Comments on: The costs of liability

By: Bill Jensen

Bill Jensen — Mon, 26 Nov 2007 11:23:18 +0000

I think that you can safely separate software from doctors in this case due to the clause of negligence. Doctors, after accepting personal information from patients, are supposed to be aware that they are responsible for keeping it safe – both in the EU and in the US. This is not new. What is unique is that England is acknowledging that doctors have not done an exceptional job of securing that information – despite knowing the possible consequences.
On the other hand, a security vulnerability is an unexpected event in theory. It would be hard to regulate. I mean, how can you regulate due diligence in the testing process? You don’t even know what possible attack vectors are around next month. :)

By: Iang

Iang — Sun, 25 Nov 2007 11:05:16 +0000

Adam,
yes, Redhat would be liable if the only discussion was a strong contract, because they sold a copy. Lunix (whoever that is…) would not.
As to arguing that we should “just do it”, I wouldn’t argue that. Any law that argues for this liability has a nearly perfect chance of doing more harm than good.
I personally would see that there is sufficient cause for a class action process. Having said that, I’m not a lawyer, they are complex things and it hasn’t happened yet, so I’m wrong somewhere…

By: Adam

Adam — Tue, 20 Nov 2007 20:34:46 +0000

Ian,
I explicitly called out redhat because they have an open source OS which they sell. Liable or not? Arguing that we should just do it, and endure the (if you’ll permit me) emergent chaos seems less clever than planning.

By: Antonomasia

Antonomasia — Tue, 20 Nov 2007 09:30:04 +0000

A row over loss of HMRC disks is now top story on the BBC.
http://news.bbc.co.uk/1/hi/uk_politics/7103566.stm
It mentions child benefit claimants – possibly a different loss from the recent pensions one.

By: Antonomasia

Antonomasia — Tue, 20 Nov 2007 08:34:36 +0000

http://worsethanfailure.com/Articles/Finally,-a-Software-Guarantee.aspx
There is scope for arguing over whether something was installed and used right – and for what it was intended for.
And then there’s patching – after a patch is released is the vendor is no longer liable for flaws in the outdated version and the unpatched user is liable? Might a court have to decide whether a patch is really usable, as opposed to rushed release as a cop-out? Would the vendor be allowed to charge for patches? Would the vendor be obliged to release patches separately from other features that the users might not want?

By: Iang

Iang — Mon, 19 Nov 2007 11:46:49 +0000

Advocating the devil of course, but the reason we don’t know much about how to do this is simply that we’ve never done it. Once a few cases shake out, liability on software will pass from strange and scary to routine and expensive.
Probably open source will get a pass, because there is no strong contract (e.g., contract for consideration) involved, so contract law does not say so much. It is where there is a paid contract that it gets more interesting. At a superficial reading, Microsoft would thus be much more liable than Mozilla.
Another thing to consider is the meaning of gross negligence or criminal negligence which for some reason is more customary than other legal things. So to bounce it back to the computer industry, we are now at the point of making loss of data a crime for purposes of negligence, simply because the damage done is disproportionate. Doctors will have to start treating laptops like their supplies of desirable drugs.

By: Nicko

Nicko — Mon, 19 Nov 2007 10:39:48 +0000

The first thing that came to mind when hearing about this was “well, that’s one way to discourage breach reporting”. If individuals are to be held criminally liable for loosing data then any small incentive that they might have once had for reporting their screw-ups to their bosses goes right out the door.