Class-action lawsuit against HP for not disclosing vulnerabilities has huge implications
Time for software developers to accept their security responsibilities
Published 15:15, 12 December 11
On December 1, 2011, a class-action lawsuit was filed in the United States District Court for the Northern District of California against Hewlett-Packard, alleging violations of the California Consumer Legal Remedies Act (for injunctive relief) and the California Unfair Competition Law, based on the non-disclosure of a known security vulnerability (read the filing here).
Nature of the Action
- Plaintiff brings this action individually and as a class action against Hewlett-Packard Company (“Hewlett-Packard” or “HP” or “Defendant”) on behalf of all others who purchased a Hewlett-Packard printer (the “HP Printers”).
- The HP Printers suffer from a design defect in the software (which is also sometimes referred to as “firmware”) that is resident on the HP Printers, which allows computer hackers to gain access to the network to which the HP Printers are connected, steal sensitive information, and even flood the HP Printers themselves with commands that are able to control the HP Printers and even cause physical damage to the HP Printers themselves.
- Despite Defendant’s knowledge of the design defect in the software of the HP Printers, Defendant has failed to disclose the existence of the defect to consumers.
- As a result of the facts alleged herein, Defendant has violated California laws governing consumer protection.
Regulatory compliance mandates strong-arm organisations into implementing control after control, at a cost of billions of dollars annually, to compensate for inherent flaws, vulnerabilities and exposures in third-party software, yet the developers of that software remain largely unaffected by these punitive laws and regulations.
The argument against punitive or regulatory oversight of commercial software development organisations has primarily been that the costs the industry would incur would ultimately result in a significant reduction in innovation. I believe one could just as easily argue that the organisations that spend significant resources on implementing security and operational controls to compensate for inherent flaws in the third-party software they purchase are already experiencing a significant impact on their ability to innovate.
Do I think the burden of implementing security controls also needs to be carried by software developers? Absolutely!
Do I think we should look to government oversight, laws and regulations to force software developers to adopt security as part of the software development lifecycle? No, but what would be so wrong with something like PCI being completely rewritten so that software developers would have to adhere to a base set of security processes and tools if they want to sell their software to companies that process credit card transactions?
Either way, this lawsuit could be the catalyst that launches this discussion into the mainstream.