Lawsuits Against Software Developers and IT Specialists
People understand and may even accept that software in computers and mobile devices has glitches, failures and security holes. People have experienced the blue screen of death, corrupt files, slow applications, viruses and malware. This is just the way it is, right? Maybe not.
Companies are now asking the question: Should software developers and IT professionals have a duty to provide the public with better products and services?
With the recent wave of data breaches and the resulting costs, companies are looking for ways to recoup those monies by suing IT specialists, web designers, and software companies. With these lawsuits, we are seeing a developing body of law that holds cyber specialists to the same standard of care that typically applies to service providers such as doctors, lawyers, and accountants.
In 2015, Travelers Casualty and Surety Company of America sued Ignition Studio, Inc., a professional designer and servicer of websites.
In the Complaint, Travelers alleged that Alpine Bank hired Ignition to design and service the bank's website with the expectation that Ignition would exercise professional competence to protect the highly personal and private information of the bank's customers. Travelers alleged that Ignition negligently allowed one or more hackers to access the bank's website through lax Internet security on the server where the website was hosted. Because of the breach, the bank had to expend substantial funds to comply with data breach notification obligations. Alpine Bank made an insurance claim, which Travelers paid. Travelers then sued Ignition for the $154,711.34 that Travelers paid to Alpine Bank.
Within months of Travelers filing the lawsuit, the parties filed a stipulation of dismissal with prejudice, which suggests the parties settled the case for an undisclosed amount.
Recently, Lexington Insurance Company and Beazley Insurance Company sued the security services firm, Trustwave, for losses related to the 2008 hacking of US payment processing company, Heartland.
Lexington paid $20 million to Heartland while Beazley paid out $10 million to settle insurance policy claims.
The insurance companies are now attempting to recoup that money and allege that Trustwave was grossly negligent in failing to detect the SQL Injection attack, suspicious network activity, and malware associated with the Heartland breach.
The insurance companies claim that if Trustwave had complied with the applicable standard of care and performed the contracted services in a professional and workmanlike manner, it would have reported the presence of malicious code and malware in Heartland's networks before the breach.
According to the clerk's docket in Cook County, Illinois, this case is a "professional malpractice" action.
The lawsuit is ongoing.
Huge Jury Verdict
Although not related to a data breach, a California jury recently found that a software developer, Sparta Consulting, Inc., was liable for professional malpractice.
In 2011, an online vehicle auction company, Copart, Inc., hired Sparta to design and build its new online system. After three years of development, Sparta delivered an unfinished system that lacked critical functionality. Copart terminated the contract and in 2014 the parties sued each other.
In May of this year, the jury found that Sparta committed professional negligence and was liable for several million dollars. It is believed that this represents the first time a software developer has been held negligent in the capacity of a "professional," similar to a doctor or lawyer.
I represent professionals on a regular basis, and I have seen the definition of professional expand over the years. Traditionally, only doctors, accountants, and lawyers were considered professionals. Now, service providers such as insurance brokers, appraisers, and landscapers (to name a few) are held to the standard of care of a professional.
What does this mean? Other than professionals and children, people are held to the general negligence standard. The Florida jury instructions provide that:
Negligence is the failure to use reasonable care, which is the care that a reasonably careful person would use under like circumstances.
For professionals, the instructions are different. The instructions provide that:
Negligence is the failure to use reasonable care. Reasonable care on the part of a (identify professional) is the care that a reasonably careful (identify professional) would use under like circumstances.
So, in legal malpractice cases, the jury might be instructed that:
Reasonable care on the part of an attorney is the care that a reasonably careful attorney would use under like circumstances.
A reasonably careful attorney should not miss the statute of limitations, or any critical deadlines that will harm the client's case (a regular person might, however).
The question is what a reasonably careful professional would do or not do under similar circumstances.
How would this question apply to software developers and cybersecurity specialists? Would a reasonably careful software developer under like circumstances develop a program that is vulnerable to a data breach?
Oddly, the answer could be yes!
As governments, companies and consumers rely more on the Internet and functional (glitch-free) software, "professionals" developing the software are exposed to litigation and liability. Even if, at the end of the litigation, the professional is exonerated of all claims, there could be a huge attorneys' bill for defending the claims.
With that said, every professional should have a good professional liability policy (otherwise known as errors and omissions insurance) to defend the claims and pay attorneys' fees, and a good professional malpractice attorney who focuses on cyber law.