Should Software Makers Be Liable For Security Holes?
from the back-to-the-big-question dept
In the wake of the Slammer worm, here’s an editorial piece from the San Jose Mercury News repeating the popular position from Bruce Schneier that software makers need to be held liable when there are security holes in their products. He repeats the claim that this would also open up a whole new area of insurance protection, which would put pressure on software companies to improve their security. I can see how this could help improve security, but I can also see how it would stifle small, independent (and individual) software developers by adding a ridiculous cost layer on top of creating the actual software. It would also raise questions about who gets sued for a security hole in open source software. What about software that is set up incorrectly? Is it then the software company’s fault or the fault of the company that set it up? I think it’s easier to just hold companies responsible for the claims they put forth. If they claim a product is “trustworthy” or “unbreakable”, and it isn’t, then there’s a case for liability. However, if no such claims are made, it’s tough to enforce liability. Update: Meanwhile, in somewhat related news, the price of hacker insurance is soaring, as it is often no longer covered by general liability insurance.
Comments on “Should Software Makers Be Liable For Security Holes?”
how would liability have worked in this case?
In this particular case, Microsoft had issued a patch for the problem six months before. So would they still have been liable for Slammer?
I don’t know the exact laws about product safety, but I think if a product has been recalled, and the manufacturer has made it reasonably easy for people to replace the item or correct the problem, then they are more-or-less immune from fault from then on (modulo the fact that in the US, you can sue anyone for anything at anytime). Making a free patch available over the Internet would seem to qualify as making it “reasonably easy” to fix the software.
Sure there are tons of patches and it’s a pain to apply them etc., and Microsoft has huge holes in its software development process that need to be fixed — but what else could the company have done in this case, once the software was out there with the bug in it?
– adam
Re: how would liability have worked in this case?
Umm… I don’t know, maybe not blame their customers right off the bat? They got hit as well, so I suppose they could also file a claim with their insurance against themselves to recover their own damages.
God, I hope they don’t read that – they could find a whole new way to get insane profits from their software.