that you cannot make without smirking or cracking a smile. This argument fails that principle. It cannot be made as stated to a court for the reason that I explained. Your argument has to actually support the position you claim it supports to be made at all, otherwise it is an ethical violation to make the argument in the first place. – David Schwartz Aug 26 '21 at 16:49
  • I hate to tell you, but to the best of my understanding that is not a legal principle at all, and respected lawyers do often make arguments that seem quite ludicrous. In any case, even if the argument is bad, that does not mean the result is incorrect. The argument that it is the user's fault for not choosing different passwords is not legally sound, but that does not prove that the law in fact imposes liability on the site operator for security violations. One must show some law, specific or general, that actually imposes such liability. Otherwise there is no liability. – David Siegel Aug 26 '21 at 17:35
  • Wait. As a generalized principle, would you say if Person A and Person B both make mistakes, and those mistakes, taken together, allow Malefactor C to harm Person A, then Person A has a cause of action against Person B? – Michael Lorton Aug 26 '21 at 22:58
  • @Malvolio It depends upon the jurisdiction. There are actually some where showing any fault on the part of the person suing negates any recovery. In most, proportional recovery is possible. But none of that supports the nonsensical argument the OP asked for comment on. (The argument made is that there's no obligation to protect against some bad outcome so long as something else that can make this exact same argument also protects against it. That's obviously wrong both legally and logically.) – David Schwartz Aug 26 '21 at 23:35
  • @Malvolio If Person A makes a mistake that contributes to the ability of Malefactor C to harm Person B, then B may have a claim against A, even if B's own errors also contributed. This will depend on the law of the particular jurisdiction, and on the circumstances. For example, if A has a "duty of care" in the situation, then B is more likely to have a valid claim. – David Siegel Aug 27 '21 at 18:18