Shostack + Friends Blog Archive


Software Liability by Contract, Not Regulation

While “other events” are causing me to prevaricate over data protection legislation in the US, it’s great to see this Wall St Journal story (reprinted in the Contra Costa Times) on large software buyers pushing for liability clauses in their contracts.

“I’m paying the bill. Other companies are paying the bill,” says Ed Amoroso, AT&T’s chief information-security officer. “The software companies are not paying the bill.” Amoroso says AT&T spends roughly $1 million a month just to patch its existing software. Testing and installing a single patch across AT&T’s network can require as many as 30 people working full time for several days.

But everyone is treading cautiously. For example, technology and security executives at big companies talk about getting tough on software makers. But their bosses — chief executives — don’t always agree. Instead, the Business Roundtable, an association of CEOs, has focused on reducing liability exposure for technology users, not increasing it for software vendors. The CEO group opposes mandatory reporting of security breaches and requirements that companies meet minimum computer-security standards, for fear such moves could expose their companies to legal liability.

BJ’s Wholesale Club Inc. last year filed suit against International Business Machines Corp. for providing software that allegedly allowed thousands of credit-card numbers of BJ’s customers to be stolen by an organized-crime ring last spring.

I like to see companies working out these arrangements amongst themselves, because, when the externalities don’t splash onto us, it’s a more efficient arrangement than new laws locking in a single set of liabilities for all parties. There may be issues of what clauses anyone can get into a Microsoft deal, but with increasing competition from Open Office, I expect those will get worked out over the next few years.