I'm working as a technical advisor to a start-up company. The company licenses its product (a web and mobile application) to large groups of people who then use it for a relatively short period of time.
As part of my technical review I noticed that the development team is storing user credentials in clear text. I immediately advised my client of this and recommended that passwords be encrypted securely using any of a number of well-documented best practices.
It turns out that the software has a few features that would be considerably difficult - although not impossible - to implement without having access to the raw password. One example is printing "user passes" that have a user name and password on them for easy access to the system. I've also advised against this practice, but let's for the moment assume I'm going to lose that battle.
My concern for my client is that a number of things could happen with this information that may result in litigation troubles.
- A disgruntled employee may leave the company and easily export this information before doing so. It doesn't help that the development works remotely in another country and can be difficult to supervise.
- Since user account names are email addresses, it's possible for some users of the system to utilize a common password across all their accounts. This would be an easy attack vector to script and try to gain access to email accounts, and in turn much more sensitive information.
- I believe that by now most users of web applications have some implicit trust in administrators to keep their private information securely stored.
Ethical issues are, sadly, less of a concern here at the moment. What immediate legal responsibility does my client have when it comes to this?