New zero-liability policy

[Steve Sokolowski]

Chris, you should force it as a matter of good policy. I'm not sure you can have a zero liability policy since most states do not let you waive your own negligence. It is very likely that a lawyer will argue that you were negligent in not securing the network and but-for your action, they would have not lost their money.

******* The statement above should not be construed as legal advice as I am only barred in North Carolina. I am not authorized to give legal advice in any state but North Carolina. This statement should not be construed to be protected under attorney-client privilege. ***********

It is true that, if we were to allow anyone to log into an account and take money and then claim that we were innocent, then we would be liable.

However, passwords have long been considered the standard of security, and I'm not aware of any cases where someone has been able to win by claiming that the plantiff's reusing a password from another site is negligence by the site operator. What's happened in every case so far reported is that the customer has created an account with the same username and password (s)he uses at many other sites. In the bitcoin field alone, there are many databases of usernames and passwords floating around. While we can't legally investigate this ourselves since it would require buying the database, there are rumors that Michael Marquadt's bitcointalk.org forums were hacked and that database is for sale.

Plus, we offer two-factor authentication and have big red letters next to people who have it disabled to warn them about it. People are being provided all the tools necessary to secure their accounts, but it's up to them to not reuse passwords and to enable two-factor authentication.

Even if a customer chooses not to activate two-factor authentication, near-perfect security can be obtained by simply generating a random 12-character password and using that. We'll obviously take responsibility if we discover that there is a bug in our own site. The money being stolen in most cases is small enough that we could simply eat the costs, but it's much more expensive to investigate. The larger purpose of this policy is simply to state that we cannot remain profitable by having to pay someone to perform investigations to track down criminals, beyond ensuring that no bug has been discovered in the system.

[3Moose]

Chris, you should force it as a matter of good policy. I'm not sure you can have a zero liability policy since most states do not let you waive your own negligence. It is very likely that a lawyer will argue that you were negligent in not securing the network and but-for your action, they would have not lost their money.

******* The statement above should not be construed as legal advice as I am only barred in North Carolina. I am not authorized to give legal advice in any state but North Carolina. This statement should not be construed to be protected under attorney-client privilege. ***********

It is true that, if we were to allow anyone to log into an account and take money and then claim that we were innocent, then we would be liable.

However, passwords have long been considered the standard of security, and I'm not aware of any cases where someone has been able to win by claiming that the plantiff's reusing a password from another site is negligence by the site operator. What's happened in every case so far reported is that the customer has created an account with the same username and password (s)he uses at many other sites. In the bitcoin field alone, there are many databases of usernames and passwords floating around. While we can't legally investigate this ourselves since it would require buying the database, there are rumors that Michael Marquadt's bitcointalk.org forums were hacked and that database is for sale.

Plus, we offer two-factor authentication and have big red letters next to people who have it disabled to warn them about it. People are being provided all the tools necessary to secure their accounts, but it's up to them to not reuse passwords and to enable two-factor authentication.

Even if a customer chooses not to activate two-factor authentication, near-perfect security can be obtained by simply generating a random 12-character password and using that. We'll obviously take responsibility if we discover that there is a bug in our own site. The money being stolen in most cases is small enough that we could simply eat the costs, but it's much more expensive to investigate. The larger purpose of this policy is simply to state that we cannot remain profitable by having to pay someone to perform investigations to track down criminals, beyond ensuring that no bug has been discovered in the system.

Edited to give a more complete answer:

You are free to do as you choose. But if you think people are not sued every day (and lose - Note: we can never really be sure of numbers due to settlements) because it can be shown that some other highly accepted procedure could have blocked the intrusion, we will just agree to disagree. We don't see the cases that settle. Most cases settle.

The key is always notice. You are on notice that you have been hacked and lost money. Your post shows your concerns. That is important to a legal analysis.

To your points: Your arguments around security are correct and are what you would argue in court. Breaches happen. You are giving people the tools. They need to protect themselves. They are on notice of the dangers. It would be hard public policy to hold everyone liable for a breech. However, the goal of your attorney would be to KEEP YOU OUT of court. These arguments while valid don't keep you out of court.

I am not trying to give you hard time - just trying to give you something to consider. If someone (or a class) lost $20K, they would likely sue you.... and you may pay $50K to defend yourself. Being "right" does not get you out of court, it just helps you win once you are there.

I have the two factor enabled. I think its just good policy.

[Steve Sokolowski]

Chris, you should force it as a matter of good policy. I'm not sure you can have a zero liability policy since most states do not let you waive your own negligence. It is very likely that a lawyer will argue that you were negligent in not securing the network and but-for your action, they would have not lost their money.

******* The statement above should not be construed as legal advice as I am only barred in North Carolina. I am not authorized to give legal advice in any state but North Carolina. This statement should not be construed to be protected under attorney-client privilege. ***********

It is true that, if we were to allow anyone to log into an account and take money and then claim that we were innocent, then we would be liable.

However, passwords have long been considered the standard of security, and I'm not aware of any cases where someone has been able to win by claiming that the plantiff's reusing a password from another site is negligence by the site operator. What's happened in every case so far reported is that the customer has created an account with the same username and password (s)he uses at many other sites. In the bitcoin field alone, there are many databases of usernames and passwords floating around. While we can't legally investigate this ourselves since it would require buying the database, there are rumors that Michael Marquadt's bitcointalk.org forums were hacked and that database is for sale.

Plus, we offer two-factor authentication and have big red letters next to people who have it disabled to warn them about it. People are being provided all the tools necessary to secure their accounts, but it's up to them to not reuse passwords and to enable two-factor authentication.

Even if a customer chooses not to activate two-factor authentication, near-perfect security can be obtained by simply generating a random 12-character password and using that. We'll obviously take responsibility if we discover that there is a bug in our own site. The money being stolen in most cases is small enough that we could simply eat the costs, but it's much more expensive to investigate. The larger purpose of this policy is simply to state that we cannot remain profitable by having to pay someone to perform investigations to track down criminals, beyond ensuring that no bug has been discovered in the system.

Edited to give a more complete answer:

You are free to do as you choose. But if you think people are not sued every day (and lose - Note: we can never really be sure of numbers due to settlements) because it can be shown that some other highly accepted procedure could have blocked the intrusion, we will just agree to disagree. We don't see the cases that settle. Most cases settle.

The key is always notice. You are on notice that you have been hacked and lost money. Your post shows your concerns. That is important to a legal analysis.

To your points: Your arguments around security are correct and are what you would argue in court. Breaches happen. You are giving people the tools. They need to protect themselves. They are on notice of the dangers. It would be hard public policy to hold everyone liable for a breech. However, the goal of your attorney would be to KEEP YOU OUT of court. These arguments while valid don't keep you out of court.

I am not trying to give you hard time - just trying to give you something to consider. If someone (or a class) lost $20K, they would likely sue you.... and you may pay $50K to defend yourself. Being "right" does not get you out of court, it just helps you win once you are there.

I have the two factor enabled. I think its just good policy.

I understand your concerns, but I'm not sure exactly what additional action could be taken. We've never had a security breach or been hacked.
We tell people to use strong passwords, we offer two-factor authentication, we warn people when it's not enabled, and (most importantly) nobody could ever lose $20k because payouts are mandated before the amount is reached. Using a strong password or two-factor authentication has been 100% effective at preventing issues. Two-factor authentication is good enough for banks, after all.

On a different note, if you are a lawyer, perhaps you can find someone who is knowledgeable in cryptocurrencies and tax law. One of the reasons we can't move forward is because it took a month to find a lawyer, and then another month for that lawyer to accomplish very little and suggest we hire someone else. The #1 issue facing us right now is finding a competent lawyer, because we aren't willing to invest any money until we get an analysis from him or her.

[AppleMiner]

I understand your concerns, but I'm not sure exactly what additional action could be taken.

Force the 2-factor to be enabled at account creation. and for everyone logging in after the 2-factor update goes in.

They either have to verify it to continue.
Or read the statement, I accept by turning off 2-factor authorizations I give up any rights to money lost via my account being hacked and account info changed.

And I agree, if you are going to have a zero-liability, it needs to be ON by default, and make the user accept their actions if THEY turn it off.

[3Moose]

Chris - if you send me a private message as what you specific question(s) is... I will see if I can find you one.

Yes, I am a lawyer.

[Brandonloves2fly]

I had to learn the hard way. I lost 3.77 LTC because my account was affected. I have since updated my password and enabled 2FA. I wish we could "lock" a payout address with a notification of any address changes like other pools. oh well, You live and you learn.

[Aura89]

I had to learn the hard way. I lost 3.77 LTC because my account was affected. I have since updated my password and enabled 2FA. I wish we could "lock" a payout address with a notification of any address changes like other pools. oh well, You live and you learn.

Locking wouldn't be a bad idea, but realistically shouldn't be an issue with 2FA either. Or at least give an e-mail of confirmation to anyone changing their address.