ICG Risk Blog - [ Implications of absence of liability: shifting the cost from perpetrator to consumer and bystander ]

Absence of liability in software design and data aggregation share a common theme: The absence of liability or responsibility for human action in any system leaves a massive open loop in which damaging action is allowed to rise, and to continue, without impact to the perpetrator's finances, equity and reputation. The unregulated impact of such action is a form of collateral damage to consumer and bystander as the cost to correct wrongful action or inaction is transferred to them.

The politico-economic system is as much at fault as are the perpetrators as the latter are only responding to the risk-reward calculations that the system presents them. If I am producer of product, tangible and intangible, and am not held accountable for the quality of those products, I will devote more attention to 'features' than to the quality of those features. If I am an aggregator of information and not held accountable for the security and accuracy of that information, I will focus on gathering/acquiring more information and designing data mining tools to exploit that information than to securing and updating that information. In both cases, it comes down to the consequences of shabby 'product.'

Speaking as one who has spent quite some time in software and systems firms, and who uses both event and entity (personal) information in data mining and analytic projects, I can say that redress is long overdue, and the risk of failing to secure that redress is rising. But if we are going to haul these 'producers' into the dock, we should also fix the system that allows them to operate - and that is the hardest of all solutions. Add to this the speed of technology, which outstrips the ability of laws to catch up with its implications. Readers are referred to these short introductions for the scale of the problem: Applying Ackoff's rules of system interdependency, Part I and Ackoff on Reductionism and Expansionism, Part II.

Rising economic loss has joined cybersecurity and homeland defense risk in driving the market, e.g., driving software and systems to improve, and driving more data aggregation and mining:

  • Software asks: Does the liability exemption relieve pressure on software makers to write more secure code? If so, are legal or regulatory changes required to correct such a "market failure"?
  • Data aggregation asks: Does the US need a national data privacy law, or, at a minimum, a requirement that data aggregators observe the Fair Credit Reporting Act rules designed to ensure that credit reports are accurate?

The software industry is maturing as spending is slowing, thus giving buyers more leverage. Conversely, proprietary software presents buyers with the high cost (direct, opportunity, and training) of a vendor change. The net gain has been in the vendors' favor. I expect that to change. (The 2002 recommendation to Congress that it "consider lifting software vendors' liability immunity because vendors had failed to 'respond adequately to the security challenge'" is a case in point.)

I agree with Oracle's chief security officer that "national-security needs combined with the lack of accountability could make software ripe for regulation"; with CA that "some form of liability may be needed to focus the software industry's attention on security"; and with NSA's director of information assurance that Congress would be quick to intervene "if something bad happens and it's because of bad software."

Matters are worse in data aggregation and worse still for non-US nationals. Sale of personal data is permitted in many states. Data-sharing agreements among nations and the US are not publicly defined. Foreign states are increasingly concerned that the US Patriot Act can be extended to US subsidiaries on foreign soil, thereby leaving the foreign state no legal recourse in US courts.


  1. Federal and state privacy laws and regulations will see customers hold vendors increasingly accountable for customers' liability in using flawed software
  2. Sarbanes-Oxley will bring increasing transparency and risk identification to vendor (for software) and customer (for breaches of their own making) alike
  3. Software license agreements will slowly, with FUD resistance, soften liability waivers that hold the vendor "harmless for damages caused by software defects"
  4. Vendors will attempt to negotiate exemptions in return for taking appropriate security measures
  5. Very large firms and systems integrators acting as intermediaries will negotiate stricter liability in their SLAs (Service Level Agreements)
  6. Those SLA advances will trickle down to the general user base
  7. The structure of the software market as we know it will change
  8. Major data aggregators, fewer in number and acting as a private intel agency to federal and state entities, will move even slower than software
  9. Foreign nations will react with laws and limits on data repatriation of local data to US parent firms

When identity thieves strike data warehouses
By Robert Vamosi
February 25, 2005

Senator Says Data Service Has Lax Rules for Security
New York Times
February 25, 2005

Companies Seek to Hold Software Makers Liable for Flaws
February 24, 2005

ChoicePoint's error sparks talk of ID theft law
By Grant Gross, IDG News Service
February 23, 2005

Canadians Fight for Privacy
By Kim Zetter
Wired News
February 4, 2005

Gordon Housworth
