14

Security Experts the world around all agree that you should not reuse passwords across sites. This is simply a matter of best practice, and it protects you such that if your StackExchange password is stolen, they can't use that to access your bank account.

The general feeling I get from my security friends is that this "advice" is legally bulletproof, and that if their website is hacked, and plaintext passwords are stolen, they don't have to worry about someone suing them because the password that was stolen from their website was also used on that person's banking page. After all, "It's the user's fault for reusing a password!"

Has this belief actually been upheld in court yet? Or is this a firestorm waiting to happen when Amazon turns out to be the victim and they sue some smaller organization for every penny it has?

David Siegel
Catachan

3 Answers

31

The argument you are making, restated in legal terms, is roughly as follows:

  1. Users have a duty to not reuse passwords.
  2. When a user reuses a password, and their password is subsequently stolen and used to fraudulently access the plaintiff's system, that password reuse becomes the proximate cause of the plaintiff's business injury.
  3. Therefore, our storage of plaintext passwords cannot be the proximate cause, and so we cannot be liable.

This argument is mostly wrong. Leaving aside the fact that you're going to have a tough time convincing a jury of #1, a tort may have more than one proximate cause. Both the password reuse and the plaintext storage were but-for causes of the injury (i.e. if either had not happened, then the injury would not have happened). The injury was foreseeable, because it is well known in the security industry that many users in fact do reuse their passwords, professional advice notwithstanding. In most US states, that's enough to establish proximate cause. In the minority of states using the "direct causation" test, you might be able to characterize the user's password reuse as an intervening cause, and thereby avoid liability.

However, there are other elements of tort law which must be established aside from proximate cause, and so by itself this does not resolve the question of liability. Other defenses might be applicable; for example, the terms of service might contain an indemnification agreement, which (if upheld) would make the user(s) responsible. The defendant might also argue that there is no duty of care, that it was not breached, or that the injury was or should have been de minimis (i.e. that the plaintiff should have taken greater care to prevent damages arising from account hijacking).

Kevin
14

If the customer is in the EU (or UK or EEA) and services were offered, targeted or marketed to that area, the GDPR applies. If the organization running the site has an establishment in the EU, the GDPR also applies. If the customer is in California, the CCPA applies. Other US states, including Colorado and Virginia, have recently passed data protection laws somewhat similar to the CCPA. Other jurisdictions may well pass such laws in future.

All these laws require that "appropriate" technical safeguards be used when storing personal data. And yes, passwords are almost surely personal data under these laws. Exactly what is an appropriate level of security is not defined in detail. It depends on the nature of the information involved, and the risks of a possible breach. It also changes with the current state of technology.

Given that security best practice is never to store plaintext passwords, but only salted one-way hashes of passwords, there might be an argument that any system that stores plaintext passwords is not taking appropriate security measures.

The CCPA gives consumers a private right of action if a data breach compromises their information through a failure to take appropriate precautions. This means that individual consumers can sue companies that have breaches due to poor practices for up to $7,500 per consumer. The GDPR allows consumers to complain to a supervisory agency, which can impose significant fines.

This CCPA Case Tracker lists several large data breach cases now in process. It does not say whether passwords were an element of the breach in all cases.

In "Litigating the CCPA in Court" from the law firm of Holland & Knight (July 2020) it is said that:

In the new wave of CCPA data breach cases, plaintiffs have generally pleaded a right to statutory damages, and also often seek restitution and an injunction against defendants' continued (allegedly) improper handling of personal information. Only a small percentage of cases allege actual damages as a result of the purported incident.

jcaron
David Siegel
2

Bluntly, the argument is obviously nonsensical. It's so absurd that it can't even be made with a straight face.

Here is how you've described it:

"Security Experts the world around all agree that you should not reuse passwords across sites. This is simply a matter of best practice, and it protects you such that if your StackExchange password is stolen, they can't use that to access your bank account."

Let's try the equal and opposite version of the very same argument:

"Security Experts the world around all agree that you should not store passwords in plaintext. This is simply a matter of best practice, and it protects you such that if your StackExchange password is stolen from storage, they can't use that to access your bank account."

See the problem?

There are two things, both best practices, that everyone is supposed to do to protect from this scenario. You are saying that you can deliberately choose not to do one of them because you can rely on others to do the other. But if that were correct, that argument would apply equally well to users being able to rely on site operators not to store passwords in plaintext.

So anyone who thinks that argument is correct needs to explain why the user can't make the same argument. Because, obviously, they can't both be right.

No such explanation is possible.

And, of course, it would be the site who would have additionally somehow allowed its password database to get stolen. So arguing for a 50/50 split in responsibility won't even work here.

David Schwartz