by pittsburgh 5463 days ago
It's going to work for about a year, then when there is a security failure the company will turn around, run git/svn blame, and sue the individual employee.

You bring up an interesting topic which is an extension of the first one. If the forces motivating a company to do the right thing are 1) desire to gain and not lose customers 2) desire to not be penalized by the government and 3) desire to not be sued, then what motivates an employee to also do the right thing? (I'm generalizing the question because this applies to so many things, but I'll switch back to talking about "building secure software" as a specific example of "doing the right thing".)

A software developer should be motivated to build secure code because of these motivators: 1) Desire to build or maintain a good reputation among peers 2) Desire to not get fired 3) Desire to protect employer from harm 4) Desire to protect customers from harm 5) Desire to just do things the right way for the sake of preferring good things over bad. (There's probably a more elegant way to phrase that last one, but it's like how an architect might fight against proposed changes to a blueprint for the sake of the building itself.)

To err is human, and companies are composed of humans. When a company hires a software developer, they are inherently taking on the risk that this human will make mistakes, so I don't think developers should be legally liable for bugs or vulnerabilities in their code unless they are incredibly egregious or intentional. It's the company's responsibility to anticipate the possibility of bugs and vulnerabilities, and to mitigate that risk by hiring good people, and by having good policies, procedures and training. (By having code reviews and conducting security audits, for example.)

I'm sure we're in agreement that developers shouldn't be sued for mistakes in their code, but whether or not they can be sued for honest mistakes is another question. I don't know what the law has to say about that, but if employees aren't already protected against lawsuits for non-egregious mistakes then that should be changed.

Hopefully the laws would be written so that when you post security best practices in your TOS and the customer does not follow them, the liability can be mitigated (e.g. don't reuse passwords on multiple sites).

I totally agree. Customers have to bear some of the responsibility as well.

Re: AT&T where are they going to go? T-Mobile?

My point exactly! Going back to the three motivators I mentioned for companies to do the right thing, AT&T knew it wouldn't lose a significant number of customers over the NSA spying issue because there's not much competition in their space. (That and apathy, unfortunately.) Also, they knew they wouldn't get penalized by the government for, well, forking data over to the government. That leaves the only viable option being to sue AT&T... except that power was taken away by retroactively granting AT&T immunity under FISA (http://en.wikipedia.org/wiki/Hepting_v._AT%26T). This is what makes the AT&T/NSA issue so upsetting. All motivations for AT&T and other telecoms to "do the right thing" have been taken off the table.