Educause Security Discussion mailing list archives

Re: Password Security (more law)


From: Steven Alexander <alexander.s () MCCD EDU>
Date: Thu, 25 Oct 2007 10:53:25 -0700

Valdis said:
        "Prior notice may matter because "they were *told* it was a Bad
        Idea and they went ahead and intentionally did it *anyhow*" is
        the sort of thing that changes regular everyday negligence into
        the sort that has "reckless" and "egregious" attached to it, and
        then the punitive damages come into play."

That's not how the law works.  

I ended up writing a lot so I moved a few key points to the top here for
anyone who doesn't want to read my full explanation.

* Prior notice is required where a person must be aware of a defect in
order to be liable for it.  
* Notice that your behavior may not meet the standards of reasonable
care isn't likely to make you liable for punitive damages.
* Punitive or exemplary damages are intended to punish and deter.
* Punitive damages are awarded when the defendant does something bad,
not stupid.  
* Intent isn't a factor in negligence.
* An act is not intentional because it is volitional.



Prior notice is required where a person must be aware of a defect in
order to be liable for it.  For instance, say some milk gets spilled in
a grocery store.  You tell a clerk about the spill and it doesn't get
cleaned up.  Five minutes later, someone slips on the milk.  The store
had prior notice of the defect/condition and will probably be liable.
If nobody tells the store about the spill and someone falls two hours
later, the store will be assumed to have notice, because if they had
used reasonable care they would have known, and will still be liable.
If the milk is spilled and someone slips five seconds later, the store
probably won't be liable for failing to clean up the spill because,
again, they had no notice of the condition.

Punitive or exemplary damages are intended to punish.  They are awarded
when a person or organization's conduct is so reprehensible that there
is a need to deter further conduct of that sort.  Punitive damages are
only awarded in a few percent of the cases that go to trial.  Punitive
damages are awarded when the defendant does something bad, not stupid.
They usually come into play when the defendant acts intentionally, acts
in bad faith, attempts to cover up, etc.  In BMW v. Gore, BMW was
selling cars as "new" after they had been repainted.  In State Farm v.
Campbell, State Farm refused, in bad faith, to settle a case where their
insured was liable, tried to leave him on the hook for the damages, and
then tried to cover up.  Punitive damages are more likely, and will be
larger, when there is a pattern of bad activity.  Notice that your
behavior may not meet the standards of reasonable care isn't likely to
make you liable for punitive damages.

Intent isn't a factor in negligence; it applies to the "intentional
torts" such as assault, battery, trespass, etc.  In law, an act is
intentional when it is substantially certain to bring about a particular
result.  If you start to sit down in a chair, I move the chair, and you
fall, it doesn't matter whether I meant for you to fall; I knew you
would fall when I moved the chair.  Therefore, I "intended" a battery.
Negligence comes about when there is a risk of harm but it is not
substantially certain.  If the grocery store in the above example
doesn't clean up the milk, someone may fall, but it's not certain that
someone will fall.   

An act is not intentional only because it is volitional.  If I throw a
baseball to someone, it is a volitional act.  If the baseball hits you
by accident, I may be liable for negligence, but not more, because I did
not intend to hit you.  If, on the other hand, I meant to hit you with
the baseball, I'm liable for battery not negligence.

Cheers,

Steven

-----Original Message-----
From: Valdis Kletnieks [mailto:Valdis.Kletnieks () VT EDU] 
Sent: Thursday, October 25, 2007 2:49 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Security

<snip>

Prior notice may matter because "they were *told* it was a Bad Idea and
they went ahead and intentionally did it *anyhow*" is the sort of thing
that changes regular everyday negligence into the sort that has
"reckless" and "egregious" attached to it, and then the punitive damages
come into play.

The easiest way to combat this - ask the people who are suggesting it:

"How worried are you that if your wallet is lost, your ATM card would be
used to drain your account before you got the bank on the phone?  OK,
now how worried would you be if you had written your PIN on the front of
the card?"
