I like this proposal by Derek Bambauer and Melanie Teplinsky for imposing responsibility on software development:
As part of the National Cybersecurity Strategy, the Biden administration seeks to “develop legislation establishing liability for software products and services,” which would include “an adaptable safe harbor framework to shield from liability companies that securely develop and maintain their software products and services.” We propose that this software liability regime incorporate one safe harbor and one “inverse safe harbor.” The first would shield software creators and vendors from liability if they follow enumerated best practices in design, development, and implementation. The second—the inverse safe harbor, or sword—would automatically impose liability on developers who engage in defined worst practices. The safe and inverse safe harbors will provide certainty to regulated entities, reduce administrative costs, and create incentives for improving security. This article describes the twin safe harbors, their policy goals, and the key design criteria for their success. [Lawfare]
OK, so I don’t much care for the terminology. Positive ‘safe harbor,’ sure. ‘Inverse safe harbor’? No. How about ‘poison pill,’ ‘irresponsible,’ or ‘your greed blinds you to everything’?
I’ll think on it, yeah.