4

Even if most developers nowadays understand the necessity of encryption, a considerable number of websites still store the user's password as plain text. It can be easy to spot: just ask for a password recovery and see if they send your old password back in the email; or, harder, through pen-testing to see how the passwords are stored.

If by any method someone were to find a website like this, is it possible to sue the company for "voluntarily making the information system weak"? Or should we be more "nice" and politely ask the webmaster to remove the concerned user from its DB? (Let's keep in mind that some people just disable accounts without removing them, cf. the Ashley Madison hack.)

Can the law on this kind of issue change according to the country hosting the DB? The country the webmaster is from? The country the user is from?

Thanks for reading.

MedAl

2 Answers

2

Yes, a company can be sued (since anyone can sue anyone). But in order to win a lawsuit, you have to have damages as a result of some action, AND you must prove that the action was done with intent to harm or was otherwise negligent.

So following your website example, a lot of things would have to happen:

  1. The website would have to be hacked.
  2. If the passwords are encrypted instead of hashed (which still qualifies as "plain-text" once they email it to you), the hacker would have to figure out how to decrypt the passwords. (Which a good hacker could probably do.)
  3. The hacker would have to take those passwords and do something with them that causes damage to their owners.

Even if all of those things happened, you would still also have to prove negligence on their part, which would be pretty difficult to do because the flaw that was hacked would be the focus of negligence discussions more so than what was stolen.

That being said, if your goal is simply to get them to fix the problem, rather than receive monetary damages, then you could still sue for an action to be taken. You'd have to pay by the hour for the attorney since they wouldn't have a chance of winning monetary damages. But in all likelihood the website owner, upon seeing the lawsuit, would fix the problem before it gets to court, so I could see that having the desired effect. That is if you think it's worth the cost of filing the lawsuit in the first place. Perhaps you could save yourself the cost of an attorney and just threaten to sue if they don't fix the problem.

TTT
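The answer above distinguishes plain-text or reversibly encrypted passwords from hashed ones. The following is an added example, not code from the question or either answer, showing the hashed approach and why a site built this way cannot mail back an old password and must issue a reset token instead. It assumes an in-memory dict as the user table and the standard-library PBKDF2 implementation; `USERS`, `RESET_TOKENS` and the function names are this example's own.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory stand-ins for the website's database tables.
USERS = {}         # username -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}  # sha256(token) -> username (tokens themselves are not stored)
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor

def store_password(username, password):
    """Store only a salted, slow hash; the plaintext is never written anywhere."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    USERS[username] = {"salt": salt, "hash": digest}

def verify_password(username, password):
    """Recompute the hash with the stored salt and compare in constant time."""
    rec = USERS.get(username)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], ITERATIONS)
    return hmac.compare_digest(digest, rec["hash"])

def begin_reset(username):
    """The hash-compatible replacement for 'we emailed you your old password':
    a one-time token is mailed to the user; only its hash is kept server-side,
    so a leaked table does not hand out usable reset links."""
    if username not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = username
    return token

def finish_reset(token, new_password):
    """Consume the token (single use) and replace the stored hash."""
    username = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if username is None:
        return False
    store_password(username, new_password)
    return True
```

Because the table holds only salt and hash, the "send me my old password" check described in the question necessarily fails against a site built this way; a positive result from that check is therefore evidence of plain-text or reversible storage.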
1

The somewhat facetious answer to the question is "a company can be sued for anything".

The more useful answer is that if you were to sue a company for storing plain-text passwords, you would need to rely on some legal authority in the jurisdiction to establish and support a cause of action. This might be negligence on the part of the company, which might require that actual damages be shown. It could also be codified in a statute of the jurisdiction.

So in answer to your questions:

is it possible to sue the company for "voluntarily making the information system weak"?

Yes, subject to the above.

Or should we be more "nice" and politely ask the webmaster to remove the concerned user from its DB?

That's not really a legal question, unless there are laws that may coerce the safe storage of credentials.

Can the law on this kind of issue change according to the country hosting the DB? The country the webmaster is from? The country the user is from?

These are all factors and may change the applicable laws.

jimsug