COMP.SEC.100, 4. Law and Regulation, 4.7 Tort
Tort
A tort is any civil wrong other than a breach of contract. Several such issues need to be considered in the field of cybersecurity, but the treatment in this section is fairly general. A cybersecurity professional may need to study in detail principles of liability, such as causation of damage and the allocation of liability, as well as the situations in which liability may arise, particularly negligence and product liability, which are discussed below. Liability relating to data protection, defamation and intellectual property is addressed separately in those contexts.
Negligence
Most legal systems recognise the idea that people have certain duties towards others in their actions. If a person fails to fulfil such a duty and causes harm, the victim often has the right to compensation. Product liability is one example and is discussed in the following section. The duty considered here is the more abstract one of care and its neglect.
How far does the duty of care extend?
Liability typically has several limitations, for example as follows: Liisa may owe a duty of care to Pekka only if
- Liisa and Pekka are in some way close to each other in time and space,
- Liisa can reasonably foresee that her actions or omissions may cause harm to persons in a position similar to Pekka and
- it generally appears fair and reasonable, with respect to these actions, that persons like Liisa should be responsible towards persons in a position similar to Pekka.
Although these criteria are expressed in abstract terms, several cybersecurity-related situations can be identified in which Liisa may fail in her duty of care. Below is an illustrative list of typical actors and the matters in which they have an evident duty of care. An interesting question arises when considering how far the duty extends, that is, who may be an injured party entitled to compensation (Pekka).
- Retailer
  - Secure handling of data read from a customer’s payment card at the point of sale.
- Email service provider
  - Management of security in email servers and related services.
  - Selection of security mechanisms to be deployed.
- Business enterprise
  - Management of cybersecurity both in the company’s IT operations and in operational processes (e.g. manufacturing).
  - Selection of security mechanisms to be deployed.
- Web service software developer
  - Implementation of standardised cryptographic protocols.
- Trust service provider
  - Registration of the identity to be bound to a certificate.
  - Issuance of certificates.
  - Maintenance of the trust infrastructure.
- Web browser developer
  - Selection of root certificates installed in the browser.
The case of the retailer is fairly clear. In the case of email services, one may ask whether responsibility extends to persons mentioned in an email message. Does the liability of a business enterprise extend to third parties who have no direct relationship with the company but are attacked by a hacker through the company’s network due to neglected security? An even broader group of potential victims may arise from failures in several of the matters further down the list above.
It is evident that compensation will never suffice for everyone. As the harms caused by different types of cybersecurity negligence become increasingly foreseeable, it is likely that legislators or courts will interpret the duty of care as extending to a progressively wider group of victims.
What is reasonable?
A failure by Liisa leading to tort requires that she should reasonably have taken care of the matter. Determining reasonableness resembles risk analysis. In both, one considers the probability of an adverse event (P), the magnitude of harm (H), and the cost of precautions (K). Assuming these could be determined, it would be reasonable—or at least rational—for Liisa to fulfil her duty if the expected harm H × P exceeds K. In that case, the cost of precautions would be lower than the expected value of potential compensation.
In practice, such a mathematical calculation provides only a conceptual model for what can reasonably be required. In cybersecurity, the threshold of what is considered reasonable shifts as standardisation and regulation develop. Standards and best practices in the field offer guidance on how well security should be maintained, and these may influence judicial interpretation.
In addition to the aforementioned “good practices”, reasonableness in cybersecurity could also be assessed directly based on the nature of the harm. A simple example is a researcher developing a new type of virus that escapes into the Internet. Beyond defining the level of reasonableness, “good practices” or “clear harms” may, in some legal systems, become evidentiary rules that partially or wholly shift the burden of proof from the victim to the party causing the harm. To avoid liability, the latter would then need to demonstrate that their actions met what is reasonably expected—for example, in accordance with standards.
Interpretation of harm evolves
It should be recalled that the above framework for “fault analysis” does not apply to obligations based on contract.
The interpretation of both the duty of care and reasonable or rational behaviour may vary significantly between states. This is not surprising, as both concepts are social constructs based on the culture prevailing in a particular society at a given time.
The interpretation of the duty of care has generally expanded over the past century. The increasingly complex and interconnected nature of human activity continues to increase the likelihood that one person’s actions harm others. Likewise, the interpretation of what is “reasonable” has generally moved towards requiring more care, not less. These interpretations can be expected to continue evolving over the course of a single career, especially as cybersecurity harms become more predictable, more understandable, and easier to prove through new forensic methods.
It is also worth recalling that harmful acts committed in one state may be assessed according to the interpretations accepted in another, more demanding state (cf. jurisdiction).
Product liability
In many industrialised countries, legislation introduced in the latter half of the twentieth century imposed liability on manufacturers for defective products. Earlier interpretations generally held that computer software as such did not fall within the definition of a “product” under such laws. Nevertheless, under the Product Liability Act (in Finland 684/1990), a defect in a software component may be the cause of a defect in the product into which it has been incorporated. This type of liability arising from cybersecurity issues is likely to increase as physical control devices become increasingly connected to remote information systems.
A product connected to cyberspace may be, for example, an autonomous vehicle, an industrial control system, a pacemaker, a fly-by-wire vehicle, or a remotely controlled home thermostat. Product liability may arise in cases of personal injury or property damage, regardless of whether the defect is due to an error in functional decision-making or in cybersecurity. The former could occur, for example, if a vehicle veers into oncoming traffic after misinterpreting road markings. The same physical accident would be a consequence of cybersecurity failure if a poorly implemented authentication system allowed a hacker to modify control commands. A similar situation could occur in a fly-by-wire system, and in other examples cybersecurity failure might take the form of a hacker opening dam floodgates or setting a home thermostat to a dangerous temperature.
It was not until 2018 that the European Commission openly asked (Liability for emerging digital technologies) to what extent digital products should be defined as products under product liability law. Subsequently, the EU Product Liability Directive (PLD, from 1985) was revised. The revision entered into force at the end of 2024 and must have been transposed into national legislation by the end of 2026. Under the new PLD, software, artificial intelligence systems, cloud services, and digital manufacturing files fall within the scope of product liability. Product liability no longer applies only to manufacturers; importers, distributors, and service providers may also be held liable. Inadequate cybersecurity, including an unpatched vulnerability, may give rise to liability, but only if actual damage has occurred (as with the PLD more generally, although mental health is now also included). Damage is now interpreted, unlike before, to include the corruption or loss of data, provided that the data is not used exclusively for professional purposes (a similar limitation applies in the PLD to other types of property). Other directives and regulations, particularly the Cyber Resilience Act (CRA), are relevant in situations where damage has not yet occurred (see another section).