Liability and Computer Security

Pelerin writes "In the latest Crypto-Gram, Bruce Schneier has written an interesting essay with some thoughts about the current lack of business incentives for the deployment and production of more secure software. His main recommendation/prediction is this: "Step one: enforce liabilities. This is essential. Today [...] the marketplace rewards low quality. More precisely, it rewards early releases at the expense of almost all quality. If we expect CEOs to spend significant resources on security -- especially the security of their customers -- they must be liable for mishandling their customers' data. If we expect software vendors to reduce features, lengthen development cycles, and invest in secure software development processes, they must be liable for security vulnerabilities in their products." Schneier's five-step plan for thinking about security is also good.

Pelerin continues: "All well and good, but this raises some questions in the case of a company offering security solutions based on open source / free software.

• Where does the chain of liability end? Can somebody attempt to recover damages from Linus when a kernel security hole shows up?
• Can a case be made for lower insurance rates for free software solutions? (I mean, can it be made to the accountants and the lawyers, not the techies).
• When liability enters the picture, which mechanisms can allow free software to compete based on its merits, not on the likelihood of surviving a liability lawsuit?

"

Re:Indemnity clauses

[sisukapalli1]

What's the estimated cause of Nimda so far? Code Red? SadminD? Melissa?I love you? all the other outlook worms?


Don't know of others, but the "love" thing supports a large herd of lawyers involved with paternity suits.