Educause Security Discussion mailing list archives
Re: Password Security (more law)
From: Lee Weers <weersl () CENTRAL EDU>
Date: Thu, 25 Oct 2007 14:38:38 -0500
How does writing passwords or password hints down any worse than storing them in a compromised password safe utility? This is also assuming that the paper is stored in a "secure" location ie locked desk, on their person? Can't it be argued that storing passwords in a password safe is writing it down? -----Original Message----- From: Valdis Kletnieks [mailto:Valdis.Kletnieks () VT EDU] Sent: Thursday, October 25, 2007 2:08 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Password Security (more law) On Thu, 25 Oct 2007 10:53:25 PDT, Steven Alexander said:
Valdis said: "Prior notice may matter because "they were *told* it was a Bad Idea and they went ahead and intentionally did it *anyhow*" is the sort of thing that changes regular everyday negligence into the sort that has "reckless" and "egregious" attached to it, and
then the
punitive damages come into play."
Damn. At one point, I had "into the sort of behavior that has 'reckless..", and 2 words disappeared into the bit bucket, leading to what's probably us actually being in agreement... :)
That's not how the law works.
You missed one point because of my mis-edit: Before anybody told you it was a bad idea, it's just negligence. Once you *know* it's a bad idea, it's harder to claim negligence for an intentional design feature - now it's *intentional*, and all the adjectives come into play..
You tell a clerk about the spill and it doesn't get cleaned up. Five minutes later, someone slips on the milk. The store had prior notice of the defect/ condition and will probably be liable.
Of your milk examples, this is probably the closest fit to the situation under discussion. If anything, it's even worse - not mopping up milk is an error of omission, going ahead and intentionally deploying something known bad is an error of commission.
Punitive damages are awarded when the defendant does something bad, not stupid. They usually come into play when the defendant acts intentionally, acts in bad faith, attempts to cover up, etc.
Right - and most of the stuff I found by googling for "punitive" and "reckless disregard" agreed with that. For instance, http://www.groklaw.net/articlebasic.php?story=20070507094824404 "Conduct is in reckless disregard of plaintiff's rights if, under the circumstances, it reflects complete indifference to the safety and rights of others." At which point you're back in "punitive damages" territory. Now - how confident are you that the other side's lawyer won't be able to stretch it into "You *knew* it was a Bad Idea, and you recklessly and intentionally did it *anyhow*"? :)
Current thread:
- Re: Password Security (more law) Steven Alexander (Oct 25)
- <Possible follow-ups>
- Re: Password Security (more law) Valdis Kletnieks (Oct 25)
- Re: Password Security (more law) Lee Weers (Oct 25)
- Re: Password Security (more law) Valdis Kletnieks (Oct 25)
- Re: Password Security (more law) Roger Safian (Oct 26)