[Owasp-leaders] Developers, Software makers held liable for code?

Ludovic Petit ludovic.petit at owasp.org
Sat Feb 9 17:33:32 UTC 2013

Hey, I'm back on stage

After having thrown a stone in the water, I'll try to surf the waves ;-)

Well, in order for you to have a better understanding of what I'm talking
about, I would suggest to take a look at a couple of slides in my
presentation introduced at our Chapter Meeting. On the wiki, page OWASP
France, section Chapter Meeting 2013.


See slides 57-60, and 62-67 as reference.

Talking about *Evolution of the Legal Framework - Developers, Software
makers held liable for code?*, and the *Draft European regulation*:

Notify the national supervisory authority of violations of personal data
(Art. 30):
- everyone is concerned
- without undue delay
- if possible within 24 hours at the latest
- justification if more than 24 hours

Caution: The obligation also applies to subcontractors
- The contractor must notify the controller of any violation he knows of

The notification describes:
- nature of the data, number of people involved
- point of contact (person, contact details)
- mitigations
- consequences of the violation
- measures that have been taken to remedy

This was also argued at the Chapter Meeting by/with a friend of mine,
Thiébaut Devergranne, Lawyer.
The slide deck (in French, sorry) is available on his web site:

*Données personnelles : le nouveau projet de règlement européen*

I have discussed the topic with other lawyers specialized in ICT, and all
of them are saying that developers and software makers are liable for
code, and could be (really) held liable in case of hacking via an
application they've coded / supplied.

That's why, although legal aspects are neither the specialty nor the
purpose of the Foundation, it seemed important and interesting to me to do
this post, just for information for my peers at OWASP.

Indeed, and I personally fully agree in advance with all of you guys about
this first feeling, I do not think the developer as a person should be held
responsible, but from a legal standpoint, when hacking occurs, the
developer's responsibility is engaged because he is recognized, again from
a legal standpoint, as a subject-matter expert, and as such has a duty to
advise as well.

As we can see, this is a hot and complex topic, and I do not wish to be the
devil's advocate, so don't shoot the pianist please ;-)

Anyway, to keep it short - and this is my initial intent through this
(boring?) post - regulators tend to reinforce most legal frameworks to
focus on data privacy... through existing and evolving regulation, and this
is why I would modestly suggest keeping in the loop on such legal
developments, because nowadays the legal framework rules the technical means
required to be compliant.

Last but not least, take a look at the Call for Presentations: SnowFROC
2013 from Mark Major, a pity I can't make it:

*Legal track*

   - Liability related to web application security
   - Data ownership and privacy laws within the cloud
   - Cybersecurity and privacy legislation and regulation
   - Electronic discovery considerations, both traditional and in the cloud
   - Cybersecurity considerations related to law enforcement

I hope this helps anyway, and any comments are welcome.

Hello everyone!
