20. Manufacturers of ICT hardware and software shall be liable for negligent security failures that cause harm.

Rapporteur: Metta Spencer

Unless you live in a cave, you probably depend on a refrigerator, online bank account, airline traffic control system, oil pipeline, water treatment plant, car, subway, electric power plant, WiFi router, and maybe your pacemaker(1) and insulin pump.(2) Nowadays all of those things can be controlled by computers that can be hacked.(3) When that happens, whose fault is it, and what can you do about it?

If you ask a court who’s to blame, the judge will probably pin it all on a hacker criminal, who probably cannot be found. Yes, the hacker is the main culprit, but the programmers enabled him by writing buggy software that their company’s executives hurriedly sold without having it tested properly. The negligent vendors of such inferior products should be held accountable.

If you buy a TV set that explodes (and that has actually happened!) the manufacturer is liable for damages, but if you buy software, you probably don’t actually own it; you’ve just paid for a license to use it. (Remember that “terms of service” agreement you signed without reading it? That’s when you signed away your claims against the manufacturer, who now cannot be held liable for the software’s shoddy performance or its vulnerability to hacking. But you didn’t have much choice. You could take or leave it, so you signed, as we all do.)

The relevant laws are unlikely to be changed until internet insecurity becomes lethal. So far, the harm that hackers inflict is mostly inconvenience or financial loss—and the financial losses are far greater than the public knows. Banks and corporations avoid publicity about such events.

Read more