Enron-style IT breach will see vendors in court

26.04.2005
By Michael Crawford

IT providers will be forced to take greater responsibility for application breaches and poorly-designed software as local customers embrace an emerging trend which includes suing vendors.

In a forecast of future trends in the IT market, the head of the Unisys secure identification and biometrics practice, Terry Hartmann, warns the day is fast approaching where users will be able to sue vendors for releasing unsecured product.

He said the onus will be on providers to be more responsible for the products they provide that secure private information held by financial firms and credit card companies.

Initially, Hartmann said, it will happen in the U.S. but Australia will not be far behind.

"It is about a general level of responsibility," Hartmann said.

"If you looked at a contract with the government now there are chances they could sue a developer of an insecure product, but the average retailer would not have a contract that rigorous for an application developer - they need legislative backing for that level of risk.

"It is only a matter of time before an attack on a specific vendor's application or database product causes damage that leads the customer to sue the software provider for the consequences of the security breach."

Hartmann added that it will take a significant disaster to create the catalyst "in the same way Enron changed the scope of auditing in financial management".

However, at the network level, New South Wales State Library IT manager Saraj Mughal said it is still IT managers that are held responsible for security.

"Security is the responsibility of both the customer and the vendor. If users suffer breaches through applications, then that is where the vendor responsibility comes in," Muraj said.

"At the moment it is hard to prove; you need to keep a log of evidence.

"It will be much easier to prove as technology matures."

Peter James, joint IT manager at University of Technology Sydney, said he would love the opportunity to sue vendors, but has to be realistic. James said it would have to be a really bad breach to even consider taking a vendor to court.

"While we all like to bash vendors," he said, it would have to be a very serious breach, adding that the US is far more litigious.

National head of IP and technology for Gadens lawyers, Andrew Perry, said it all depends on how the product is used and the IT environment in which it is used.

"Increasingly, suppliers continue to tie performance and security with support and maintenance contracts - in this case an end user is much more likely to expect ongoing security support; I think taking a vendor to court is the last option a customer will follow," he said.