In response to major cyber incidents traced to software security flaws, such as the SolarWinds supply-chain compromise, the Biden administration is preparing to hold software providers accountable for distributing products with security flaws that leave customers vulnerable to cyberattacks.
One of the administration’s objectives, as stated in its March 2023 National Cybersecurity Strategy, is to develop legislation to (1) shift liability for cyber breaches to software companies that “fail to take reasonable precautions to secure their software” and (2) prevent software companies “with market power” from fully disclaiming liability by contract.[1] The administration’s stated goal is to “drive the market to produce safer products and services while preserving innovation and the ability of startups and other small- and medium-sized businesses to compete against market leaders.”[2]
The administration plans to include a “safe harbor” that shields companies from liability if they take reasonable steps to “securely develop and maintain their software products and services.”[3] The safe harbor is expected to draw on best practices similar to those in the National Institute of Standards and Technology (NIST) Secure Software Development Framework[4] and to evolve over time as those practices mature. The stated aim is to give software developers a concrete incentive to follow secure-by-design principles and to test products before release, raising the baseline level of security for both consumers and businesses.
The administration intends to convert these proposals into legislation with the assistance of both Congress and the private sector. In the interim, software developers should consider evaluating and updating their products and should watch closely for the specific steps that will be needed to qualify for the safe harbor and reduce liability for cyberattacks. Entities purchasing software products should also pay attention, as they may gain a basis to seek compensation from software developers for losses caused by cyberattacks.
[1] National Cybersecurity Strategy, The White House, pp. 20–21 (Mar. 2023), https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf.
[4] See Karen Scarfone et al., Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities (NIST SP 800-218), NIST (Feb. 3, 2022), https://www.nist.gov/publications/secure-software-development-framework-ssdf-version-11-recommendations-mitigating-risk.