Sunday, May 21, 2017
“To update or not to update,” that is the question any Board of Directors must answer.
Microsoft’s Old Software Is Dangerous. Is There a Duty to Fix It?
A global ransomware epidemic is winding down, but questions over the fallout are just beginning. Who's to blame for the crisis that hijacked hundreds of thousands of computers? And can anyone stop such criminals, whose victims included hospitals and police, from striking again?
These aren't easy questions, but one company, Microsoft, has more explaining to do than most. After all, it was flaws in Windows systems that allowed hackers to carry out the ransomware attacks, which also struck companies and governments. In some cases, like the U.K.'s National Health Service, the frozen computers put lives at risk.
If this was a different industry, Microsoft would likely face lawsuits for selling a faulty product. But its product is software, and suing over flawed software is difficult. This means the legal case against Microsoft is feeble—even if the moral one may be strong.
… There's also the fact that Windows is a closed software platform. This means any defects in its source code are hard to detect because the internal workings that make it run—the source code—are all but invisible to those outside the company. This is why some people, like Eben Moglen, a noted computer law professor at Columbia University, consider platforms like Windows to be intrinsically dangerous.
"Proprietary software is an unsafe building material," he explained in a published speech. "You can’t inspect it. You can’t assess its complex failure modes easily, by simply poking at the finished article. And most important of all, if you were aware of a problem that was of a safety-enhancing kind, that you could fix, you couldn’t fix it."
… Cyber law professor Jennifer Granick of Stanford University suggests auto-industry-style liability is not appropriate for software.
"While it is true that companies need to start to prioritize security in coding, it is unreasonable to ask Microsoft to be liable for anything that can be done with the 50 million lines of code in Windows 10," Granick told Fortune by email.
Not specifically targeted, but generally more vulnerable?
Dena Feldman and Christopher Hanson write:
Last week, the Health Care Industry Cybersecurity (HCIC) Task Force (the “Task Force”) published a pre-release copy of its report on improving cybersecurity in the health care industry. The Task Force was established by Congress under the Cybersecurity Act of 2015. The Task Force is charged with addressing challenges in the health care industry “when securing and protecting itself against cybersecurity incidents, whether intentional or unintentional.”
The Task Force released its report mere days before the first worldwide ransomware attack, commonly referred to as “WannaCry,” which occurred on May 12. The malware is thought to have infected more than 300,000 computers in 150 jurisdictions to date. In the aftermath of the attack, the U.S. Department of Health and Human Services (HHS) sent a series of emails to the health care sector, including a statement that government officials had “received anecdotal notices of medical device ransomware infection.” HHS warned that the health care sector should particularly focus on devices that connect to the Internet, run on Windows XP, or have not been recently patched. As in-house counsels understand, the ransomware attack raises a host of legal issues. For example, a recent Covington alert addresses insurance coverage for ransom attacks.
Read more on Covington & Burling Inside Medical Devices.
A more general question: Do we stifle creativity by insisting on security? I really doubt it. Companies that can deliver both will find the premium price they can charge will more than compensate for extra development time.
As federal and state governments struggle to address future healthcare regulation, demand for healthcare that is cheaper, better and faster continues to surge. Every day, new healthcare apps are being developed to respond creatively to this demand. But pitfalls may await unsuspecting app developers where the lightning-fast technology sector meets the highly-regulated healthcare industry. Failure to comply with the Health Insurance Portability and Accountability Act (HIPAA) is one such pitfall.
In this update, we highlight several HIPAA issues that all developers in the healthcare app field should consider, as well as healthcare plans, insurers and other parties contracting with developers.
Their update covers a number of issues, but I thought I’d pull out just one for you that highlights some of the complexities in working in this space:
From whom will the developer be gathering data? A customer or consumer?
Consumer-facing products that are not made available on behalf of a covered entity or business associate generally will not be subject to HIPAA, but may be subject to stringent privacy and security requirements under the Federal Trade Commission Act and state law. Products created for a covered entity or business associate customer that gather data from or provide data to consumers, however, may cause the developer to be subject to HIPAA.
Read their full alert on PerkinsCoie.
Perhaps we need an “encryption revolution” to break from the evil government issuing such warrants?
Roger L. Stavis writes:
The “Warrant Clause” of the Fourth Amendment provides that “no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.” In a recent opinion requiring search warrants for “smart phones,” U.S. Supreme Court Chief Justice John G. Roberts expounded on the history behind the Fourth Amendment:
Our cases have recognized that the Fourth Amendment was the founding generation’s response to the reviled ‘general warrants’ and ‘writs of assistance’ of the colonial era, which allowed British officers to rummage through homes in an unrestrained search for evidence of criminal activity. Opposition to such searches was in fact one of the driving forces behind the Revolution itself.
Unfortunately, “general” warrants, authorizing “rummaging” searches without specification, are alive and well in the 21st Century. More often than not, such “general warrants” are relied upon to authorize “rummaging” searches of computers.
Read more on New York Law Journal (free sub. required).
[From the Journal article:
One commentator has noted that computers "are postal services, playgrounds, jukeboxes, dating services, movie theaters, daily planners, shopping malls, personal secretaries, virtual diaries and more." Kerr, "Searches and Seizures in a Digital World," 119 Harv. L. Rev. 531, 569 (2005).