Some people – notably information security expert Bruce Schneier – believe that if IT suppliers, particularly software providers, were civilly liable for the harm caused by buggy products, they would have an incentive to be more careful. The market currently encourages the industry to put products on sale as early as possible, and with the most hype possible, whether or not testing has been adequate or security threats have been thoroughly checked.
Would they be more careful – and would we then all be better off – if a few drastic civil judgments persuaded them to adopt better practices?
Stewart Baker of Steptoe & Johnson in DC does not think so. His article addresses mainly security measures that might reduce the number of instances of compromise of personal or commercial data. Is he persuasive? Does his reasoning apply beyond data breach to other data security issues?
If the threat of liability were a useful incentive, could it be legislated to some extent?
P.S. I had a few things to say about intermediary liability in my Technology columns last year, here and here. Some of that discussion might apply to IT suppliers, whether they are ‘intermediaries’ or not.