It is true that, if we were to allow anyone to log into an account and take money and then claim that we were innocent, then we would be liable.
3Moose wrote: Chris, you should force it as a matter of good policy. I'm not sure you can have a zero liability policy since most states do not let you waive your own negligence. It is very likely that a lawyer will argue that you were negligent in not securing the network and but-for your action, they would have not lost their money.
******* The statement above should not be construed as legal advice as I am only barred in North Carolina. I am not authorized to give legal advice in any state but North Carolina. This statement should not be construed to be protected under attorney-client privilege. ***********
However, passwords have long been considered the standard of security, and I'm not aware of any cases where someone has been able to win by claiming that the plaintiff's reusing a password from another site is negligence by the site operator. What's happened in every case so far reported is that the customer has created an account with the same username and password (s)he uses at many other sites. In the bitcoin field alone, there are many databases of usernames and passwords floating around. While we can't legally investigate this ourselves since it would require buying the database, there are rumors that Michael Marquadt's bitcointalk.org forums were hacked and that database is for sale.
Plus, we offer two-factor authentication and have big red letters next to people who have it disabled to warn them about it. People are being provided all the tools necessary to secure their accounts, but it's up to them to not reuse passwords and to enable two-factor authentication.
Even if a customer chooses not to activate two-factor authentication, near-perfect security can be obtained by simply generating a random 12-character password and using that. We'll obviously take responsibility if we discover that there is a bug in our own site. The money being stolen in most cases is small enough that we could simply eat the costs, but it's much more expensive to investigate. The larger purpose of this policy is simply to state that we cannot remain profitable by having to pay someone to perform investigations to track down criminals, beyond ensuring that no bug has been discovered in the system.