Computer Malpractice

Copyright (c) Cem Kaner. All rights reserved.

This was originally published in Software QA, Volume 3, #4, p. 23.

Malpractice is a widely discussed type of lawsuit. Unfortunately, it is also widely misunderstood, with misinformation spread in private discussions, in the press, and in political discussions. For example, several people have insisted to me that software developers are sued "all the time" for malpractice. This is absolutely untrue. Depending on what you're willing to count as a "computer malpractice" case, the number of successful computer malpractice lawsuits in the United States is between one (1) and five (5).

For the moment, computer malpractice is a losing lawsuit because to be sued for malpractice (professional negligence), you must be (or claim to be) a member of a profession. Software development and software testing are not professions as this term is usually used in malpractice law. Therefore, malpractice suits against programmers and testers fail.

Introduction: Definition of computer malpractice

A malpractice suit involves professional negligence. Computer malpractice involves professional negligence when providing computer-related services. In any negligence suit, the plaintiff must prove:

Duty. If you provide services to someone, you have a legal responsibility (a duty) to exercise reasonable care in providing the services. For example, if you provide consulting services, your duty is to take reasonable care to provide good advice. If you provide data backup and archiving services, your duty is to take reasonable measures to ensure that you copy the right data and that you keep it safe. 1



Negligent breach of the duty. If you gave bad advice, you might or might not have been negligent. To prove negligence, the plaintiff has to show that no reasonable person in your situation would have given the advice that you gave. Similarly, if a data archiving service loses its client's data, it has probably committed a breach of contract, but it might or might not have committed negligence. To prove negligence, the plaintiff would have to prove that the service didn't take reasonable measures to safeguard the data.

Consider this example of software support advice. People call you when they have problems running their software. One day, you advise a caller that her problems come from an insufficiently-compatible video card. Actually, the caller has set one of the program's display options incorrectly and replacing the video card won't help. Have you committed negligence? Maybe. We can't tell, just based on these facts, because we don't know what a reasonable support advisor would have done. Let's add three facts. First, suppose that you have a database of common problems and this problem was in the database. Second, suppose that the caller's description was specific enough that you would have easily found the problem (and the solution) in the database if you looked. Third, suppose that most software support providers would have used this database if they had it. This last point establishes a standard of care - most support advisors would have checked the database. If you don't check the database, and you provide expensive bad advice, you can be accused of acting unreasonably.

Prevailing standard of care. The fundamental difference between an ordinary suit for negligence and a suit for malpractice lies in the definition of the prevailing standard of care. 2

If someone sues you for ordinary negligence, they will compare your behavior to what any reasonable person would have done under the circumstances. If they sue for malpractice, they will compare your behavior to what a reasonable member of your profession would have done. Professional standards are much higher and much better documented. (For example, they might be written down in ANSI standards documents.) Therefore, if you act negligently in a professional capacity, it will be easier to prove your negligence by comparing you to other professionals than by comparing you to any reasonably bright and careful person who might undertake to provide the services that you provided. In complex situations, different reasonable people will collect and evaluate information very differently. This makes the plaintiff's task difficult but the principle is the same. She'll have to show that you didn't approach the problem in any of the ways that reasonable people do, or that no reasonable person would have approached it in the way that you did.





History of computer malpractice suits

Few published court cases involve claims of computer malpractice. Of those that exist, most involve a brief statement by the Court that there is no such thing in the law as "computer malpractice." Therefore, that aspect of the lawsuit is rejected and the Court moves on to discuss more interesting parts of the case. Here are the main American cases that discuss malpractice in detail.

The case of Chatlos Systems v. National Cash Register Corp. (1979)3 is the first important computer malpractice case. An NCR salesman did a detailed analysis of Chatlos' business operations and computer needs, and advised Chatlos to buy NCR equipment. Relying on NCR's advice, Chatlos bought a system that never provided several promised functions. Chatlos sued. NCR was held liable for breach of contract. In its Footnote 1, the Court discussed Chatlos' claim of malpractice:

The novel concept of a new tort called 'computer malpractice' is premised upon a theory of elevated responsibility on the part of those who render computer sales and service. Plaintiff equates the sale and servicing of computer systems with established theories of professional malpractice. Simply because an activity is technically complex and important to the business community does not mean that greater potential liability must attach. In the absence of sound precedential authority, the Court declines the invitation to create a new tort.

This refusal to recognize the validity of a lawsuit for computer malpractice has been widely quoted.

The next interesting case was Invacare Corp. v. Sperry Corp. 4 Invacare claimed that it had relied on advice of Sperry employees when it leased a Univac computer and sued for fraud, breach of contract, and negligence. Sperry argued that the negligence suit couldn't succeed because there is no cause of action for computer malpractice. Bowing to the Chatlos decision, the Court agreed that there is no such thing as computer malpractice. But, the Court said, Invacare wasn't claiming that Sperry's acts constituted malpractice. Invacare's claim was that the system was so inadequate for the job that no reasonable person would have recommended it. This is just a lawsuit for ordinary negligence, not professional negligence, and the Court allowed it to proceed.

In 1985, the Internal Revenue Service ruled that if a program goes beyond purely mechanical assistance in the preparation of a tax return, the author of the program is a tax return preparer.5 The IRS can fine a tax preparer who acts negligently, or participates in fraud on the IRS.

When an individual or a company sells a software program to a customer to aid in the preparation of a tax return, IRS noted, a customer may be unaware that the program is incomplete or inadequate and therefore may use it to create an erroneous return.

If using the computer program results in an understatement of tax liability for the taxpayer, the software company may be subject to a penalty.6

This IRS ruling is not a malpractice ruling, but it addresses an important point in the larger area of professional misconduct, and it reflects a well accepted principle of malpractice. Someone who provides bad legal advice can be sued for legal malpractice whether they're a lawyer or not. Someone who provides bad medical care can be sued for medical malpractice whether they're a doctor or not. Someone who provides bad engineering while claiming to be a professional engineer can be sued for engineering malpractice, whether they are licensed as a professional engineer or not. The IRS ruling extended this principle to computer programs that provide professional services. I haven't seen such a lawsuit yet, but it seems likely that a software company can be sued for legal, medical, engineering, architectural, or other malpractice if it claims to provide these professional services and provides them incompetently.

The recent case of State v. Despain (1995) 7 illustrates the same point. A non-lawyer bought a computer program that printed legal forms. She helped clients fill out the forms. This was held to be the unauthorized practice of law. The Court carefully pointed out that the sale of computer software that merely contains (and prints) blank legal forms is not the practice of law. But (p. 578)

the preparation of legal documents for others to present in . . . court constitutes the practice of law when such preparation involves the giving of advice, consultation, explanation, or recommendation on matters of law. Further, instructing other individuals in the manner in which to prepare and execute such documents is also the practice of law.

If your company provides a program that promises legal, medical, dental, architectural or other professional engineering services and advice, think carefully about what you provide and what your marketing materials claim that you provide. If your program appears to be providing professional services, your company might be sued not for computer malpractice but for legal or medical or dental (etc.) malpractice.

1986 brought the main case (I think it is the only case) that unambiguously recognizes a valid suit for computer malpractice. The Chatlos decision came in New Jersey and was followed in many other States. But laws do differ from State to State. This case, Data Processing Services, Inc. v. L.H. Smith Oil, Corp. (1986)8, was decided in Indiana. The Court stated that (p. 319):

Those who hold themselves out to the world as possessing skill and qualifications in their respective trades or professions impliedly represent they present the skill and will exhibit the diligence ordinarily possessed by well informed members of the trade or profession.

The Court decided that this principle applies just as well to computer programmers as it does to lawyers, architects, building contractors, etc. It then upheld a finding of liability on DPS' part by noting that (p. 320):

(a) DPS represented it had the necessary expertise and training to design and develop a system to meet the needs of Smith; (b) DPS lacked the requisite skills and expertise to do the work; (c) DPS knew it lacked the skill and expertise; (d) DPS should have known Smith was dependent upon DPS's knowledge and abilities; and, (e) DPS should have foreseen Smith would incur losses if DPS did not perform as agreed.

Diversified Graphics, Ltd. v. Groves (1989) 9 was the next successful malpractice case. Diversified hired the accounting firm of Ernst & Whinney (E & W) to help choose a computer system. Diversified sued for professional negligence & won. In its appeal, E & W argued that Diversified had failed to define the professional standard of care or to show how E & W had violated the standard. Though the Court explicitly stated that this was a computer case (not an accounting case), it determined the standard of care from E & W's own "Guidelines to Practice" which included management advisory practice standards that had been incorporated by the American Institute of Certified Public Accountants (AICPA). It's not a big stretch to hold an accounting firm liable for computing consulting malpractice when the proof of the malpractice is proof of failure to follow AICPA standards.

In 1991, Wang Laboratories was sued for negligence and gross negligence.10 Wang sold a computer and a service contract to Orthopedic & Sports Injury Clinic. While attempting to fix the computer, Wang's employee used, and corrupted, the Clinic's last backup disk, thereby losing five years of the clinic's medical and accounting data. (Oops.) The contract limited the amount of damages that Orthopedic could collect from Wang, but Louisiana law (and many other States' laws) allows the plaintiff to recover all damages if the defendant committed gross negligence. The Court ruled that Orthopedic hadn't proved that this use of the backup disk was gross negligence. However, it did allow the lawsuit to go forward as a suit for ordinary negligence. This is another example of a case in which a Court allowed a negligence suit (not malpractice, but ordinary negligence) to proceed against a computer (service or software) seller.

In the case of RKB Enterprises, Inc. v. Ernst & Young (1992) 11, RKB retained Ernst & Young (formerly called Ernst & Whinney) to provide computer consulting services. These included helping RKB procure a data processing system, including helping to oversee and assist in the implementation. RKB sued for, among other things, professional malpractice. The Court rejected this claim, saying (p. 816):

It should be noted that there is no cause of action for professional malpractice in the field of computer consulting. . . . [We] decline to create a new tort applicable to the computer industry. Nor does the fact that Ernst & Whinney was the certified public accountant firm engaged by the plaintiff during the same period add a dimension to the computer or management consulting services separate from the subject of plaintiff's breach of contract claim.

The case of Hospital Computer Systems v. Staten Island Hospital (1992) 12 reached the same result and added more well-quoted explanation (p. 1361):

Professionals may be sued for malpractice because the higher standards of care imposed on them by their professions and by state licensing requirements engenders trust in them by clients that is not the norm of the marketplace. When no such higher code of ethics binds a person, such a trust is unwarranted. Hence, no duties independent of those created by contract or under ordinary tort principles are imposed on them.

Why does it matter if we can be sued for malpractice?

Software testers and programmers can be sued for negligence and for breach of contract, whether or not they can be sued for malpractice. 13 So why does it matter whether malpractice is a viable type of lawsuit? 14

Malpractice suits are more serious than suits for breach of contract or for simple negligence. The plaintiff enjoys several advantages in a malpractice suit, including these:

A non-professional service provider's contract might limit the damages that it must pay the customer. The customer's losses might be much more than the limited amount of damages that the contract allows. These limits might be enforced in a simple negligence case, but they are rejected in malpractice suits because they are deemed to violate public policy. 15 For example, as an attorney in California, I can be charged in a State Bar Court with violating the profession's Code of Professional Responsibility if I even attempt to put a clause in a contract of representation of a client that limits my liability for malpractice.



Malpractice lawsuits sometimes provide plaintiffs with procedural benefits. For example, the plaintiff might be able to file the suit after it is too late to file a negligence or contract suit, or in a different State, or under a different State's laws. The plaintiff might also be able to avoid an arbitration clause or certain defense arguments (such as comparative negligence) that might be available in negligence or contract suits.



Professionals are held responsible for their advice under a broader range of circumstances. A paying customer might have a hard time proving that a non-professional consultant intended her to take the consultant's advice seriously and to follow it immediately. In contrast, as an attorney, I risk malpractice liability if I make a dumb suggestion to a non-paying stranger at a cocktail party.

A malpractice plaintiff might also be more able to collect punitive damages.

Over the years, several people have advocated the licensing and professionalization of computer specialists. There are benefits to this, but we should approach this idea with open eyes. Becoming a professional carries significant additional legal responsibilities that are enforced by malpractice liability.

Why judges don't classify computer experts as "professionals"

Five factors are widely quoted as hallmarks of a profession:

the requirement of extensive learning and training;

a code of ethics imposing standards above those normally tolerated in the marketplace;

a disciplinary system for members who breach the code;

a primary emphasis on social responsibility over strictly individual gain, and the corresponding duty of its members to behave as members of a disciplined and honorable profession; and

the prerequisite of a license prior to admission to practice. 16

Few or none of these apply in computing. Therefore, we should not be subject to malpractice liability.

What about people who call themselves engineers?

Several people are considering taking the ASQC examination to become Certified Software Quality Engineers (CSQE). Others of us have become ASQC-Certified Quality Engineers (CQE). A lawyer can make a persuasive argument that a CQE or CSQE should be subject to malpractice liability, even though we are not members of a recognized profession. The problem is that by using the word "engineer" on our stationery or resume, we can be accused of representing ourselves as professionals. Engineering is a licensed profession, and engineers are subject to malpractice liability.

I'm an ASQC-CQE. I became aware of the risk of malpractice liability in 1993 when my legal malpractice insurance carrier pointed out that my policy covered me for legal malpractice but not for engineering malpractice. That didn't bother me much because I generally like the idea of holding people accountable for incompetent work, whether they are members of a licensed profession or not. I have continued to list my ASQC-CQE on my stationery since I received it in 1992.

Unfortunately, while doing research for this article, I ran across the following statute, Section 6732 of the California Business and Professions Code, which makes it unlawful to represent yourself as an engineer if you are not registered with the State:

It is unlawful for anyone other than a professional engineer registered under this chapter, to . . . use the title . . . "quality engineer."

As I read Section 6787(f), calling myself a "quality engineer" is a misdemeanor (a crime), subject to a penalty of not more than a $1000 fine and three months in the county jail. My understanding is that other States also restrict the use of the word "engineer" to licensed professionals. Obviously, the phrase "Certified Quality Engineer" is coming off of my stationery immediately.

If you are considering taking one of the ASQC exams, you might consider writing the ASQC and asking them to change the title on the certificate.



1 If you provide a product, you have a legal responsibility (duty) to design and manufacture a product that doesn't pose an unreasonable risk of injury or property damage. For discussion of negligence that results in personal injury or property damage, see my paper, "Software negligence and testing coverage" in Software QA Quarterly, Vol. 2, #2, p. 18, 1995.

2 The classic discussion of this is in W.P. Keeton, D.B. Dobbs, R.E. Keeton, & D.G. Owen, Prosser & Keeton on Torts, West Publishing, Fifth Edition (Hornbook Series, pp. 185-193).

3 Chatlos Systems v. National Cash Register Corp., Federal Supplement, Vol. 479, p. 738, United States District Court for the District of New Jersey, 1979.

4 Invacare Corp. v. Sperry Corp., Federal Supplement, Vol. 612, p. 448, United States District Court for the Northern District of Ohio, 1984.

5 "Revenue Ruling 85-189: Return preparers; sale of computer program. A person who prepares a computer program and sells it to a taxpayer to use in preparing the tax-payer's income tax return may be an income tax return preparer." Internal Revenue Cumulative Bulletin, volume 1985-2, p. 341.

6 "IRS announces that companies who sell return preparation computer software and programs may be considered return preparers subject to penalties." I.R.S. News Release, IR-86-92 (May 6, 1986).

7 State v. Despain, South Eastern Reporter, Second Series, Vol. 460, p. 576, Supreme Court of South Carolina, 1995.

8 Data Processing Services, Inc. v. L.H. Smith Oil, Corp., North Eastern Reporter, Second Series, Vol. 492, p. 314, Court of Appeals of Indiana, 1986.

9 Diversified Graphics, Ltd. v. Groves, Federal Reporter, Second Series, Vol. 868, p. 293, United States Court of Appeals for the 8th Circuit, 1989 (Missouri).

10 Orthopedic & Sports Injury Clinic v. Wang Laboratories, Inc., Federal Reporter, Second Series, Vol. 922, p. 220, United States Court of Appeals for the Fifth Circuit (Louisiana).

11 RKB Enterprises, Inc. v. Ernst & Young, New York Supplement, Second Series, Vol. 582, p. 814, New York Supreme Court, Appellate Division, 1992.

12 Hospital Computer Systems v. Staten Island Hospital, Federal Supplement, Vol. 788, p. 1351, United States District Court for the District of New Jersey, 1992.

13 Individual testers and programmers who work as employees will rarely be sued for negligence or malpractice, but consultants and businesses that provide programming and testing services can face such suits. If there's enough interest in the question (write me at kaner@kaner.com), I might explore the general question of liability of employees in another article.

14 T.C. Galligan's article, "Contortions along the boundary between contracts and torts," Tulane Law Review, Vol. 69, p. 457, is an interesting discussion. See R.L. Bernacchi, P.B. Frank, & N. Statland, Bernacchi on Computer Law, Section 3-40 for additional examples of malpractice issues.

15 See Harris v. National Evaluation System, Inc. for a representative discussion of this issue. Federal Supplement, Vol. 719, p. 1081, United States District Court for the Northern District of Georgia, 1989.

16 K.S. MacKinnon, "Computer malpractice: Are computer manufacturers, service bureaus, and programmers really the professionals they claim to be?" Santa Clara Law Review, Volume 23, p. 1065, 1983 quotes these (on p. 1078) as part of an argument favoring application of malpractice rules to professionals. E.B. Galler, "Contracting problems in the computer industry: Should computer specialists be subjected to malpractice liability" Insurance Counsel Journal, October, 1983, p. 574 works through the same characteristics on the other side of the argument.





Cem Kaner consults on technical and management issues, practices law, and teaches within the software development community. His book, Testing Computer Software, received the Award of Excellence in the Society for Technical Communication's 1993 Northern California Technical Publications Competition. He has managed every aspect of software development, including software development projects, software testing groups and user documentation groups. He has also worked as a programmer, a human factors analyst / UI designer, a salesperson, a technical writer, an associate in an organization development consulting firm, and as an attorney (typically representing customers and software development service providers). He has also served pro bono as a Deputy District Attorney, as an investigator/mediator for Santa Clara County's Consumer Affairs Department, and as an Examiner for the California Quality Awards. He holds a B.A. (Math, Philosophy, 1974), a J.D. (1993), and a Ph.D. (Experimental Psychology, 1984) and is Certified in Quality Engineering by the American Society for Quality Control. He teaches at UC Berkeley Extension, and by private arrangement, on software testing and on the law of software quality.

The articles at this web site are not legal advice. They do not establish a lawyer/client relationship between me and you. I took care to ensure that they were well researched at the time that I wrote them, but the law changes quickly. By the time you read this material, it may be out of date. Also, the laws of the different States are not the same. These discussions might not apply to your circumstances. Please do not take legal action on the basis of what you read here, without consulting your own attorney.


Last modified: Monday November 10, 1997. Copyright © 1997, Cem Kaner. All rights reserved.