New Biden Administration Cyber Strategy Proposes Dramatic Shift in Order to Hold Software Developers Liable for “Insecure” Software

Pillsbury Winthrop Shaw Pittman LLP

TAKEAWAYS

  • The Strategy’s liability proposal represents a fundamental change in the cybersecurity market for software makers.
  • Proposed legislation would seek to restrict software providers’ ability to limit liability while also incentivizing those who meet certain standards through a new safe harbor program.
  • Companies should expect the administration to take initial action where it can without congressional input, including by pushing for heightened software security accountability measures in federal procurement rules.

On March 2, 2023, the Biden administration released its National Cyber Security Strategy to create a more defensible, resilient and value-aligned digital ecosystem which includes, among other priorities, the administration’s efforts to make software firms liable for system insecurities.

Built on five pillars, the Strategy strives to: 1) defend critical infrastructure, 2) disrupt and dismantle threat actors, 3) shape market forces to drive security and resilience, 4) invest in a resilient future, and 5) forge international partnerships to pursue shared goals. Notably, the third pillar centers on limiting software makers’ ability to contractually disclaim liability for poor software security, thereby increasing the likelihood that developers of software products and services may be found liable for insecure software development and maintenance practices.

Justifying this change, the administration notes that market forces have fallen short and have failed to “adequately mobilize industry to prioritize our core economic and national security interests.” Specifically, according to the Strategy, software makers’ disclaiming liability by contract has “[reduced] their incentive to follow secure-by-design principles or perform pre-release testing.” The administration believes that software developers “must be held liable when they fail to live up to the duty of care they owe consumers, businesses, or critical infrastructure providers.”

To resolve this perceived imbalance, the administration proposes new legislation to establish liability for software products and services. That legislation, as described by the White House, would bar software manufacturers from using contracts to shift liability to end-users and would establish higher standards of care for software in specific high-risk scenarios. The end goal is to place responsibility “on the stakeholders most capable of taking action to prevent bad outcomes, not on the end-users that often bear the consequences of insecure software nor on the open-source developer of a component that is integrated into a commercial product.”

According to the Strategy, legislation to impose liability on software providers would be coupled with an “adaptable safe harbor framework” to shield providers who securely develop and maintain their software products and services. This proposal would presumably result in the imposition of de facto security standards—as enforced through the courts—with companies that meet prescribed standards obtaining liability protections, and those who do not facing greater risk of claims for insecure software development, negligent patching/vulnerability remediation, and other causes of action. Additional details of such legislation were not described in the Strategy, although the administration intends to work with Congress and the private sector to develop a bill.

While no legislative text has yet been proposed and there is no guarantee that such an initiative would pass through Congress—at least without major modifications—the Strategy’s liability proposal represents a fundamental change in the software market. If enacted, this legislation is likely to largely preempt existing state-level liability frameworks and establish an agreed-upon “standard” against which courts can measure software provider performance.

It is likely then that the administration’s proposal will be the subject of much debate in Congress. To advance this goal in the interim, companies should expect the administration to take initial action where it can without congressional input, including by pushing for heightened software security accountability measures in federal procurement rules. The administration is also likely to look favorably on enforcement activity by regulatory agencies like the SEC aimed at developers of allegedly insecure software.

Additionally, companies concerned about tort liability related to insecure software development may consider pursuing liability protections through the SAFETY Act. The SAFETY Act is an existing safe harbor program that limits or eliminates third party tort liability for a variety of security products and services deployed to deter “acts of terrorism,” including cybersecurity tools. Companies are pursuing those protections immediately, and by doing so will have liability protections available long before any new safe harbor regime is developed.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Pillsbury Winthrop Shaw Pittman LLP | Attorney Advertising
