Educause Security Discussion mailing list archives
Re: Password Security (more law)
From: Steven Alexander <alexander.s () MCCD EDU>
Date: Thu, 25 Oct 2007 10:53:25 -0700
Valdis said: "Prior notice may matter because "they were *told* it was a Bad Idea and they went ahead and intentionally did it *anyhow*" is the sort of thing that changes regular everyday negligence into the sort that has "reckless" and "egregious" attached to it, and then the punitive damages come into play."

That's not how the law works. I ended up writing a lot, so I moved a few key points to the top here for anyone who doesn't want to read my full explanation.

* Prior notice is required where a person must be aware of a defect in order to be liable for it.
* Notice that your behavior may not meet the standards of reasonable care isn't likely to make you liable for punitive damages.
* Punitive or exemplary damages are intended to punish and deter.
* Punitive damages are awarded when the defendant does something bad, not stupid.
* Intent isn't a factor in negligence.
* An act is not intentional because it is volitional.

Prior notice is required where a person must be aware of a defect in order to be liable for it. For instance, say some milk gets spilled in a grocery store. You tell a clerk about the spill and it doesn't get cleaned up. Five minutes later, someone slips on the milk. The store had prior notice of the defect/condition and will probably be liable. If nobody tells the store about the spill and someone falls two hours later, the store will be assumed to have notice, because if they had used reasonable care they would have known, and will still be liable. If the milk is spilled and someone slips five seconds later, the store probably won't be liable for failing to clean up the spill because, again, they had no notice of the condition.

Punitive or exemplary damages are intended to punish. They are awarded when a person or organization's conduct is so reprehensible that there is a need to deter further conduct of that sort. Punitive damages are only awarded in a few percent of the cases that go to trial.

Punitive damages are awarded when the defendant does something bad, not stupid. They usually come into play when the defendant acts intentionally, acts in bad faith, attempts to cover up, etc. In BMW v. Gore, BMW was selling cars as "new" after they had been repainted. In State Farm v. Campbell, State Farm refused, in bad faith, to settle a case where their insured was liable, tried to leave him on the hook for the damages, and then tried to cover up. Punitive damages are more likely, and will be larger, when there is a pattern of bad activity.

Notice that your behavior may not meet the standards of reasonable care isn't likely to make you liable for punitive damages.

Intent isn't a factor in negligence; it applies to the "intentional torts" such as assault, battery, trespass, etc. In law, an act is intentional when it is substantially certain to bring about a particular result. If you start to sit down in a chair, I move the chair, and you fall, it doesn't matter whether I meant for you to fall; I knew you would fall when I moved the chair. Therefore, I "intended" a battery. Negligence comes about when there is a risk of harm but it is not substantially certain. If the grocery store in the above example doesn't clean up the milk, someone may fall, but it's not certain that someone will fall.

An act is not intentional only because it is volitional. If I throw a baseball to someone, it is a volitional act. If the baseball hits you by accident, I may be liable for negligence, but not more, because I did not intend to hit you. If, on the other hand, I meant to hit you with the baseball, I'm liable for battery, not negligence.

Cheers,
Steven

-----Original Message-----
From: Valdis Kletnieks [mailto:Valdis.Kletnieks () VT EDU]
Sent: Thursday, October 25, 2007 2:49 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Security

<snip>

Prior notice may matter because "they were *told* it was a Bad Idea and they went ahead and intentionally did it *anyhow*" is the sort of thing that changes regular everyday negligence into the sort that has "reckless" and "egregious" attached to it, and then the punitive damages come into play.

The easiest way to combat this - ask the people who are suggesting it: "How worried are you that if your wallet is lost, your ATM card would be used to drain your account before you got the bank on the phone? OK, now how worried would you be if you had written your PIN on the front of the card?"