Both Jonathan Zittrain and I were interviewed for and cited in an article running in the Economist about computer viruses and liability, among other things. JZ is cited as saying that he thinks it’s unlikely that large software developers will be sued for buggy code that lets through viruses, in large measure because it could bankrupt a whole class of companies on whom our economy relies in part. To add to that idea, I’d be particularly against such a regime because it would almost certainly also establish too high of a barrier to entry to software markets for small software companies. They would have to price into their development costs far too much litigation risk, and/or insurance premium costs. No one wants that.
As for my comment that I could imagine a lawsuit against an organization that unknowingly but negligently transmitted a virus: I’m not saying such a regime would be a good thing (though some variant of it might have social utility, on balance) but rather that it might well happen. A few scenarios: 1. Consider a large organization, say a multinational corporation, does not install any virus-protection or other form of monitoring software for outgoing mail and hires someone, unknowingly but negligently, with a record of launching terrifying computer viruses on the world. That employee, using the organization’s network, sends a large number of infected messages outbound, and wreaks havoc. (Would your mind change if in this scenario #1 the organization were not a multinational corporation but rather a university, and the employee not an employee but a student?) 2. Imagine a board of directors, despite their fiduciary duty of care and despite fair warning from the company’s CTO, CIO and outside consultants, opting not to pay for a sensible upgrade to a computer network at a time at which computer viruses are particularly rampant, leaving the company network woefully unprotected against the onslaught. No regime of tort law will fix the computer virus problem, to be sure, and we shouldn’t look to it to do so. But we might well want a world in which the officers of companies in both scenarios 1 and 2 are in fact further incented to take reasonable steps to protect either the broader network or their own internal networks.