Comment by sunshine-o
20 hours ago
So insurance did not offer much before the CRA. They will probably develop this market but it is gonna cost a lot probably and will be complex and imperfect.
Of course an LLC ultimately protects you, but you have just multiplied by 10 or 100 the risk of blowing up your livelihood and that of your employees.
Those regulations are just a nightmare, with "no-fault" liability, a simplified burden of proof for the claimant, and are just very difficult to decrypt or apply to real-world situations in an evolving landscape.
So unless you are big and have legal resources to work on it people are probably not gonna bother or give up.
Anyway your costs and risks have exploded and you are still competing with let's say Microsoft Azure.
Have you talked to an insurer? Business insurance requires a customized quote.
You didn't really answer the question. Do you have a specific risk in mind, or are you only worried about the risk of a random fuckup which all businesses face?
Yes, so the problem is this is not about a random f-up. The CRA is full of buzzword concepts like "Cyber security by design", "Cyber security by default", "according to risks", which will be evaluated by the courts if you end up there.
Every piece of software you provide has to be secure, and if not you are liable for damage. So this is not just a random f-up, and we know how hard security really is in practice.
I also know that when you are a provider of software, most vulnerabilities and risks are usually requested/created by the client, who usually exercises pressure on you (especially if you are a small actor). It is often done in a sneaky manner, putting the provider in an impossible situation. You will need to document this the best you can, because now you are liable big time.
EDIT: What I mean is I understand they did that to force big manufacturers of IoT devices to care more about security. But if you are now a small provider setting up some customized software, you fall under the same rules.
Open source software is unsecure. It's neither secure nor insecure. Securing something means implementing policies like SSO and ACLs. That's not open source's job. Open source gives you a tool and it's your responsibility to secure the thing. It's not the responsibility of open source developers. It can't be. What they strive to do is to not ship something that's known to be insecure.
So in other words if you provide someone software and it sets their business on fire, you're liable to repay the value of the business you set on fire. Yes, this is how all business relations work. If I sell someone a mango that sets their business on fire I'm liable for that too. Not unique to software. No difference if it's a mango full of genetically modified bacteria that spontaneously combust after a certain time passes, or a server that sends network signals to turn the heating up to 1000 degrees. And in both cases the solution is don't do that.
So I want to know what specific risks you're worried about that are not present in literally 100% of business interactions. Or do you expect software to be exempt from the general principles of liability?