70 Pages Posted: 27 Aug 2007

Abstract

Since 9/11, increased attention has been given to the security of critical national infrastructures, including transportation, finance, electric power, water supply, military, homeland security, and disaster recovery, to name but a few. These sectors are all dependent on the evolving information infrastructure, which in turn is dependent on the availability of secure software. Yet, government and industry are plagued by operating system and applications software containing myriad security vulnerabilities through which hackers and cyberterrorists can (and do) gain access to, and in many cases, take control of computer systems containing sensitive information - personal financial and medical information, corporate trade secrets and even top secret national security information.

To date courts have generally refused to find software vendors responsible for these vulnerabilities, allowing them to disclaim any liability through contractual provisions contained in software licenses. This article looks at the evolution of the software industry over the last 30 years, and the development of tort concepts during that same time period. While it may not be appropriate to apply tort law to general software, such as word processors and videogames, strong arguments can be made that current tort law can (and should) be applied to software intended to provide system and network security.

The federal government enacted the Sarbanes-Oxley Act in 2002 to deal with corporate fraud. The Act requires executives of publicly traded companies to certify that their company's computer systems are secure - under penalty of substantial fines and jail terms. Yet, the vendors who provide the software for those systems are under no obligation to certify that their software is secure.

Unless and until the government enacts legislation placing a burden on software companies to improve their software security, tort law can provide an ideal mechanism for enforcing the reasonable expectations of software licensees and users, particularly in the area of software intended to secure computer systems and networks.