Hacker News new | ask | show | jobs
by thewataccount 1205 days ago
> Imagine going to an amusement park and signing a waiver that the park takes no responsibility for your injuries. If you climb aboard a rollercoaster that hasn't seen any maintenance in 20 years and you get decapitated, I'm pretty sure the park is still legally responsible

I don't know Canadian law, just for fun this is my understanding of it under US laws which are likely similar although Canada usually has more consumer protections.

You generally can't waive negligence. Those waivers can be useful for things like a trampoline park - someone lands on their ankle wrong and injurs it, the waiver deals with assumption of the risk - landing incorrectly is a reasonable risk due to the nature of the event. However if a net was missing and you hit the concrete floor - that would be under negligence of the premises owner.

My guess (not a lawyer just guessing) is that if they followed all best practices and someone bruteforced an RSA 2048 key which is currently understood to not be (reasonably) possible - that might be covered? However if they left a S3 bucket open without a password, that would be under negligence?
1 comments
everforward 1205 days ago
> My guess (not a lawyer just guessing) is that if they followed all best practices and someone bruteforced an RSA 2048 key which is currently understood to not be (reasonably) possible - that might be covered? However if they left a S3 bucket open without a password, that would be under negligence?

Not a lawyer either, but to me, since users have no means to protect themselves against a backend breach, it seems like it would inherently be the fault of the business.

My chosen parallel would be owning a dog. Owning a dog has some inherent risk, because even if you take all precautions, there's always a chance it gets off it's leash or breaks out of the yard and bites someone. "I had a fence" shouldn't free you from liability; the fence was insufficient because someone still got bit. The only way to be free of that small risk is to not own a dog.

I view data the same way. Storing sensitive data comes with an inherent risk that it will be compromised. By asking for and keeping that data, companies assume the risk of that data being breached, and any resulting damage. If that risk is unacceptable, don't ask for or keep the data. Or find some way to make it so the data can't cause damage even if it's stolen (e.g. by using some kind of public tax ID).

link
Retric 1205 days ago
The standard with dog bites is “reasonable precautions” to prevent them, thus a good fence that failed because it was hit by a meteor could be a perfectly reasonable defense. People don’t build structures with rocks falling from the sky in mind. On the other hand a fence the dog can open or climb over is not, which of course depends on the dog.

I suspect the same would be considered for computer security. Hacker News and a Bank have very different bars for what’s reasonable.

link
everforward 1205 days ago
36 states and DC have strict liability for dog bites. For most the only exceptions are if the person was trespassing when they were bitten, if they were provoking the dog, or it's a police/military dog doing its job. Some of those states have carve outs where they only have liability for expenses if they didn't know the dog was dangerous (I'm presuming that means no emotional/punitive damages).

Doesn't matter what precautions the person took, if the dog gets out and bites another person, they're liable in most states.

link
Retric 1205 days ago
Interesting, my state is not on that list.

But that 36 state list includes many exceptions. Provocation is an exception in the majority of those 36 states, and trespassing is almost universally an exception. Nebraska excludes harm cases when the dog is being playful etc.

link
sporedro 1205 days ago
Genuine question, would you not be held responsible in the US if a meteor hit your fence allowing your dog to get out and bite someone? I know that it was unpreventable but isn’t it still your dog and your responsibility?
link
bombcar 1205 days ago
You can be sued for anything but I suspect in this case the “Act of God” clause would come into pay and insurance would (or wouldn’t) cover it.

Eg if you had a known dangerous dog that had bitten twelve babies before but you didn’t destroy it, you’re up the creek even if it got out because of the meteor.

But if the dog only but because it’s tail got singed by the meteor, you’d probably be ok.

link
Retric 1205 days ago
Nothing is absolutely guaranteed in the US legal system, but as I understand it it’s not legally your responsibility.

In the same way you may generally be responsible if you rear end someone, but if it was caused by someone rear ending you then that’s not your fault. That may seem obvious, but if someone stoped several car lengths back to lower the risk of someone getting hit if you’re rear ended. Thus the standard is reasonable precautions rather than requiring people to do absolutely anything possible.

link