New York University Law Review
Issue

Volume 100, Number 5

November 2025

Software Torts and Software Contracts: Reframing the Developer’s Duty

Micah R. Musser

Flawed software costs businesses and consumers millions of dollars every year, but existing tort law does not generally require developers to compensate others for economic injuries caused by bad code. Discontented scholars and policy analysts have produced an array of proposals that would force developers to pay for harms flowing from vulnerabilities that hackers exploit to injure software users. This basic model—which would impose a duty on developers to eliminate security-related vulnerabilities but not other types of software flaws—dominates legislative and academic debates about reform. This Note argues that this focus is misconceived. It is technically ambiguous, doctrinally anomalous, and would throw national security and consumer welfare goals into conflict. Liability proponents have focused on it because they recognize that imposing new duties on software developers must realistically be limited in some way. Although the vulnerability-based limitation is ultimately misguided, this Note proposes that a party-based limitation restricting recovery to parties in near-privity is more defensible. Focusing on party-based limitations on duty instead of a vulnerability-based limitation would require thinking of software development not as a product, but rather as a professional practice subject to malpractice-like standards. This reframing, I argue, better aligns proposals for expanding software developers’ duties with existing tort doctrine while focusing a liability evaluation on the most important aspects of the software development process.