In 2015, hackers gained access to hundreds of millions of consumer data records housed in the databases and systems of American businesses, and the number of records stolen climbed even higher the following year. Though businesses spend billions of dollars each year on security software and systems to protect data from unauthorized disclosure, those systems often fail because of vulnerabilities in the software that hackers exploit. All but the simplest software contains some vulnerabilities, including coding errors. As previous legal scholarship has observed, one of the reasons “bad code” (i.e., code vulnerable to hacking) persists in the consumer market is that software vendors insulate themselves from accountability using contractual disclaimers of warranties and limitations on liability. One might expect, by way of contrast, that in the commercial market for software and, in particular, for security software, companies would demand that the vendor share responsibility in the event of a data breach. But this Article’s empirical analysis of end-user license agreements (i.e., agreements between the software vendor or developer and the software user) for such security products demonstrates a similar liability shield in the contractual terms. Therefore, companies cannot, or perhaps just will not, hold security software vendors accountable. The result is an unacceptable risk to consumers; this Article therefore proposes that regulators should reduce the risk by using unfair trade laws. Specifically, this Article recommends that if a security software vendor knows of a vulnerability in its code and fails to notify its licensees of that vulnerability, it should be charged with committing an unfair trade practice.