So now 400,000 Yahoo/xtra passwords should be changed!
We've looked at this debacle for a worried client.
His business depends on customer disclosure of personal confidences. Many customers have now had odd emails purporting to be from him. But that is merely embarrassing. What about the growing view that the hackers may have accessed sent emails. Should he be preparing his clients for the possibility that their personal confidences might be known to the world?
He must adhere to the principles in section 6 of the Privacy Act. Should he warn customers that Principle 5 may have been breached, and that they should take steps to minimise any damage.
Telecom should be telling us:
(a) What is known about what was accessed by hackers? If they still don't know now, when do they expect to know? How likely is it that email content has been accessed?
(b) Are accounts now secure?
(d) What should our client say to customers worried that his correspondence may have been copied?
(e) Should Yahoo!/Xtra account holders change passwords for third party services?
Liability? It is too early to calculate costs, and whether Telecom/Yahoo might be liable for more than fixing the system. But the potential scale of the losses highlights the importance of the liability limitation and exclusion clauses in standard contracts.
Slogan thinking would say "of course they should compensate".
But case-law and carefully considered old legislation have dealt with similar issues for centuries. Common carriers are usually allowed to shelter behind limitation clauses.
Limitation clauses justified? The reasoning is simple, and common sense. The consequential losses could be astronomical from damage or theft of goods in carriage. Carriers' liability would in effect force them to be the insurers for people who have property and transactions that are critically dependent on being carried securely, or delivered on time. The cost of such insurance could be very high. ISPs are like physical carriers in this regard given what can be lost when messages are too late, or corrupted, or get into the wrong hands.
That cost would have to be spread across the service. But most messages are routine. Losing them would will not hurt anyone. So the huge majority of us, who want our carrier to carry most of our messages for next to nothing, would be mulcted to subsidise the few.
In addition, the law tries to leave liability with the person who is in the best practical position to minimise loss. Only the originator knows whether the next message is trivial, or vastly important. We do not want the ISP to have to know what is in our messages, so they can take care with the valuable ones, just as we do not want carriers to have to know what is in our parcels.
So the law (and most standard terms) therefore say 'user beware'.. If your business is exceptionally vital, or fragile, then insure it yourself, or send it by a special service that guarantees security, and presumably charges accordingly. Don't ask the rest of us to subsidise your sensitivity.
Another reason for uholding limitation clauses, is that without them the provision of such services might be confined to maga companies. Start-ups could be too risky. And in fast developing sectors we rely on start-ups, often small and under-capitalised, to protect us from exploitation by the early entrants and the majors. Respect by courts and governments for standard form contracts can be a major factor in new entrant ease of entry.
Political expediency a threat: These common carrier principles are almost universal. Sadly consumer zealotry and weak political judgment have combined in a law going through the New Zealand Parliament now that undermines the simplicity of the principles. Carriers of goods and carriers of electricity are affected by the Consumer Law Reform Bill. It could enable owners of home theatres and computer gadgetry to collect for power spike damage they could prevent with their own protectors. Ordinary familes, many of whom could never afford such high end gear, will face higher line charges to cover avoidable losses for richer people, or to gold plate the network.