Comment by brendanyounger
12 hours ago
I'll never understand this point of view. If someone would please explain how to create perfectly secure software, I will gladly start writing perfectly secure software. Only after, if it's clear I ignored obviously correct advice, should there be malpractice penalties.
Consider surgery instead of software development. There are general best practices, but the difference between a good surgeon and a poor one is a small number of deaths. Malpractice insurance is high. Litigation is constant. And patients still die on the operating table. It's unclear what all the malpractice tort law actually gets you in the end.
> "Consider surgery instead of software development."
Is that really the analogy you want to use the bolster your argument? Licensing was forced on the medical profession because of rampant quackery causing a large number of deaths. Some of the horrors that went on before enforced medical licensing are well-nigh unbelievable, e.g. https://en.wikipedia.org/wiki/John_R._Brinkley
> Only after, if it's clear I ignored obviously correct advice, should there be malpractice penalties.
In most of these cases, the companies involved did NOT follow standard security practices.
I am pretty sure that is what people mean when they say "held responsible", they mean "held responsible for failing to follow standard security practices", not for the actual act of getting hacked.
> Consider surgery instead of software development. There are general best practices, but the difference between a good surgeon and a poor one is a small number of deaths.
I like this analogy, but deaths shouldn't be the leading indicator just an indicator. Family member had a surgery with well known procedures, say removing a gall bladder. Unfortunately, this surgeon skipped a step in lieu of setting a record for fastest procedure. Because steps were skipped, the gall bladder was not scooped into a net to avoid spilled gall stones which resulted stones spilling into the abdominal cavity requiring numerous follow up surgeries to remove the spilled stones as they made themselves known. So clearly not following accepted procedures should be a clear win in a malpractice case, yeah? Wrong. No doctor would testify against the surgeon and the case was dismissed. I feel like this is exactly how it would work in software security incidents as well.
> this surgeon skipped a step
That was the foundational premise of Dr. Atul Gawande's book The Checklist Manifesto, an expansion of his article The Checklist in The New Yorker [0]
[0] https://www.newyorker.com/magazine/2007/12/10/the-checklist
I agree that even if companies do everything right, they can still get popped. But most companies do not do everything right, and they should be legally responsible for those things.
But even if they do everything right, is it really fair to let the companies just shrug their shoulders and say "it happens"? While their users are the ones who really get hurt.
Well, you don't know how many more would have died if doctors and hospital didn't care about their insurance going higher???