I can put a "not responsible for stolen items" sign in my restaurant, but if the coat check employee bolts out the door when you hand them your coat, I'm buying you a new one.
<devil's advocate>Yeah, but could the (ex) coat owner hold the restaurant's landlord liable? Isn't it the restaurant _manager's_ problem?
I think there's a _lot_ of "grey areas" here, and while I feel sympathy for the guy who's out ~$13k worth of bitcoins, I can't help but think he was "doing the wrong thing" relying on the security of an inexpensive vps to keep them safe…
What would you recommend? Would you say the same thing if he'd been colocating and a data center employee had stolen his bitcoins? Because that seems far more analogous than any restaurant analogy, and I don't see any reasonable way for somebody who's not a huge corporation to avoid this kind of risk.
You have to trust somebody at some point unless you're keeping the server locked in your own closet. It seems really bizarre to me to say that a hosting provider doesn't have a responsibility not to steal your stuff.
Firstly, I'd start asking whether a $19.95/month shared hosting* account is a "reasonable" place to store $13k worth of (effectively) cash. I'd be _very_ careful if I had that sort of folding-money-type cash on hand, and would under normal circumstances automatically deposit it in a bank account to mitigate the risks involved with carrying it around. And I'd usually take steps to not ever have that sort of value of cash build up or be required - the only transaction I've ever done of that sort of value in cash is selling or buying a car from an individual - and that's always been a direct-from-transaction-to-the-bank type of arrangement.
If I had enough bitcoin value that it'd hurt to lose it, I would not (at least now in hindsight) store that on a machine that other people I don't know/trust have root access to. Maybe I'd keep my wallet on a usb stick in my pocket or in a safe at home? I think though that at somewhere near the $13k value the "right" thing to do is convert it to cash and take advantage of the existing banking system and its time-tested security and insurability.
(* Which is fundamentally what a Linode VPS is, at least from the point of view of anyone with access to the hypervisors.)
Would have to meet several tests:
1) Hosting company knew and agreed to the value of the things they had control over.
2) Employee did it and they were negligent in hiring that individual.
3) Reasonable and customary for that type of stuff to be in that situation given pricing and the practices of others.
With respect to #3, it would be reasonable for a bank safe deposit box to contain a $100,000 ring, maybe, but not to contain a $10,000,000 ring.
Then he should colo with a hosting provider with a contract provision that specifically holds them liable for any losses related to problems caused by the host, and enumerates those possible losses beforehand.
Simply not going to happen at any reasonable rate.
There's a saying in many businesses with different variations:
"Price, quality, speed" pick any two.
So this would be:
"Price, security, bandwidth" pick any two.
People pick on price and bandwidth; security is taken for granted to be commercially acceptable. The colo can easily figure out price and bandwidth; they are clearly defined. Losses from a security breach are not as easy - too many variables. Same reason insurance companies love to write life insurance but hate to write disability insurance. Life insurance is absolute (you know when someone is dead, and tables exist to compute probabilities on when they will die). Disability is open to interpretation, fraud and other things. It's not black and white.
Sure, but there is legal precedent for that as well, as it's an easy concept for the everyday man to understand. (Employee, and seeing them, makes it an open-and-shut case.)
As an aside, signs like that are the same as the ones that appear in auto shops that say "insurance regulations don't allow you in the shop". I owned a company that did manufacturing and said a similar thing because I didn't want anyone in the machine area. I've dealt with insurance companies for many years; they don't dictate things like that, at least from my experience.
Your example is correct, though: the restaurant would be liable in the situation you cited because you actually saw an employee steal the coat. If you saw someone else NOT connected to the restaurant AND the coat was expensive, you are probably out of luck. It's your property and there is no assumption that a restaurant protects you from acts of God.
The key is: was there negligence on the part of the restaurant?
On the other hand, if there was a large party at the restaurant and normally a coat-check girl, that's a different story (the devil's in the details with this stuff).
In an actual court case, the reasonableness of everyone's actions would be evaluated, but it's hard to imagine a court finding it unreasonable that someone placed data worth $13,000 to them on a respected VPS provider.
That doesn't mean Linode has any legal liability in this case, just that your analogy is off the mark.
PCI doesn't specifically say anything about usage of a VPS. It does however speak about access to data.
If you have encrypted credit card information, you'll be asked to list those that have access to the encrypted information, the encryption key, and the key-encrypting key. Then you'll be asked to justify their access.
I'm sure I could come up with several other major violations, but this alone is severe enough that I can't envision a way that you'd pass a PCI audit.
Second, where are you getting $19.95/month from, anyway? I haven't seen the plan in question mentioned, and even if this particular VPS happened to be Linode's lowest-end, the last time I looked (a while back, granted), slush had multiple large VPSs with Linode.
Third, really, what does the price of the VPS have to do with it? You think as the cost of the VPS goes down, we're entitled to less assurance that an employee isn't going to bolt with our data?
Finally, HIPAA and PCI regulations are ginormously complex, but violations of them almost inevitably cost a hell of a lot more than $13k.
I'll freely admit I've only been thinking about this since reading this article, so I'm both not-fully-informed and I'm thinking about it as a response to some guy losing ~$13k, but to me it's _not_ reasonable.
(And my $19.95 number is perhaps hyperbolically chosen from their least expensive VPS offering - but my assumption would be that the management/hypervisor back end would be shared across their entire infrastructure, so I think my argument holds, in that I'd expect the higher-priced offerings to "only" have the employee-reliability assurance of the cheapest VPS…)
Why are you looking at it as "X has the same assurance as Y" instead of "Y has the same assurance as X"?
If you've got a vault that holds a massive diamond, and a little gold ring, do you become concerned because the diamond "only" has the protection of a little gold ring?
Linode plans (like those of other hosting/VPS providers) are differentiated on storage/memory/bandwidth. Security isn't a factor. Compare that to an auto, where "security" is definitely mentioned and part of the selling proposition and what you pay (they mention theft devices, crash stuff, airbags, etc.).