US Homeland Security bill limits vendor liability

The Homeland Security Bill passed by the US Congress this week may provide a legal framework within which vendors can protect themselves from legal action by corporate users.

The bill has already drawn flak from some IT analysts, who claim the best way to improve software reliability is to make vendors liable for the products they sell.

The aim of the bill is to safeguard technologies that vendors may be reluctant to make available without liability limits, such as chemical, biological and radiological sensors.

But the legislation is so broad that qualifying technologies may include widely used products, such as firewalls, antivirus software and intrusion-detection systems.

Analysts said the Department of Homeland Security must determine which technologies qualify as contributing to anti-terrorism efforts.

Gartner analyst John Pescatore compared the liability provision to an effort to limit IT product liability in the states under the Uniform Computer Information Transactions Act (UCITA).

"This seems to be trying to sneak in 'UCITA lite' on the federal level," he said.

David Colton, vice-president of the Information Technology Association of America, an industry trade group that backed the liability-limiting provision, said the protections were critical to ensuring that vendors could offer their most advanced hardware and software.

Colton said the legislation would be especially helpful for start-ups and smaller companies, "where many of the most innovative and cutting-edge solutions come from".

But if the liability protections are extended to systems that are routinely used by businesses, it can only add to scepticism about the law's intent.

The legislation limits vendor liability to the maximum amount of "reasonably available" insurance and bans punitive damages. It is primarily aimed at government use of these technologies, but does not exclude businesses that purchase the same products.

For most companies, however, a law limiting liability will not significantly change what goes on. Most contracts already limit liability.

"It doesn't change the world too much, because we're not focused enough on holding vendors' feet to the fire to build quality software," said Gerry Brady, chief technology officer at Guardent.

Liability limitation in software has been a contested issue for many years. Alan Paller, director of research at the SANS Institute, said buyers could address some of the contractual concerns if they exercise their "community responsibility" to require vendors to provide proactive, automatic correction of problems, rather than searching for fixes on a Web site.

"Since the problem is caused contractually, it can be solved contractually," Paller said.