When a plane crashes because its aircraft control software has been incorrectly coded, the software manufacturer may be liable for damages. However, when a computer software application is incorrectly coded, leading to a major cyber-attack and interruption of international commerce, the vendor company which created the software almost never incurs liability. Why? Would amending consumer protection laws enhance cybersecurity?
The reason software vendors are rarely found liable for damages that result from vulnerabilities in their software are the strict terms that vendors impose on all users of their software. Courts almost always enforce these strict terms. Very few users even read the terms before using the software and, even when they do, they do not understand that these terms effectively exempt software vendors from almost all liability.
As a result of this protection, some software vendors may be lax about securing their software. Competition among vendors demands innovation, constant improvement, and expansion of useful features. Time-to-market is a critical part of the competition. As a result of this haste, software security may not be the vendor’s first priority. Software vulnerabilities do affect customer confidence and may affect sales, but there is no direct financial penalty for potential damages caused by those vulnerabilities.
There is evidence that software insecurity is growing: significant increases in software data breaches and other cyber-attacks such as ransomware. Most breaches involve, at least in part, a software coding error by a human.
Most common software, especially computer operating systems like Windows or MacOS, are very complex and consist of a vast number of lines of code. Each line is typed by a human, similar to typing an English sentence. Humans make software coding errors in the same way as authors make typographical, grammar, and spelling errors. However, even a single missing semicolon by a coder can make the difference between secure software and a computer breach resulting in a massive intellectual property theft, a massive personal data breach, or even a massive global computer outage lasting for weeks.
What if software vendors were subject to product liability as are vendors of a car, kitchen appliance, or children’s toy (many of which, incidentally, are now operated by internal software code?) Based on the practices of these other industries, to protect themselves from product liability risk, software vendors would use additional resources to test the cybersecurity of their products before releasing new software. The consumer might pay more – but the software would be more secure.
New consumer protection laws could override the strict software user terms that almost no one reads or understands and set a new level playing field for all software vendors. More secure software will go a long way to better consumer protection, greater individual privacy, more secure commerce, and increased national security.