An employee is using some easy guessable reused passwords well known to Have I Been Pwned.
OUCH.
Something bad happens.
Can an employee be sued?
Option A: An organization does not have password policy.
Option B: An organization has a policy but does not enforce it
