My colleague Wayne Crews has a new paper out on cybersecurity. He argues that the insurance market for software risks should be allowed to develop, and that government mandates would hinder that development. He says:
Contractually driven approaches that treat liability as an evolving relationship should prevail over regulatory approaches that mandate liability, or at the opposite extreme, indemnify companies from liability when technologies fail.
From the executive summary:
We face unprecedented information security vulnerabilities in our hyper-networked, global economy. Leaving the path clear for private, technical, market, and contractual solutions, and avoiding governmental mandates that impede contractual liability and insurance markets, should take priority. Embracing legislation or mandates can mean locking in collective “solutions” that may be hard to correct, undermining information security rather than enhancing it.
Policymakers, along with the computing and infrastructure industries, should think carefully before implementing further federal regulation over risk allocation. The principle for cyber-risk allocation, as much as one can be defined, is that government’s protection function should not overburden the ability of markets to self-insure or self-protect via technology, contractual liability and insurance instruments. Although there is not always a bright line, government must better distinguish between proper public and private responsibilities in information security, and avoid dictates that interfere with these private alternatives as technologies or other conditions change. Interventionist approaches will create jealousies among players, and lead to a politically driven hodgepodge of liabilities and immunities. Uncritical government assumption of responsibility for network and critical infrastructure risks can roll back progress without contributing to information security, cybersecurity or even national security.