ThrowawayR2 10 hours ago
I wonder when the public is going to start calling for corporate liability for malpractice in software development and corporate liability for malpractice in IT deployments. Even if the tech industry fights it, it probably won't be that much longer.
brendanyounger 10 hours ago
I'll never understand this point of view. If someone would please explain how to create perfectly secure software, I will gladly start writing perfectly secure software. Only after, if it's clear I ignored obviously correct advice, should there be malpractice penalties. Consider surgery instead of software development. There are general best practices, but the difference between a good surgeon and a poor one is a small number of deaths. Malpractice insurance is high. Litigation is constant. And patients still die on the operating table. It's unclear what all the malpractice tort law actually gets you in the end.
ThrowawayR2 8 hours ago
> "Consider surgery instead of software development."

Is that really the analogy you want to use to bolster your argument? Licensing was forced on the medical profession because of rampant quackery causing a large number of deaths. Some of the horrors that went on before enforced medical licensing are well-nigh unbelievable, e.g. https://en.wikipedia.org/wiki/John_R._Brinkley
cortesoft 10 hours ago
> Only after, if it's clear I ignored obviously correct advice, should there be malpractice penalties.

In most of these cases, the companies involved did NOT follow standard security practices. I am pretty sure that is what people mean when they say "held responsible", they mean "held responsible for failing to follow standard security practices", not for the actual act of getting hacked.
9 hours ago
[deleted]
kelnos 8 hours ago
I agree that even if companies do everything right, they can still get popped. But most companies do not do everything right, and they should be legally responsible for those things. But even if they do everything right, is it really fair to let the companies just shrug their shoulders and say "it happens"? While their users are the ones who really get hurt.
dylan604 9 hours ago
> Consider surgery instead of software development. There are general best practices, but the difference between a good surgeon and a poor one is a small number of deaths.

I like this analogy, but deaths shouldn't be the leading indicator, just an indicator. Family member had a surgery with well-known procedures, say removing a gall bladder. Unfortunately, this surgeon skipped a step in lieu of setting a record for fastest procedure. Because steps were skipped, the gall bladder was not scooped into a net to avoid spilled gall stones, which resulted in stones spilling into the abdominal cavity, requiring numerous follow-up surgeries to remove the spilled stones as they made themselves known. So clearly not following accepted procedures should be a clear win in a malpractice case, yeah? Wrong. No doctor would testify against the surgeon and the case was dismissed. I feel like this is exactly how it would work in software security incidents as well.
harikb 10 hours ago
Well, you don't know how many more would have died if doctors and hospitals didn't care about their insurance going higher???
cortesoft 9 hours ago
I do wonder if that won't just end up INCREASING ransom-type attacks, though? If we increase the penalties for a company being hacked, you create even MORE incentive for hackers to try to break in, because if they succeed, they have a pretty big stick to threaten companies with when demanding a ransom payment - not only will the company have the negative effect of the data being leaked and the PR that accompanies it, they now know that if they don't pay and the attack becomes public knowledge, they face a big fine or other punishment. A company is much more likely to pay a big ransom if they know they are just going to end up paying that much or more in fines if they refuse the ransom and report the hack instead. If you take this route, and increase punishment for being hacked, you are making a pretty big bet that the main reason companies are hacked is because of poor security practices. I am not sure if that is true or not.
berti 10 hours ago
That is already happening in the EU [1][2]. Most of the world will catch up soon I suspect, with some notable exceptions.

[1] https://digital-strategy.ec.europa.eu/en/policies/cyber-resi...
[2] https://ec.europa.eu/commission/presscorner/detail/en/ip_22_...