The Legal View: When Google Grabs And Posts Your Password, Can You Sue?
Written by Mark RaschAttorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.
When something bad happens, whether it is a data breach or some other type of attack, it is common for a retailer to meet with its counsel and, in addition to determining its legal obligations, ask the stupidest question any client can ask a lawyer, “Can I sue?” The answer to that question is, of course, always “Yes.” The more difficult questions are, “Who can I sue?” and “Will I win”
Almost always with a data breach or hack some other party has contributed in some way, to either facilitate or exacerbate the breach. The question is, is it worth it to sue? Unfortunately, in most cases, the answer is no.
A few recent breaches may be illustrative. Last week, we wrote about a .pdf document of a company that was placed in a Web-accessible location that was not intended to be public. Think of this as leaving an important document in an unlocked office adjacent to your retail location. The public “can” but “shouldn’t” go there.
The document would have remained blissfully obscure (security through obscurity), but a Google crawler “found” the document and then indexed it. The crawler essentially went through everything that is “accessible” and indexed words, phrases, etc., making it much easier to find. Although the crawler itself did not “publish” the document, it effectively allowed anyone searching for that type of document to find it. Absent the index, the document would likely have remained unknown. The damages from its exposure would have been minimal—if any. What the crawler did, essentially, was expose the secret to the world. So, the retailer meets with the lawyer and asks if it can sue.
The first issue is the practical problem of suing Google. Sure, it has deep pockets. Very deep pockets. That’s a good thing, if you want to sue. But, because of those deep pockets, Google also has lots of lawyers. That’s a bad thing, if you want to sue.
The next thing is to decide on what Google did “wrong,” if anything. Typically, you can sue for things like publishing a defamatory statement or article, infringing a trade secret or, potentially, some type of tortious (wrongful) conduct. It doesn’t appear that Google did any of these things.
-Marc
April 7th, 2011 at 5:35 pm
Google indexing turns up a multitude of sins. For example the well published fact that because many credit cards share the first eight digits, try googling the first 8 digits of your own card, and you will in all likelyhood find a few lists of cards completely un-secure. The other is googling somethign like “drivers licence” or “passport” in images.google.com and see how many people have scanned their passport or drivers licence and published it on the web (and of course, some US states use social security numbers as passport numbers”.
April 11th, 2011 at 11:37 pm
Google didn’t “post” the password, they did.
The analogy of putting the document in an unlocked office is flawed. Everything on a public facing web server is the same as putting it on a bulletin board on the outside of your retail location. Google is nothing but a photographer, driving by and taking pictures of whatever they see on the bulletin board, and making that information available.
If they didn’t want their non-world-facing data exposed, they should have at least posted the web-equivalent of a “No Photographs” sign: a robots.txt file. Not that these are in any way enforceable, and should never be mistaken for a security measure, but at least Google obeys them.
Having login credentials in a document posted on a public web server is as negligent as leaving your car keys in your running vehicle while you hop in for a soda at the sketchy 7-11 in a bad neighborhood. In many jurisdictions, it’s actually illegal to be that negligent. This is from a recent Texas ad campaign: http://www.txdmv.gov/protection/auto_theft/hold_key.htm
In this case the web shouldn’t be treated much different.