Microsoft’s Old Software Is Dangerous. Is There a Duty to Fix It?
A global ransomware epidemic is winding down, but questions over the fallout are just beginning. Who's to blame for the crisis that hijacked hundreds of thousands of computers? And can anyone stop such criminals, whose victims included hospitals and police, from striking again?
These aren't easy questions, but one company, Microsoft, has more explaining to do than most. After all, it was flaws in Windows systems that allowed hackers to carry out the ransomware attacks, which also struck companies and governments. In some cases, like the U.K.'s National Health Service, the frozen computers put lives at risk.
If this was a different industry, Microsoft would likely face lawsuits for selling a faulty product. But its product is software, and suing over flawed software is difficult. This means the legal case against Microsoft is feeble—even if the moral one may be strong.
… There's also the fact Windows is a closed software platform. This means any defects in its source code are hard to detect because the internal workings that make it run—the source code—are all but invisible to those outside the company. This is why some people like Eben Moglen, a noted computer law professor at Columbia University, consider platforms like Windows to be intrinsically dangerous.
"Proprietary software is an unsafe building material," he explained in a published speech. "You can’t inspect it. You can’t assess its complex failure modes easily, by simply poking at the finished article. And most important of all, if you were aware of a problem that was of a safety-enhancing kind, that you could fix, you couldn’t fix it."
… Cyber law professor Jennifer Granick of Stanford University suggests auto-industry style liability is not appropriate for software.
"While it is true that companies need to start to prioritize security in coding, it is unreasonable to ask Microsoft to be liable for anything that can be done with the 50 million lines of code in Windows 10," Granick told Fortune by email.
Not specifically targeted, but generally more vulnerable?
Dena Feldman and Christopher Hanson write:
Last week, the Health Care Industry Cybersecurity (HCIC) Task Force (the “Task Force”) published a pre-release copy of its report on improving cybersecurity in the health care industry. The Task Force was established by Congress under the Cybersecurity Act of 2015. The Task Force is charged with addressing challenges in the health care industry “when securing and protecting itself against cybersecurity incidents, whether intentional or unintentional.”
The Task Force released its report mere days before the first worldwide ransomware attack, commonly referred to as “WannaCry,” which occurred on May 12. The malware is thought to have infected more than 300,000 computers in 150 jurisdictions to date. In the aftermath of the attack, the U.S. Department of Health and Human Services (HHS) sent a series of emails to the health care sector, including a statement that government officials had “received anecdotal notices of medical device ransomware infection.” HHS warned that the health care sector should particularly focus on devices that connect to the Internet, run on Windows XP, or have not been recently patched. As in-house counsels understand, the ransomware attack raises a host of legal issues. For example, a recent Covington alert addresses insurance coverage for ransom attacks.
Read more on Covington & Burling Inside Medical Devices.
A more general question: Do we stifle creativity by insisting on security? I really doubt it. Companies that can deliver both will find the premium price they can charge will more than compensate for extra development time.
From PerkinsCoie:
As federal and state governments struggle to address future healthcare regulation, demand for healthcare that is cheaper, better and faster continues to surge. Every day, new healthcare apps are being developed to respond creatively to this demand. But pitfalls may await unsuspecting app developers where the lightning-fast technology sector meets the highly-regulated healthcare industry. Failure to comply with the Health Insurance Portability and Accountability Act (HIPAA) is one such pitfall.
In this update, we highlight several HIPAA issues that all developers in the healthcare app field should consider, as well as healthcare plans, insurers and other parties contracting with developers.
Their update covers a number of issues, but I thought I’d pull out just one for you that highlights some of the complexities in working in this space:
From whom will the developer be gathering data? A customer or consumer?
Consumer-facing products that are not made available on behalf of a covered entity or business associate generally will not be subject to HIPAA, but may be subject to stringent privacy and security requirements under the Federal Trade Commission Act and state law. Products created for a covered entity or business associate customer that gather data from or provide data to consumers, however, may cause the developer to be subject to HIPAA.
Read their full alert on PerkinsCoie.
Perhaps we need an “encryption revolution” to break from the evil government issuing such warrants?
Roger L. Stavis writes:
The “Warrant Clause” of the Fourth Amendment provides that “no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.” In a recent opinion requiring search warrants for “smart phones,” U.S. Supreme Court Chief Justice John G. Roberts expounded on the history behind the Fourth Amendment:
Our cases have recognized that the Fourth Amendment was the founding generation’s response to the reviled ‘general warrants’ and ‘writs of assistance’ of the colonial era, which allowed British officers to rummage through homes in an unrestrained search for evidence of criminal activity. Opposition to such searches was in fact one of the driving forces behind the Revolution itself.
Unfortunately, “general” warrants, authorizing “rummaging” searches without specification, are alive and well in the 21st Century. More often than not, such “general warrants” are relied upon to authorize “rummaging” searches of computers.
Read more on New York Law Journal (free sub. required).
[From the Journal article:
One commentator has noted that computers "are postal services, playgrounds, jukeboxes, dating services, movie theaters, daily planners, shopping malls, personal secretaries, virtual diaries and more." Kerr, "Searches and Seizures in a Digital World," 119 Harv. L. Rev. 531, 569 (2005).]