Insurance & Technology is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Security

11:56 AM
Christopher Camejo
Connect Directly
LinkedIn
RSS
E-Mail
50%
50%

Driving Information Security, From Silicon Valley to Detroit

As software interacts with more and more of our daily lives, technology providers may be liable for more damages than they have in the recent past.

For better or worse, computer software vendors are practically devoid of any liability for vulnerabilities in the software they sell (although there is certainly a heated discussionon this topic). As far as vendors are concerned, software is "licensed" rather than sold, and users who accept those licenses are agreeing to waive certain rights, including the right to collect damages resulting from failures in the software.

To pull one particular example from the licensefor Microsoft SQL Server Enterprise 2012, a widely used piece of database software that underpins a significant number of enterprise applications that handle millions of dollars worth of transactions each:

YOU CAN RECOVER FROM MICROSOFT AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO THE AMOUNT YOU PAID FOR THE SOFTWARE... YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.

When a flaw is discovered, including security flaws that are actively being exploited to breach systems, a vendor will typically issue a patch (sometimes many months later, and, hopefully without causing more problems than they fix), and that is the end of the issue: no lawsuits, no refunds, and no damages.

This liability-free model used by software vendors stands in stark contrast to almost any other product that is bought and sold. Product liability laws hold manufacturers and sellers responsible for design or manufacturing defects in their products. Rather than releasing a fix and calling it a day, these companies will find themselves on the hook financially for the consequences of their failures.

Software infiltrates everything

Government oversight from organizations like the Consumer Product Safety Commission, the National Highway Traffic Safety Administration, and the Food and Drug Administration track complaints and have the ability to force recalls or issue fines. For a recent example of these consequences we can look to General Motors' ignition recall troubles that have so far resulted in $2.5 billion worth of recalls, fines, and compensation funds.

Most consumer products also don't receive the frequent software updates that we are used to applying to our computers; whatever software version comes in a consumer product tends to stay in it for life. In the automotive world this has already led to some comically outdated in-dash navigation, information, and entertainment systems (especially when compared to today's rapidly evolving smartphones and tablets) but will also likely lead to some horribly vulnerable unpatched software.

Read the rest of this article on Wall Street & Technology

Christopher Camejo is an integral part of the Consulting leadership team for NTT Com Security, one of the largest security consulting organizations in the world. He directs NTT Com Security's assessment services including ethical hacking and compliance assessments. Mr. Camejo ... View Full Bio

Register for Insurance & Technology Newsletters
Slideshows
More Slideshows
Video
All Videos