Can Better Data Security Be Encouraged by Civil Liability?

Some people – notably information security expert Bruce Schneier – believe that if IT suppliers, notably software providers, were civilly liable for the harm caused by buggy products, they would have an incentive to be more careful. The market currently encourages the industry to put products on sale as early as possible, and with the most hype possible, whether testing has been adequate or security threats thoroughly checked.

Here is an overview of Schneier’s position. A classic statement of the issues with software is here.

Would they be more careful – and would we then all be better off – if a few drastic civil judgments persuaded them to adopt better practices?

Stewart Baker of Steptoe & Johnson in DC does not think so. His article addresses mainly security measures that might reduce the number of instances of compromise of personal or commercial data. Is he persuasive? Does his reasoning apply beyond data breach to other data security issues?

If the threat of liability were a useful incentive, can it be legislated to some extent?

P.S. I had a few things to say about intermediary liability in my Technology columns last year, here and here. Some of that discussion might apply to IT suppliers, whether they are ‘intermediaries’ or not..


  1. David Collier-Brown

    There’s a bit of an exacerbated chicken-and-egg problem here, in that serious security technologies are far more expensive than weak technologies or snakeoil, but until we have (expensively!) demonstrated the pricey ones are viable, the snakeoil vendors will easily be able to discourage the people with money to spend from trying competing approaches.

    Bell and LaPadula’s work has some well-known problems* but a subset is perfectly capable of ensuring military-grade confidentiality in off-the-shelf computer systems.

    Demonstrating that in today’s business climate is heavy lifting, in part because it didn’t take over the world when it was first developed and the problems were less severe. The other part was that it was cheaper to let sysadmins walk out of the NSA with thumb-drives than build and administer the secure system the CIA and NSA paid to have developed (:-()

    If there were demonstrably secure systems generally available, a nice nasty lawsuit might be a good thing. Before then, I suspect not.

    [* See Ross Anderson’s “Security Engineering”, 2nd ed, Chapters 8 & 9]