The Case for Negligence: Why Continued Password Use in Tech Could Be Legally Indefensible
Russell D. Nomer, CISSP

Disclaimer: I am not an attorney, and the following represents my personal analysis based on publicly available information. I welcome input from legal professionals to further develop or critique this argument.

A recent article by Graham Cluley about a British man using genealogy websites to fuel an alleged hacking and insider trading scheme has highlighted a critical issue in cybersecurity. Thanks to Mike Wilkes for bringing this to my attention. This case exemplifies why the continued reliance on password-based authentication systems could be viewed as negligent behavior by tech companies. Here's my argument:

The Proposed Case for Negligence

Outdated Security Practices

Password-based authentication, especially when coupled with security questions whose answers can be looked up or guessed, is an outdated and inadequate security practice. The case of Robert Westbrook, the British man in the article above, demonstrates how vulnerable these systems are to exploitation, even when the targets are senior executives of public companies.

Available Alternatives

More secure authentication methods, such as hardware security keys and other passwordless, phishing-resistant technologies, are readily available and proven to be significantly more effective in preventing unauthorized access. Unlike a password or a security-question answer, a hardware key cannot be reconstructed from information someone finds about you online.

Foreseeable Risks

The risks associated with password-based systems are well-documented and foreseeable. Westbrook's alleged use of publicly available information from genealogy websites to answer security questions highlights the predictable nature of these vulnerabilities: the "secret" answers were never secret at all.

Legal Precedent: T.J. Hooper v. Northern Barge Corp.

This 1932 case established that adherence to industry standards is not always sufficient to avoid liability if those standards are inadequate. Judge Learned Hand's opinion stated: "Courts must in the end say what is required; there are precautions so imperative that even their universal disregard will not excuse their omission." This principle can be applied to the tech industry's continued reliance on password-based authentication:

  1. Even if password use is still an industry standard, it may not be sufficient to meet the duty of care owed to users.
  2. The availability of more secure alternatives suggests that companies should be adopting these technologies to meet their obligations.

Call to Action for Plaintiff's Counsel

Plaintiff's attorneys should consider applying the same level of scrutiny to tech companies that they do to pharmaceutical companies when it comes to user security and data protection.

Potential Legal Arguments

  1. Breach of Duty: Tech companies have a duty to protect user data using reasonable and up-to-date security measures.
  2. Failure to Adapt: Despite known vulnerabilities, many companies have failed to adopt more secure authentication methods.
  3. Negligence Per Se: Violation of data protection regulations could be used to establish negligence per se in some jurisdictions.

Conclusion

The continued use of password-based authentication systems, despite their known vulnerabilities and the availability of more secure alternatives, presents a compelling argument for negligence. By drawing on legal precedents like T.J. Hooper and highlighting the foreseeable risks demonstrated by cases like that of Robert Westbrook, plaintiff's counsel has a strong foundation for holding tech companies accountable for inadequate security practices.

This approach could serve as a catalyst for widespread adoption of more secure authentication methods, ultimately benefiting both users and the tech industry as a whole.

I invite legal professionals and fellow cybersecurity experts to weigh in on this argument. Let's start a conversation about how we can push for better security standards in the tech industry.

#Cybersecurity #LegalTech #PasswordlessSecurity #TechLiability

October is Cybersecurity Awareness month. If you want to try something a little different, consider listening to my song, Cyber Rhythms.
