Suing Your Software

In the 13th century, pondering the question of whether a business could be sued, Pope Innocent IV concluded that such a pursuit was futile because, as inanimate objects, corporations could not feel the sensation of being punished. That concept found another voice in the 18th century when an English judge reportedly lamented the fruitless results of suing a corporation because it had “no soul to damn and no body to kick.” By the 19th century, however, as a growing number of workers were injured in an increasingly industrialized Europe, they were finally allowed to sue the corporations that employed them. Even then, the objects of lawsuits were not the companies that made the machinery that harmed workers, but the companies that owned and used the machines in their factories.

Similarly today, in a world that is thoroughly interconnected and utterly dependent on information technology, the likelihood, scope and impact of large-scale technology failures are increasing and with that the possibility of cataclysmic consequences. Flawed software can prevent a cardiac device from operating properly or cause an unstaffed commuter shuttle to derail, a stock exchange to collapse, or an entire municipal power system to shut down. The increased possibility of, and exposure to, such failures must inevitably lead to regulation of the software industry.

An industry cannot forever increase its reach and power without at some point accepting greater responsibility. The multitrillion dollar IT industry’s status of freedom from liability for consequences of product and service failure is historically unique and extraordinary – and it is nearing its end. In the United States and elsewhere, at least where life and limb are not involved, it is technology users, not providers, that are regulated and it is often the users and not the providers who become the targets of public ire when things go awry.

Technology providers have benefited as well from quickly settling lawsuits out of court to avoid unfavorable precedent setting; the reluctance of corporate users to “rock the boat” of their installed bases of IT; and also avoiding early steps towards a de facto IT industry “self regulation” of quality, such as Microsoft’s Trustworthy Computing initiative. But even these strong inhibiting factors will not prevent calls for eventual industry regulation as software failures increasingly disrupt ordinary people in their day-today activities. Calls for regulation will gather momentum as financial losses, injuries or deaths create public relations disasters. When major disruptions combine with episodes of widespread privacy invasions and total financial ruin of individuals, the march to IT regulation will be unstoppable.

However, straitjacket regulation will benefit no one. To effectively protect end users while enabling a robust IT industry, regulation must be carefully designed and implemented. First, a post-regulated IT world will deliver detailed documentation specifying a product’s precise capabilities and known limitations, thus making IT users much better informed customers. New revenue opportunities for IT and service providers will abound as “tiered” product offerings allow higher price points for enhanced qualities such as accuracy, error detection and correction, and certificates declaring suitability of purpose. Service providers that demonstrate superior handling of IT products or avail themselves of enhanced versions of IT products will be able to clearly differentiate their value position from that of their competitors.

For the IT industry, childhood is ending. Just as centuries went by with people believing corporations could not be sued, many still believe they will never see the day when IT companies will be regulated. These nonbelievers are hereby placed on notice: You have less than ten years to prepare.