[everforward]

> My guess (not a lawyer just guessing) is that if they followed all best practices and someone bruteforced an RSA 2048 key which is currently understood to not be (reasonably) possible - that might be covered? However if they left a S3 bucket open without a password, that would be under negligence?

Not a lawyer either, but to me, since users have no means to protect themselves against a backend breach, it seems like it would inherently be the fault of the business.

My chosen parallel would be owning a dog. Owning a dog has some inherent risk, because even if you take all precautions, there's always a chance it gets off it's leash or breaks out of the yard and bites someone. "I had a fence" shouldn't free you from liability; the fence was insufficient because someone still got bit. The only way to be free of that small risk is to not own a dog.

I view data the same way. Storing sensitive data comes with an inherent risk that it will be compromised. By asking for and keeping that data, companies assume the risk of that data being breached, and any resulting damage. If that risk is unacceptable, don't ask for or keep the data. Or find some way to make it so the data can't cause damage even if it's stolen (e.g. by using some kind of public tax ID).

[Retric]

The standard with dog bites is “reasonable precautions” to prevent them, thus a good fence that failed because it was hit by a meteor could be a perfectly reasonable defense. People don’t build structures with rocks falling from the sky in mind. On the other hand a fence the dog can open or climb over is not, which of course depends on the dog.

I suspect the same would be considered for computer security. Hacker News and a Bank have very different bars for what’s reasonable.

[everforward]

36 states and DC have strict liability for dog bites. For most the only exceptions are if the person was trespassing when they were bitten, if they were provoking the dog, or it's a police/military dog doing its job. Some of those states have carve outs where they only have liability for expenses if they didn't know the dog was dangerous (I'm presuming that means no emotional/punitive damages).

Doesn't matter what precautions the person took, if the dog gets out and bites another person, they're liable in most states.

[Retric]

Interesting, my state is not on that list.

But that 36 state list includes many exceptions. Provocation is an exception in the majority of those 36 states, and trespassing is almost universally an exception. Nebraska excludes harm cases when the dog is being playful etc.

[sporedro]

Genuine question, would you not be held responsible in the US if a meteor hit your fence allowing your dog to get out and bite someone? I know that it was unpreventable but isn’t it still your dog and your responsibility?

[bombcar]

You can be sued for anything but I suspect in this case the “Act of God” clause would come into pay and insurance would (or wouldn’t) cover it.

Eg if you had a known dangerous dog that had bitten twelve babies before but you didn’t destroy it, you’re up the creek even if it got out because of the meteor.

But if the dog only but because it’s tail got singed by the meteor, you’d probably be ok.

[Retric]

Nothing is absolutely guaranteed in the US legal system, but as I understand it it’s not legally your responsibility.

In the same way you may generally be responsible if you rear end someone, but if it was caused by someone rear ending you then that’s not your fault. That may seem obvious, but if someone stoped several car lengths back to lower the risk of someone getting hit if you’re rear ended. Thus the standard is reasonable precautions rather than requiring people to do absolutely anything possible.