The Homeland Security Bill passed by the US Congress this week may
provide a legal framework within which vendors can protect
themselves from legal action by corporate users.
The bill has already drawn flak from some IT analysts, who claim the
best way to improve software reliability is to make vendors liable
for the products they sell.
The aim of the bill is to safeguard technologies that vendors may
be reluctant to make available without liability limits, such as
chemical, biological and radiological sensors.
But the legislation is so broad that qualifying technologies may
include widely used products, such as firewalls, antivirus software
and intrusion-detection systems.
Analysts said the Department of Homeland Security must determine
which technologies qualify as contributing to anti-terrorism
efforts.
Gartner analyst John Pescatore compared the liability provision to
an effort to limit IT product liability in the states under the
Uniform Computer Information Transactions Act (UCITA).
"This seems to be trying to sneak in 'UCITA lite' on the federal
level," he said.
David Colton, vice-president of the Information Technology
Association of America, an industry trade group that backed the
liability-limiting provision, said the protections were critical to
ensuring that vendors could offer their most advanced hardware and
software.
Colton said the legislation would be especially helpful for
start-ups and smaller companies, "where many of the most innovative
and cutting-edge solutions come from".
But if the liability protections are extended to systems that are
routinely used by businesses, it can only add to scepticism about
the law's intent.
The legislation limits vendor liability to the maximum amount of
"reasonably available" insurance and bans punitive damages. It is
primarily aimed at government use of these technologies, but does
not exclude businesses that purchase the same products.
For most companies, however, a law limiting liability will not
significantly change what goes on. Most contracts already limit
liability.
"It doesn't change the world too much, because we're not focused
enough on holding vendors' feet to the fire to build quality
software," said Gerry Brady, chief technology officer at
Guardent.
Liability limitation in software has been a contested issue for
many years. Alan Paller, director of research at the SANS
Institute, said buyers could address some of the contractual
concerns if they exercise their "community responsibility" to
require vendors to provide proactive, automatic correction of
problems, rather than searching for fixes on a Web site.
"Since the problem is caused contractually, it can be solved
contractually," Paller said.