The Negligence Lawsuits Arising from the Recent Cyber Breaches
Vulnerable third-party and open source components remain in wide use, often long after a fixed version has become available, because programmers and their managers simply do not apply the update. As courts settle on a view of negligence that turns on ignoring known security flaws, organizations that tolerate such known vulnerabilities in their code will become easy targets for litigation.
Wired recently reported this:
Princeton law professor Andrea Matwyshyn said: “We’re seeing courts more willing to entertain these kinds of lawsuits because the problems are real – particularly if you have evidence of a history of known security flaws that went unfixed, a court would be more likely to consider a suit by employees or other harmed parties.” (Note the use of the term “known security flaws” by Professor Matwyshyn.)
Taken together with the recent cyber hacking headlines and the level of resources corporations actually spend on cyber defense per employee, it seems clear that the “just trust us” days are ending for technology teams that show little desire to learn, or little knowledge of, even the minimum practices needed to build secure code. The lawyers and courts appear to be in the early stages of forcing them to change their ways.
From “Welcome 2015 ‒ a year of cyber(in)security,” Gelbstein “warns that in spite of the high cost of security breaches in which data are stolen ‒ over US$250 per record (some attacks involve millions of records) for notifying the parties affected, plus the commercial value of the stolen data which may consist of intellectual property valued in hundreds of millions of US dollars ‒ companies spend less than the price of a cup of coffee per employee per day on IT security.”