Being sued for security holes?
TechRepublic have an interesting article covering whether Software Developers should face legal action if their coding results in (presumably exploited) security vulnerabilities.
Given that most security breaches result in data loss (for individuals) – fines from the ICO ought to be relevant –
- Tesco being investigated by the ICO
- Belfast NHS Trust fined £225,000 by the ICO
- London council finded £70,000 by the ICO
So, in some ways, liability is already on developers – or at least the software’s owners.
Moving liability onto developers seems attractive, but isn’t going to work – unless you can deal with :
- Overseas developers
- Applications being based on open source components
- That the security landscape changes with time (so something that was secure last year may not be now)
- That with the total system, software is not the only component – what about the hosting environment / platform, users, network access, password policies, disgruntled ex-staff and so on. Should Systems administrators also be sue-able if they’ve not installed the latest service pack/patch?