Flawed software costs businesses and consumers millions of dollars every year, but
existing tort law does not generally require developers to compensate others for
economic injuries caused by bad code. Discontented scholars and policy analysts
have produced an array of proposals that would force developers to pay for harms
flowing from vulnerabilities that hackers exploit to injure software users. This basic
model—which would impose a duty on developers to eliminate security-related
vulnerabilities but not other types of software flaws—dominates legislative and
academic debates about reform. This Note argues that this focus is misconceived. It
is technically ambiguous, doctrinally anomalous, and would throw national security
and consumer welfare goals into conflict. Liability proponents have focused on
it because they recognize that imposing new duties on software developers must
realistically be limited in some way. Although the vulnerability-based limitation is
ultimately misguided, this Note proposes that a party-based limitation restricting
recovery to parties in near-privity is more defensible. Focusing on party-based
limitations on duty instead of a vulnerability-based limitation would require
thinking of software development not as a product, but rather as a professional
practice subject to malpractice-like standards. This reframing, I argue, better aligns
proposals for expanding software developers’ duties with existing tort doctrine
while focusing a liability evaluation on the most important aspects of the software
development process.