In Tom Espiner's story about former White House cyber-security adviser Howard Schmidt and liability for software flaws, a security representative of the BCS (British Computer Society) said that Schmidt had suggested personal accountability for software developers for the software they write. The article was mistakenly titled "Expert: Hold developers liable for flaws"; it should have used the term "accountable" instead of "liable" and will be corrected. Although the BCS doesn't endorse that extreme level of accountability, they do think the software companies developers work for should be held responsible. The word "liability" wasn't used here, but we should be careful in the choice of words. While I'm always in favor of accountability, liability is a slippery slope that we should not entertain.
Many advocates in the Open Source community favor software liability lawsuits because they view them as a way of bringing down Closed Source software companies, since those companies sell a product that can be sued over. The problem with that is: where does this slippery slope end? If a developer gives away his or her software for free and a user is hacked because of a security vulnerability in that free software, does that protect the developer from legal liability once we set a legal precedent for software malpractice? There was even a case where a medical doctor was sued for malpractice because a man needing emergency medical care died under his voluntary care outside of the hospital. Medical malpractice has already crippled the medical industry with multi-million and even billion dollar lawsuits, and doctors are leaving the profession in droves because of skyrocketing malpractice insurance premiums. Is this really the fate we want for the software industry?
I've always favored reasonable disclosure and accountability for software companies, but that accountability should be a reasonable agreement between the software maker and the consumer, be it an individual or a company. I'm talking about a set of guidelines, such as the one below, that would aim to avoid litigation if everyone does their job.
In my opinion, these are very reasonable guidelines. Any software company or individual who sells or distributes free software should have the option to adopt these guidelines or not. However, any software maker who refuses to adopt these guidelines should automatically be barred from consideration in any software purchase by any company or organization responsible for sensitive data. What this means is that anyone is still free to write bad software and anyone is still free to buy bad software; they just shouldn't expect to be compliant with anything like PCI, HIPAA or SOX, nor should they expect sympathy from a jury.