Historically, software developers have been free of liability if their software fails, thanks to End User License Agreements that essentially grant them immunity from lawsuits. Over the years, U.S. courts have upheld those agreements. As far back as 1986, a federal court let Apple off the hook, ruling that it could not be sued for bugs in its software and pointing to the disclaimer that no claim was made that the code was bug free. Since then, several class action suits brought against software makers for buggy software have been ruled against on similar grounds.
But, ISVs beware, that scenario may be changing. In late 2016, The Christian Science Monitor reported that “leading digital security experts are calling on U.S. policymakers to hold manufacturers liable for software vulnerabilities in their products in an effort to prevent the bugs commonly found in smartphones and desktops from pervading the emerging IoT space.”
Just recently, the Washington Examiner reported that U.S. Senator Mark Warner told the audience at the South by Southwest conference in Austin, Texas, that “a fulsome debate is needed about whether the software sector's legal immunity has outlived its usefulness, especially in an age of relentless cyberattacks that frequently exploit software vulnerabilities.”
Warner, who is also a leader on the U.S. Senate Intelligence Committee, believes that “subjecting the software industry to legal exposure for flaws in their products is one way to get the private sector to improve their cybersecurity.”
With the global spotlight on cybersecurity, it’s not hard to understand why the software industry and product liability issues are under heavy scrutiny. The discussion is now well beyond the inconvenience caused by buggy software. Unprotected and vulnerable software in the cyberworld can have grim and even life-threatening consequences – an autonomous vehicle could crash, a lifesaving medical device could fail, or a power grid could be attacked and put national security at risk.
Product liability in the cyberworld opens up a whole new area of potential litigation, as the ISV is not only responsible for its own software, but also potentially responsible when others exploit that software for malicious actions. So, for example, if a hacker finds a vulnerability in the code and manipulates it to cause damage, the developer conceivably could be held responsible for it. And when life and death are at issue, the focus will surely shift to accountability and liability.
A key takeaway here is that developers need to take action now to design security into their products. If they don’t have the expertise (and many don’t), they need to work with security partners who can help them eliminate potential vulnerabilities and protect against nefarious hackers. Two good reference points are the Industrial Internet Consortium’s Industrial Internet Security Framework and the on-demand Webinar, IIoT Endpoint Security – The Model in Practice.