Pillar III of the new U.S cyber security strategy is to “Shape Market Forces to Drive Security and Resilience”. This far reaching ambition makes sense in that it recognises the importance of cybersecurity to business and seeks to leverage market power and innovation to solve this major problem.
There is more to this, however. One of the key objectives of Pillar III is “Shifting liability for software products and services to promote secure development practice” and this means strict liability for developers is coming. And it’s not just in the US, the EU is following this path too.
The legal concept of strict liability is commonly used in product safety regulation (for the UK this is under the Consumer Protection Act, as based on the Pre-Brexit EU Product Liability Directive), which essentially sets out that certain businesses are responsible for ensuring that any physical product they place on the market is safe. As a result, those businesses are subject to the concept of strict liability, which is a greater liability burden than that usually imposed by contract or tort (the law of negligence), and it can’t be avoided.
Under strict liability, a claimant needs only to show that a product is defective and has caused it damage (in terms of injury to person or to property), in which case the manufacturer/importer/own brander of the defective product will be strictly liable to compensate the claimant for the damage caused, irrespective of the lack of any commercial relationship between the parties.
Take a deep breath for now developers as, for the moment at least, a product (as covered by the CPA and PLD) does not include software which is not incorporated as part of a physical product (although that in itself can lead to difficult questions of delineation). Also, the CPA imposes a burden of strict liability only in relation to claims by consumers. However, the lead being taken by the U.S and by the EU in imposing strict liability for developers more widely means that UK may well follow suit.
When that happens, the likelihood is that, if a consumer (or potentially a business) suffers damage as a result of a cybersecurity incident (which in all likelihood will include financial damage given the nature of the beast), a developer of any cybersecurity related software (or any party own-branding such software) may be strictly liable if it can be shown that the software package (which would include any related instructions or warnings) is defective and that the software caused the damage by failing to do its job. This could have a massive impact and result in developers facing substantial group claims at the very least.
These are early days and changes to any legislation will have to reflect the hydra-like nature of cyber security, where software developers are constantly reacting to the changing threat. In this respect, the timing of when software was supplied and when the threat arose will be a key factor. But whatever happens, developers (be the in the US, EU or UK) are soon going to be under more pressure than ever and they need to be ready.
We will place responsibility on those within our digital ecosystem that are best positioned to reduce risk and shift the consequences of poor cybersecurity away from the most vulnerable in order to make our digital ecosystem more trustworthy
Large Language Models (LLMs) are a type of artificial intelligence (AI) that use deep learning algorithms to understand and generate text, images and videos in a way that mimics similar outputs created by humans, basing its responses on the vast quantities of data they are trained on. While LLMs can generate creative text formats, legal documents, or summarise information, they are not designed to be inherently truthful or unbiased and can generate inaccurate or misleading content
Read moreAn Advance Subscription Agreement (ASA) is a financial arrangement between an investor and a company, often a startup or early-stage business. Under this agreement, the investor pays in advance for shares that will be issued at a later date, typically during the company's next funding round.
Read moreFor many founders, securing a strong customer base is central to their company’s long-term value. But what happens when the business is sold, and a key contract allows customers to walk away? This is where Change of Control provisions come into play. Too often overlooked during negotiations, these clauses can have serious ramifications for both your company's valuation and your future business prospects. Here's why founders should carefully consider these provisions.
Read more