Professional Liability in Information Technology
By Robert A. Stines
We are in the Cyber Age. We rely on the internet and networked devices to engage in commerce, exchange information, and conduct business. Even legal professionals rely on the internet to eFile documents with courts, engage in eDiscovery, and conduct research. Information technology (IT) departments, or managed service providers, are now critical to the successes of almost all organizations, whether they are in the public or private sectors. Similar to our access to roads and electricity, our access to the internet and stored information is a critical component of modern infrastructure and commerce.
Our reliance on the internet and connected devices creates a companion reliance on IT technicians, software developers, and computer scientists. This raises the question: Should we consider individuals who specialize in IT as "service providers" with commensurate standards and expectations, or should we consider them "professionals" with all the obligations attendant to such a designation?
This is not simply an academic question. There are significant consequences to being considered a professional in a highly connected world that relies heavily on IT practitioners. Today, people are accustomed to technology products being rushed to market with glitches, security holes, and compatibility issues. But an IT professional may have a duty to provide the public with better products and services, which may include software that is more secure and not as vulnerable to data breaches.
To recover the costs associated with the recent wave of data breaches, companies are suing IT specialists, web designers, and software companies. With these lawsuits, a body of law is developing that holds IT specialists to the same standard of care that typically applies to professionals like doctors, lawyers, and accountants. Three recent cases highlight the shift:
In 2015, Travelers Casualty and Surety Company of America sued Ignition Studio, Inc., a professional designer and servicer of websites.
Travelers alleged Alpine Bank hired Ignition to design and service the bank's website with the expectation that Ignition would exercise professional competence to protect the highly personal and private information of the bank's customers. Travelers alleged Ignition negligently allowed one or more hackers to access the bank's website through lax internet security on the server that hosted the website. Because of the breach, the bank had to expend substantial funds to comply with data breach notification obligations. Travelers paid $154,711.34 on Alpine Bank's insurance claim; Travelers then sued Ignition.
Within months of Travelers filing the lawsuit, the parties filed a stipulation of dismissal with prejudice, which suggests the parties settled the case for an undisclosed amount.
Recently, Lexington Insurance Company and Beazley Insurance Company sued the security services firm Trustwave for losses related to the 2008 hacking of an American payment processing company, Heartland.
To settle Heartland's insurance policy claims, Lexington paid $20 million, and Beazley paid $10 million.
The insurance companies are now attempting to recoup that money from Trustwave, alleging Trustwave was grossly negligent in failing to detect the SQL Injection attack, suspicious network activity, and malware associated with the Heartland breach.
The insurance companies claim that if Trustwave had complied with the applicable standard of care and performed the contracted services in a professional and workmanlike manner, it would have detected the presence of malicious code and malware in Heartland's networks before the breach.
A California jury recently found that a software developer, Sparta Consulting, Inc., was liable for professional malpractice.
In 2011, an online vehicle auction company, Copart, Inc., hired Sparta to design and build its new online system. After three years of development, Sparta delivered an unfinished system that lacked critical functionality. Copart terminated the contract, and in 2014 the parties sued each other.
In May 2018, the jury found that Sparta committed professional negligence and was liable for several million dollars. It is believed that this represents the first time a software developer has been held negligent in the capacity of a "professional," similar to a doctor or a lawyer.
Traditionally, the term "professional" was reserved for lawyers, doctors, accountants, architects, and maybe clergy. The court system and insurance companies have expanded the term to include service providers such as insurance brokers, appraisers, and landscapers (just to name a few). To the extent individuals or companies provide a service in the IT field, they could also be considered professionals.
Some courts have decided that the designation "professional" requires a four-year degree. Other courts have stated that if the vocation requires a license from the state, then the practitioner is a "professional." There is also a body of law that suggests if the field requires years of practical experience, then the designation of "professional" is warranted.
But what are the implications of being considered a "professional"? For the purposes of a lawsuit, those implications are significant.
When a person or company is sued for negligence, the applicable standard is whether that person or company failed to use reasonable care, which is the care that a reasonably careful person would use under like circumstances.
For professionals, the standard is higher. Although it depends on the jurisdiction, reasonable care on the part of a professional is the care that a reasonably careful (insert title of professional) would use under like circumstances. For example, the reasonable care on the part of an attorney is the care that a reasonably careful attorney would use under like circumstances.
For IT professionals, the question becomes what would a reasonably careful IT specialist under like circumstances do? For example, would a reasonably careful IT specialist under like circumstances develop a program that is vulnerable to a data breach, or fail to patch software in a timely fashion, or overlook indications of a data breach, or ... The list is endless.
Where a reasonable person may not patch the software or identify the data breach, an IT professional probably should. Moreover, that IT professional would be liable for failing to do so. This is why being held to a professional standard has serious implications.
This question also bears on the concern that faulty software or information systems will eventually result in physical harm. The debate is most prevalent with the growth of IoT devices. The demand for IoT devices means more software, more lines of code, and even more bugs and vulnerabilities. As everything is connected to the internet - cars, trains, planes, traffic lights, etc. - there are more opportunities to compromise the technology through a breach. When an IoT device (such as a car or a train) is breached, we may see physical injury and mass hysteria. If such an event does occur, one of the issues will be whether the IT could have been better developed and managed. That is, would a reasonably careful IT specialist under like circumstances develop, or fail to manage properly, an IoT device that is vulnerable to such a breach?
As governments, companies, and consumers rely on glitch-free access to connected devices, the internet, and information, there is huge pressure on IT "professionals" to provide faster, better, more reliable services. Similar to how customers and clients sue their attorneys and doctors, we might see more litigation against those who provide IT services.