THE TORT OF NEGLIGENT ENABLEMENT OF CYBERCRIME

In reference to Izzat Al Faris's post titled 'The Food', I would like to further elaborate on one of the ways to solve this problem, which is through the proposed tort of negligent enablement of cybercrime. Firstly, let me correct him. It's actually a 60 page article by two prominent Professors namely; Michael L. Rustad and Thomas H. Koenig. It is not a case between them. They propose a new tort of negligent enablement which will hold software vendors accountable for defective products and services that pave the way for third party cybercriminals who exploit known vulnerabilities. In the present situation, the software industry has externalized the costs of making code safe for its intended environment of use onto its end users through one-sided mass market agreements. Moreover, computer users have no meaningful remedies for injuries such as the theft of personal data, computer viruses, or internet fraud enabled by software failure. The proposed negligent enablement tort fills the void left by the failure of contract law to give meaningful remedies for the unacceptably high levels of risk of computer intrusions due to defective software.

The public policy rationale for imposing secondary tort liability on software publishers who aid and abet cybercriminals is to reduce the rate of cybercrime. The proposed negligent enablement tort draws upon well established principles of the Uniform Commercial Code (UCC) Article 2. Article 2 > warranties, premises liability, and negligence-based product liability to construct a modified duty of care to produce safe software suitable for its environment of use.

This Article examines the elements of duty, breach, causation, and damages for the proposed negligent enablement tort as well as defenses, procedure, and possible policy-based objections. The number of detected software vulnerabilities has increased rapidly over the past decade.

In addition, the Federal Trade Commission estimated in 2003 that personal data from approximately ten million Americans was stolen that year, resulting in direct losses of $5 billion to consumers and another $48 billion in losses to the business community. This proposed way argues that a software vendor should be secondarily liable to consumers and other third parties for a new tort(the tort of negligent enablement of cybercrime)

Furthermore, courts should recognize a modified duty of care on the part of software licensors to incorporate reasonable security into their products and services. A claim of negligent enablement requires proof of the following elements:

(1) a duty of care owed by the software vendor to its customer;

(2) conduct below the applicable standard of care that amounts to a breach of that duty;

(3) an injury or loss;

(4) cause in fact; and

(5) proximate or legal cause.

Once the software publisher owes the licensee a legal obligation to conform to a reasonable standard of conduct, the question is whether the duty has been breached. Software vendors are the “cheapest cost avoider” because they have superior information about known or developing vulnerabilities in their products or services. The rapid pace of technological change has exposed a fundamental weakness in the civil justice system. With cybercrimes skyrocketing and an ever-increasing amount of sensitive information being exchanged on the internet, the development of robust and trustworthy computer systems is a necessity.

Thus, the new tort of negligent enablement brings good sense to software law for the millennium.