The Legal Status of Sharing Passwords
Many consumers who are victims of a data breach or whose information is resold on the black market wonder: “Is it illegal for my information to be shared over the Internet?” One should rely on lawyers for a definitive answer to this legal question; however, the short answer is that, within the United States, there are no federal laws governing this field of data protection or privacy. Many states have passed legislation governing data privacy; modeled after the General Data Protection Regulation of the European Union, these laws offer much more protection than the non-existent federal laws on the matter. Recently, Alabama became the last U.S. state to pass some form of data protection legislation. A list of state security breach notification laws, provided by the National Conference of State Legislatures and sorted by citation concerning a data breach, is given below.
Alabama 2018 S.B. 318, Act №396
Alaska Alaska Stat. § 45.48.010 et seq.
Arizona Ariz. Rev. Stat. § 18–545
Arkansas Ark. Code §§ 4–110–101 et seq.
California Cal. Civ. Code §§ 1798.29, 1798.82
Colorado Colo. Rev. Stat. § 6–1–716
Connecticut Conn. Gen Stat. §§ 36a-701b, 4e-70
Delaware Del. Code tit. 6, § 12B-101 et seq.
Florida Fla. Stat. §§ 501.171, 282.0041, 282.318(2)(i)
Georgia Ga. Code §§ 10–1–910, -911, -912; § 46–5–214
Hawaii Haw. Rev. Stat. § 487N-1 et seq.
Idaho Idaho Stat. §§ 28–51–104 to -107
Illinois 815 ILCS §§ 530/1 to 530/25
Indiana Ind. Code §§ 4–1–11 et seq., 24–4.9 et seq.
Iowa Iowa Code §§ 715C.1, 715C.2
Kansas Kan. Stat. § 50–7a01 et seq.
Kentucky KRS § 365.732, KRS §§ 61.931 to 61.934
Louisiana La. Rev. Stat. §§ 51:3071 et seq.
Maine Me. Rev. Stat. tit. 10 § 1346 et seq.
Maryland Md. Code Com. Law §§ 14–3501 et seq., Md. State Govt. Code §§ 10–1301 to -1308
Massachusetts Mass. Gen. Laws § 93H-1 et seq.
Michigan Mich. Comp. Laws §§ 445.63, 445.72
Minnesota Minn. Stat. §§ 325E.61, 325E.64
Mississippi Miss. Code § 75–24–29
Missouri Mo. Rev. Stat. § 407.1500
Montana Mont. Code §§ 2–6–1501 to -1503, 30–14–1701 et seq., 33–19–321
Nebraska Neb. Rev. Stat. §§ 87–801 et seq.
Nevada Nev. Rev. Stat. §§ 603A.010 et seq., 242.183
New Hampshire N.H. Rev. Stat. §§ 359-C:19, 359-C:20, 359-C:21
New Jersey N.J. Stat. § 56:8–161 et seq.
New Mexico 2017 H.B. 15, Chap. 36 (effective 6/16/2017)
New York N.Y. Gen. Bus. Law § 899-AA, N.Y. State Tech. Law 208
North Carolina N.C. Gen. Stat §§ 75–61, 75–65
North Dakota N.D. Cent. Code §§ 51–30–01 et seq.
Ohio Ohio Rev. Code §§ 1347.12, 1349.19, 1349.191, 1349.192
Oklahoma Okla. Stat. §§ 74–3113.1, 24–161 to -166
Oregon Oregon Rev. Stat. §§ 646A.600 to .628
Pennsylvania 73 Pa. Stat. §§ 2301 et seq.
Rhode Island R.I. Gen. Laws §§ 11–49.3–1 et seq.
South Carolina S.C. Code § 39–1–90
South Dakota S.D. Cod. Laws §§ 20–40–20 to -46 (2018 S.B. 62)
Tennessee Tenn. Code §§ 47–18–2107; 8–4–119
Texas Tex. Bus. & Com. Code §§ 521.002, 521.053
Utah Utah Code §§ 13–44–101 et seq.
Vermont Vt. Stat. tit. 9 §§ 2430, 2435
Virginia Va. Code §§ 18.2–186.6, 32.1–127.1:05
Washington Wash. Rev. Code §§ 19.255.010, 42.56.590
West Virginia W.V. Code §§ 46A-2A-101 et seq.
Wisconsin Wis. Stat. § 134.98
Wyoming Wyo. Stat. §§ 40–12–501 et seq.
While most of the legislation consists of requirements to notify consumers of a data breach containing their information, there are other related laws that both protect messengers of the leaked information from lawsuits (a notable precedent set by Supreme Court case Bartnicki v. Vopper) and restrict individuals from sharing their passwords (precedent set by Ninth Circuit U.S. Court of Appeals USA v. Nosal II). The International Comparative Legal Guides guide on data protection in the USA (2018) covers concepts such as territorial scope, individual rights, appointment of a data protection officer, marketing, etc., and is an extensive resource on American data protection. However, once the data breach is disclosed and reparations made, the data is often sold in a variety of markets by a variety of vendors, using channels including online stores, bulletin boards, and communication systems. These parties are often protected by American law regarding data protection: it has been generalized that obtaining the leaked information in the first place or being the cause of the data breach is an illegal act; secondary usages of the information are under legal scrutiny.
Concerning the distribution of leaked information, aggregators of the leaked data in the United States are less reliable for assuring the integrity of the data than in other countries. This year, the creator of the leak database named LeakedSource.com was arrested by the Royal Canadian Mounted Police for selling the information on the public website. The activity is prohibited under Canadian federal law; the operator was cited for making hundreds of thousands of dollars selling personal information and faces a maximum of 10 years of prison time. The overwhelming message is that although no universal legislation exists to govern the complete privacy and protection of personal data, the avenues are a rapidly changing part of the Internet and need to be assessed in the near future.
No federal legislation is likely to be passed within the United States, despite several recent proposals, mostly due to either partisan lawmaking or the preemption of state laws. A prudent conclusion is that instead of relying on the creation of legislation concerning data protection, new systems of authentication can be instituted to render the situation less dangerous. Regarding current public access to authentication records available on data sharing websites, users should follow well-written guides and advice on increasing their password security, and take responsibility for the data that (inevitably with the current systems in place) falls into the hands of hackers and data traffickers.