Educause Security Discussion mailing list archives

Re: Password Security (more law)


From: Lee Weers <weersl () CENTRAL EDU>
Date: Thu, 25 Oct 2007 14:38:38 -0500

How is writing passwords or password hints down any worse than storing
them in a compromised password safe utility?  This is also assuming that
the paper is stored in a "secure" location, i.e., locked desk, on their
person.  Can't it be argued that storing passwords in a password safe is
writing them down?

-----Original Message-----
From: Valdis Kletnieks [mailto:Valdis.Kletnieks () VT EDU] 
Sent: Thursday, October 25, 2007 2:08 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Security (more law)

On Thu, 25 Oct 2007 10:53:25 PDT, Steven Alexander said:
Valdis said:
"Prior notice may matter because "they were *told* it was a Bad Idea
and they went ahead and intentionally did it *anyhow*" is the sort of
thing that changes regular everyday negligence into the sort that has
"reckless" and "egregious" attached to it, and then the punitive
damages come into play."

Damn.  At one point, I had "into the sort of behavior that has
'reckless..", and 2 words disappeared into the bit bucket, leading to
what's probably us actually being in agreement... :)

That's not how the law works.

You missed one point because of my mis-edit:  Before anybody told you it
was a bad idea, it's just negligence.  Once you *know* it's a bad idea,
it's harder to claim negligence for an intentional design feature - now
it's *intentional*, and all the adjectives come into play..

You tell a clerk about the spill and it doesn't get cleaned up.  Five 
minutes later, someone slips on the milk.  The store had prior notice 
of the defect/condition and will probably be liable.

Of your milk examples, this is probably the closest fit to the situation
under discussion.  If anything, it's even worse - not mopping up milk is
an error of omission, going ahead and intentionally deploying something
known bad is an error of commission.

Punitive damages are awarded when the defendant does something bad,
not stupid. They usually come into play when the defendant acts 
intentionally, acts in bad faith, attempts to cover up, etc.

Right - and most of the stuff I found by googling for "punitive" and
"reckless disregard" agreed with that. For instance,

http://www.groklaw.net/articlebasic.php?story=20070507094824404

  "Conduct is in reckless disregard of plaintiff's rights if, under the
  circumstances, it reflects complete indifference to the safety and
  rights of others."

At which point you're back in "punitive damages" territory.  Now - how
confident are you that the other side's lawyer won't be able to stretch
it into "You *knew* it was a Bad Idea, and you recklessly and
intentionally did it *anyhow*"? :)
