Singularity Law

The Information Technology Law Blog and Podcast by Professor Michael Scott

When is “Responsible Disclosure” Irresponsible?

This is not a new issue, but one that has been reignited by a recent hacker competition to break into supposedly secure computer systems. What is “responsible disclosure”? Well, consider the following scenario.

Don is a computer researcher who discovers a dangerous flaw in a popular computer operating system. Should he immediately disclose the vulnerability to the public so users of that operating system can take steps to protect themselves against it, or should he notify the vendor of the operating system and give them time to create a patch before disclosing it to the public?

Those who favor “responsible disclosure” say that the vendor should be notified first and the public should NOT be notified before the vendor has a fix. The thinking is that if the vulnerability is disclosed before a fix is available, hackers will exploit the vulnerability before there is a fix. But is that really “responsible”? The flaw in that position is the assumption that Don is the only one who is searching for, or will discover, the vulnerability before a fix is available. Yet we know that there are thousands of people employed by organized crime, foreign governments, and just plain hackers to find system vulnerabilities that can be exploited for monetary or political gain.

And how long should Don wait before he discloses the problem? What if the vendor can’t or won’t fix it in a timely manner? Is there a “reasonable” time after which Don should be able to tell the public of the problem? And who should decide what that reasonable period of time is?

From a legal point of view, since Don is under no duty to the public to disclose the vulnerability, whether he chooses to disclose or not disclose is not legally significant. However, what about the vendor, once it has notice? Can it sit on that information for an indefinite period of time before notifying its customers of the problem? Under product liability law there may be a duty to warn if a vendor learns of a problem with one of its products. If it fails to give notice, it may be held liable for the resulting damages caused. However, the economic loss rule (which says that a vendor is not liable for pure economic loss, as opposed to personal injury or property damage) generally insulates a vendor from liability even for its breach of the duty to disclose.

While numerous states now have data security breach notification statutes, which require a user of a computer system who experiences a data security breach to immediately notify any potentially affected party, such statutes place NO obligation on the vendor of the defective software to notify anyone.

If a vendor, knowing that there is a flaw in its software, does nothing, even with knowledge that its customers are suffering damages as a result of third parties’ exploitation of that flaw, is such failure to disclose the flaw “responsible”? For me the answer is no.
