Third-party liability for cybersecurity failures just got a lot more real.
For years, observers of cybersecurity practices have noted a systematic underinvestment in cybersecurity by various enterprises. Critical to explaining that gap was the twofold reality of cybersecurity externalities (your failures affect me) and liability disclaimers (as, for example, in the shrink-wrap contracts you agree to when you open the software box) that prevented harmed third parties from seeking legal redress for losses to their own operations arising from the allegedly negligent security of others. To use a real-world example, when Colonial Pipeline went down, it owed nothing to its downstream partners, even though many of them suffered significant economic damage because of Colonial Pipeline's lax (dare we say negligent) approach to its own cybersecurity.
The problem of these externalities and market failures has been known for almost as long as the problem of cybersecurity has existed (see, for example, this article for the Hoover Institution from 10 years ago). In the past, the problem of liability disclaimers has been analogized to the historical legal treatment of unsafe cars under the rule of caveat emptor. Indeed, Jane Chong wrote an entire series for Lawfare, Bad Code, about the lack of liability for obvious insecurities. None of this is news to anyone paying close attention, yet the situation has persisted without end. Proposing liability for badly written code or poorly implemented security measures has been the third rail of cybersecurity policy. Touch it and you die.
No longer. In what may well be regarded as the single most innovative part of the just-previewed Biden cybersecurity strategy, the president has proposed to shift liability for insecure software products and services to "those entities that fail to take reasonable precautions to secure their software." This is truly revolutionary. It is risky. It is ambitious. It is new and different.
Will it actually come to pass? Who knows. It will probably require legislation. Resistance from entrenched interests that value their immunity from liability will be intense. And even if it does pass into law, there remains the implementation question: how does it actually affect actors in the cyber domain? That, too, is radically indeterminate.
But one has to admire the ambition. Kudos to the Biden administration for putting the issue on the table. The first shots in the fight over liability for cybersecurity failure have been fired. Now we await the outcome of the conflict.
– Paul Rosenzweig, Lawfare