Hacker News
by pittsburgh 5463 days ago
I hold an unpopular opinion that lawyers and lawsuits are a great way to motivate companies to "do the right thing", where in this case the "right thing" we're talking about is protecting customer data.

Another great motivator for doing the right thing is knowing that customers will vote with their wallets. Unfortunately this isn't always a strong enough motivation because some markets don't have enough competition, or the cost and hassle of changing the companies you do business with is too high. (Don't you wish customers had left AT&T in droves over the NSA spying ordeal?)

That's where another force comes into play, which is government regulation. I lean libertarian, and although I think some regulation is an absolute necessity (especially on environmental issues) my preference is to have the least amount of regulation necessary. That brings us back to the attorneys. When a company like Sony screws up and exposes their customers' data, I'd rather see them get their pants sued off than have the government step in and regulate. Fear of being sued is a much more compelling reason to "do the right thing" than fear of breaking a law, which might only get you a slap on the wrist.

Do frivolous lawsuits exist? Yes, and they piss me off like the next person. Do scumball attorneys exist? Yes, and I hate them like you do. Ironically, I think some of this problem could be solved with new laws, but I haven't really thought about it enough to be more specific. (Maybe something along the lines of the loser having to pay the other side's legal fees, but I can also argue against that from ten angles. I really haven't spent enough time thinking about how to minimize frivolous lawsuits to feel like I can say anything intelligent about it, other than to say that I bet something can be done.)

Anyway, my point is that companies have different forces that can/should/do motivate them to provide data security, and the threat of lawsuit is an excellent one, right up there with fear of losing customers and fear of government regulation. Too much of any one of these forces is bad, but we wouldn't have a healthy mix without attorneys and their lawsuits.

1 comment

It's going to work for about a year, then when there is a security failure the company will turn around, run git/svn blame, and sue the individual employee. Hopefully the laws would be written so that when you post security best practices in your TOS and the customer does not follow them, the liability can be mitigated (e.g. don't reuse passwords on multiple sites).

Re: AT&T, where are they going to go? T-Mobile?

It's going to work for about a year, then when there is a security failure the company will turn around, run git/svn blame, and sue the individual employee.

You bring up an interesting topic which is an extension of the first one. If the forces motivating a company to do the right thing are 1) desire to gain and not lose customers 2) desire to not be penalized by the government and 3) desire to not be sued, then what motivates an employee to also do the right thing? (I'm generalizing the question because this applies to so many things, but I'll switch back to talking about "building secure software" as a specific example of "doing the right thing".)

A software developer should be motivated to build secure code because of these motivators: 1) Desire to build or maintain a good reputation among peers 2) Desire to not get fired 3) Desire to protect employer from harm 4) Desire to protect customers from harm 5) Desire to just do things the right way for the sake of preferring good things over bad. (There's probably a more elegant way to phrase that last one, but it's like how an architect might fight against proposed changes to a blueprint for the sake of the building itself.)

To err is human, and companies are composed of humans. When a company hires a software developer, they are inherently taking on the risk that this human will make mistakes, so I don't think developers should be legally liable for bugs or vulnerabilities in their code unless they are incredibly egregious or intentional. It's the company's responsibility to anticipate the possibility of bugs and vulnerabilities, and to mitigate that risk by hiring good people, and by having good policies, procedures and training. (By having code reviews and conducting security audits, for example.)

I'm sure we're in agreement that developers shouldn't be sued for mistakes in their code, but whether or not they can be sued for honest mistakes is another question. I don't know what the law has to say about that, but if employees aren't already protected against lawsuits for non-egregious mistakes then that should be changed.

Hopefully the laws would be written so that when you post security best practices in your TOS and the customer does not follow them, the liability can be mitigated (e.g. don't reuse passwords on multiple sites).

I totally agree. Customers have to bear some of the responsibility as well.

Re: AT&T, where are they going to go? T-Mobile?

My point exactly! Going back to the three motivators I mentioned for companies to do the right thing, AT&T knew it wouldn't lose a significant number of customers over the NSA spying issue because there's not much competition in their space. (That and apathy, unfortunately.) Also, they knew they wouldn't get penalized by the government for, well, forking data over to the government. That leaves the only viable option being to sue AT&T... except that power was taken away by retroactively granting AT&T immunity by FISA (http://en.wikipedia.org/wiki/Hepting_v._AT%26T). This is what makes the AT&T/NSA issue so upsetting. All motivations for AT&T and other telecoms to "do the right thing" have been taken off the table.