Lawsuit Raises Fear of Greater Liability Exposure for ISVs
Corrected: June 7, 2010
by Alex Woodie
The importance of software quality and the potential liability for functional flaws and security vulnerabilities was on full display last month when a judge in the United Kingdom ordered a software company to compensate a former customer for the business costs of a failed implementation of a hotel management system. The judge basically overturned the limited liability clause of the vendor's license agreement--a move that software quality experts and industry analysts say could herald a new wave of litigation and a push to certify applications.
The trouble for Kingsway Hall started soon after going live with Red Sky IT's Windows-based software in late 2006. The biggest problem was the reservation system's inability to accurately track which of the four-star hotel's 170 rooms were available, requiring the hotel to do this manually, which took a toll on the hotel's revenue. Group bookings also posed a problem, as did mini bar charges. Finally, the system would freeze at least once per day on each client, which required the hotel to reboot the clients frequently, taking up more staff time.
In his decision, Judge Toulmin, a member of the Technology and Construction division of the Royal Courts of Justice, stated that "the system was never fit for the purpose for which it was sold," and mandated that Red Sky IT compensate Kingsway Hall to the tune of about £111,000, or $160,000 at current conversion rates. A good percentage of this judgment was for Kingsway's lost profits, additional staff time required to maintain room availability, and wasted expenditures related to the software, according to the written judgment, which can be read at www.bailii.org/ew/cases/EWHC/TCC/2010/965.html.
What is striking about this case is that the judge basically threw out Red Sky IT's end user license agreement (EULA). Most EULAs, including Red Sky's, contain liability clauses that limit the damages an ISV legally must pay to the cost of the software and related fees. But in this case, the judge granted the plaintiff damages for lost profits and other impacts the failed hotel management system had on the hotel's business--an unusual move that experts say could open the kimono on EULAs around the industry.
Roger Oberg, senior vice president of marketing at Veracode, says this ruling could mark a milestone in how courts around the world enforce EULAs.
"It's kind of surprising that it's lasted this long, the blanket indemnification that we get out of our EULAs," Oberg tells IT Jungle. "Gartner predicted this would happen in 2007. They said as organizations increasingly become reliant on commercial software for core business processes, that these complete blanket agreements of indemnification would be litigated and software companies would be held more accountable. They see this as a trend and [the Kingsway case] an indicator of the trend, and frankly so do we."
While the Kingsway case revolved around whether Red Sky's software functioned as advertised, Oberg sees the issue evolving to include security, which could potentially be a much more expensive proposition.
"Start pulling on that string and you get to a much scarier place, for customers and software suppliers," Oberg says. "For customers, security breaches could be potentially far more damaging than failure to perform the function that software was implied to do. The damage from being egregiously hackable could determine the fate of the business."
Imagine, for a minute, if Microsoft could be held to account for all of the damage caused by security vulnerabilities within its products. That number--let's call it a google for lack of a better term--would make BP's liability exposure for the Gulf of Mexico oil spill, by comparison, look like chump change.
Obviously, there has to be some kind of balance, Oberg says. "If every software company was held in an unlimited way liable for security breaches or functional failures, you'd shortly see a demise in the number of people writing software for commercial purposes. There has to be some point here where accountability balances with economic viability," he says.
For this reason, the limited liability clause in EULAs must remain, but vendors need to take additional action if this is to be the case. "I believe the industry is going to need to look to things like certifications, which suggests that they've applied some due diligence to the effort to make sure that the software is of sufficient quality. That's where we come in," Oberg says.
Veracode is one of a handful of companies that provides security testing for other ISVs and grants its own certification mark for applications that have passed the company's tests. The company offers three types of application testing, including static binary testing, dynamic Web application testing, and targeted penetration testing, to ensure that modern C, C++, Java, ColdFusion, PHP, and .NET applications don't contain any of the most well-documented vulnerabilities, as well as some not-so-obvious problems.
System i software vendors that write in RPG and COBOL are generally not as susceptible to security problems as their "open systems" brethren. (In terms of functional problems, it's probably a wash, despite the fact that many in the AS/400 industry believe RPG to be the world's greatest business application programming language.) There are a number of reasons for the improved security posture of the AS/400 architecture, including the closed-loop nature of i/OS security, the monolithic nature of legacy development models, and the lack of visibility that i/OS systems and applications have to the outside world.
But as soon as i/OS ISVs start incorporating any of the above-mentioned languages into their modernized applications--especially if they're using third-party component libraries and integrating them using service-oriented techniques--then their potential exposure suddenly jumps up a notch.
"The court case suggests that perhaps the pendulum is swinging, and accountability may be the watchword, if you will, for software companies in the future--both for security and functional performance," Oberg says.
The Kingsway ruling could be an aberration. But with thousands of hungry lawyers around the world looking for any chink in the armor protecting the deep pockets of the titans of high-tech, that possibility may not be worth betting on. In any event, it's something to keep an eye on.
This article was corrected. Roger Oberg's name was misspelled. IT Jungle regrets the error.