Lawsuits: Are software developers liable for security breakdowns?

TechRepublic is asking an interesting question:  should software developers be sued for security failures in their code?

They point out that if a restaurant serves you food that makes you sick, you can sue.  You might not win, but you can file a lawsuit.

And you’re probably already imagining a host of other scenarios like this – if a car is defective and you’re in a crash as a result, or if you’re on an elevator and it shuts down unexpectedly and you’re thrown forward, etc.  For any of these, you can sue.

So what if a software system upon which you rely fails in its promise, implied or explicit, to protect your information from unauthorized access?

A lot of software license agreements include declarations from vendors that they are not responsible for security breakdowns.  You know this, of course, because you carefully read the several dozen pages of license agreements that pop up every time you want to download an MP3 file containing your favorite pop song for 99 cents.

European bodies are beginning to take legal action to overturn these waivers, opening up software developers to legal liability.  TechRepublic reports:

… a House of Lords committee recommend[ed] such a measure be implemented in 2007 and European Commissioners argu[ed] for the requirement in 2009 – however agreements to this effect have not been passed

Do you think these agreements will be passed?  And if Europe passes these agreements, is the U.S. far behind?

And if so, what will that do to software vendors?

I have a theory:  if these laws come into being, I predict that software vendors will stop offering password protection of any kind whatsoever. If they don’t write it into the software, they won’t be held liable for any implied protection.  After all, by omitting any protection whatsoever, what could someone sue them for?

Mediawiki is the software that drives the website.  Their software uses optional logins for identifying contributors, but not for protecting information – in fact, the point of a wiki is to publish everything, not protect anything.  If you wish to protect it, you move it into a password-protected folder at the web server (HTTP server) level.

I think that’s the direction in which all software will go, if these laws pass – all password protection will end, and information security will go modular, with just a few dedicated vendors taking on the challenge of providing some sort of plug-and-play or location-based security, and by “location” I mean on your hard drive, or in the cloud.

The dedicated vendor that figures out how to move into that space reliably will make a killing in the market place.

Provided they don’t get sued.

For the full article, see

