Vendors also argue that some consumers may prefer products with little security, but the prevalent lack of consumer understanding of the choices casts doubt on this explanation for the weak market.


For example, rope manufacturers use a system of standardized strength ratings, since one cannot tell at the point of manufacture whether a rope will be used to tie packages or to suspend objects. Of course, some highly specialized rope, such as climbing lines, carries extra assurance, which comes with added cost.


Michael Agranoff observes, "Such standards would not eliminate computer abuse, especially by 'insiders'; they would not eliminate computer-related negligence. They would, however, provide a 'curb on technology,' a baseline from which to judge both compensation for victims of computer abuse and the efficacy of measures to combat computer crime" (Agranoff, 1989, p. 275).


The terms and conditions governing the acquisition of operating-system and off-the-shelf software have many of the attributes of an adhesion contract (although whether there is a contract at all is open to debate). An adhesion contract is a standardized contract form offered on a "take-it-or-leave-it" basis, with no opportunity to bargain. The prospective buyer can acquire the item only under the stated terms and conditions. Of course, the "buyer" has the option of not acquiring the software, or of acquiring a competing program that is most likely subject to the same or a similar set of terms and conditions, but often the entire industry offers the item only under a similar set of terms and conditions.


The UCC upholds express warranties in Section 2-313. An express warranty is created when the seller affirms a "fact or promise, describes the product, and provides a sample or model, and the buyer relies on the affirmation, description, sample, or model as part of the basis of the bargain." By their very nature, express warranties cannot be disclaimed. The UCC will not allow a vendor to make an express promise that is then disclaimed. Language that cannot be reasonably reconciled is resolved in favor of the buyer.


Most recently, Logisticon, Inc., apparently gained telephone access to Revlon, Inc.'s computers and disabled software it supplied. Revlon, claiming dissatisfaction with the software, had suspended payments. While Logisticon argued it was repossessing its property, Revlon suffered a significant interruption in business operations and filed suit (Pollack, 1990).


Although it would be inequitable to impose liability for clearly unintended uses in unintended operating environments, a vendor should not escape all liability for breach of warranty simply because a product can be used across a wide spectrum of applications or operating environments.


That superior knowledge is an argument for promoting the technical steps discussed in the section titled "Consumer Awareness," such as shipping systems with security features turned on.


The Customer Warning System involves a point of contact for reporting security problems; proactive alerts to customers of worms, viruses, or other security holes; and distribution of fixes.


The Foreign Corrupt Practices Act is one step toward linking accounting and information security practices; it requires accounting and other management controls that security experts interpret as including computer security controls (Snyders, 1983). Also, note that an effort is under way on the part of a group of security practitioners to address the affirmative obligations of corporate officers and directors to safeguard information assets (personal communication from Sandra Lambert, July 1990).

The National Academies of Sciences, Engineering, and Medicine

Copyright © National Academy of Sciences. All rights reserved.