The question of whether software developers are (or ought to be) legally liable for bugs, errors, security vulnerabilities, or other defects in the software which they develop, and the extent to which they are (or ought to be) liable for the loss flowing from those defects, is not a new one and has been the subject of significant legal and academic debate since at least the 1980s. This article considers the liability of software developers in negligence and under the Australian Consumer Law (ACL), and also discusses whether insurance is available to offset these risks for the developer.
Liability in negligence
A customer who suffers loss or damage resulting from a defect in the software could bring an action in negligence against the software developer. Unlike liability for breach of contract, an action in negligence does not require a contractual relationship between the parties; therefore, the existence of an intermediary party (such as a retailer) does not prevent an action being brought against the software developer.
An action for negligence requires a plaintiff to establish the following elements:
- the existence of a duty of care;
- a breach of the duty of care; and
- loss or damage resulting from that breach.
Does a software developer owe their customers a “duty of care”?
There are numerous types of relationships, for example between a doctor and their patient, a school and its student, a parent and their child, and the manufacturer of a product and a user of the product, where it has been established by previous cases that one party owes the other a duty of care. These are known as “established duties of care”. There are currently no reported cases in Australia that establish a duty of care owed by software developers to end users of the software.
The lack of an established duty of care does not prevent a customer from bringing a claim in negligence against the software developer, but it does increase the burden of making such a claim. The customer would have to satisfy the Court that the software developer owed them a duty of care in these specific circumstances. This is often known as a “novel duty of care”.
Courts have been reluctant to recognise the existence of a duty of care in such cases of “pure economic loss”, due to considerations of public policy and fear of “opening the floodgates” and imposing liability in an indeterminate amount, to an indeterminate class of persons. Requiring some damage to the plaintiff’s person or to tangible property serves to limit the liability of potential defendants by constraining claims to a limited and ascertainable class of plaintiffs.
Nevertheless, there are arguments as to why the “floodgates” principle ought not to apply in the example situation. These include that the class of persons to whom the duty is owed would only be the customers, and that where the services provided to those customers are for economic matters, there is no reason in principle why the software developer should not be liable for economic losses which result.
How could a software developer “breach” their duty of care?
If it can be established that the software developer owed a customer a duty of care, the customer must then establish:
- what the software developer was required to do to discharge their duty of care (standard of care); and
- that the software developer’s conduct fell short of the standard of care.
In an action for negligence, the standard of care required of a particular software developer would be that of a reasonable software developer. In other words, to prove that the developer breached its duty of care, a customer would have to establish that the developer’s actions fell short of what a reasonable software developer would have done to ensure its software is free from defects.
What is required to meet the standard of care largely depends on what is the common practice in the software development industry in relation to software of this type. This may include:
- detailed testing of the software before commercial release;
- appropriate use of automated testing tools;
- having the source code of the software externally audited; and
- notifying customers who have been potentially affected by a defect in the software which the developer subsequently identifies and fixes.
The mere fact that the software contains a defect does not mean that the developer will have been negligent. If the developer took all the steps that a reasonable software developer in its position would have taken, it will have discharged its duty of care and will not be liable in negligence even if, despite having taken those steps, defects remain in the software. The more steps which the developer takes to detect and correct defects in the software, the less likely it is that it will be liable in negligence for any defects in the software.
Limitation of liability
If the software developer is in a contractual relationship with the customer, the parties can agree to limit or exclude their liability for negligence. Most software licence agreements provide that the licensor is not liable for negligence, or for any defects in the software whatsoever. In Australia, such a limitation would probably be unenforceable, either because it would exclude the licensor’s liability for breach of applicable consumer guarantees under the ACL (discussed below), or (at least in relation to customers who are individuals) because the limitation of liability was an “unfair contract term”.
Liability under the ACL
Part 3-2, Division 1 of the ACL contains numerous “consumer guarantees” which apply to the supply of goods and services to consumers. These consumer guarantees replace the “implied terms” which existed under the former Trade Practices Act 1974 (TPA).
Subject to exceptions, if a person acquires goods or services at a cost of $40,000.00 or less, the person acquires the goods or services “as a consumer” for the purposes of the ACL: s 7 ACL. Therefore, if customers acquire the relevant software for less than $40,000.00, then they will acquire it “as a consumer”.
There are some differences between the consumer guarantees which apply to “goods” and those that apply to “services”. For example, goods are subject to a consumer guarantee that they are of acceptable quality (see s 54 ACL), whereas services are subject to a consumer guarantee that they will be rendered with due care and skill (see s 60 ACL).
Consumer guarantee – goods of acceptable quality
Section 54 of the ACL contains a consumer guarantee that goods are of acceptable quality, which in this context will mean that they are as fit for all the purposes for which goods of that kind are commonly supplied, and as free from defects as a reasonable consumer fully acquainted with the state and condition of the goods (including any hidden defects of the goods) would regard as acceptable, having regard to:
- the nature of the goods;
- the price of the goods;
- any statement made about the goods on any packaging or label on the goods;
- any representation made about the goods by the supplier or manufacturer of the goods; and
- any other relevant circumstances relating to the supply of the goods.
This test is an objective one: are the goods as fit for purpose and free from defects as a reasonable consumer would regard as acceptable, having regard to the above matters? Goods are not required to be completely free from defects; they need only be as free from defects as a reasonable consumer would regard as acceptable.
A hypothetical analysis becomes difficult at this point, as much will depend on the exact nature and significance of the defect in the software. A “reasonable consumer” would be aware, at least on a conceptual level, that computer software can and does contain bugs, which can cause malfunctions, loss of desired functionality, data loss or corruption.
All that we can say with certainty at this point is that a defect in the software may result in the software not complying with the consumer guarantee of acceptable quality.
Consumer guarantee – services provided with due care and skill, and fit for purpose
If the software is “services” for the purposes of the ACL, rather than “goods”, then there is a consumer guarantee that the services will be rendered with due care and skill (see s 60 ACL), and also that the services are reasonably fit for any purpose that the consumer, by implication, makes known to the supplier (see s 61 ACL).
The standard of “due care and skill” is a common law negligence standard. If the software developer has been negligent in the development of the software, this consumer guarantee will not have been met. However, unlike a common law negligence action, it is generally not possible to contract out of liability for contravention of a consumer guarantee.
Recourse for failure to comply with consumer guarantee
If the software does not comply with either of the consumer guarantees discussed above, pursuant to sections 259(4), 267(4), 259 and 267 of the ACL, the customer may “recover damages for any loss or damage suffered by the [customer] because of the failure to comply with the guarantee if it was reasonably foreseeable that the consumer would suffer such loss or damage as a result of such a failure.” [emphasis added].
This liability cannot be excluded by contract. Attempts to do so are void under section 276 of the ACL, and may in and of themselves contravene the provisions of the ACL against misleading or deceptive conduct (see s 18 ACL); or the making of a false or misleading representation concerning the existence, exclusion or effect of any condition, warranty, guarantee, right or remedy (see s 29(1)(m) ACL).
A supplier or manufacturer can in some circumstances limit their liability to replacing or resupplying the goods or services, or paying the costs of having them replaced or resupplied pursuant to section 64A of the ACL. However, this only applies where the goods or services are “other than … of a kind ordinarily acquired for personal, domestic or household use or consumption”.
An aggrieved customer who claims to have suffered losses as a result of a defect in the software would need to establish that:
- they suffered that loss because of the defect (causation); and
- it was reasonably foreseeable they would suffer such loss or damage as a result of the failure (foreseeability).
Availability of insurance
Whether in relation to claims for negligence or under the ACL, a software developer’s position will be improved if it takes robust measures to test and debug the software, so as to detect and correct defects in the software before they have the opportunity to cause loss to customers.
Although this will make it less likely that a customer will win any legal action against you, it will not prevent them from commencing such action, and the costs of defending such action would be significant, and may not be recoupable from the customer if they are unsuccessful. That said, the cost of commencing legal proceedings is prohibitive for the average consumer.
For this reason alone it would be desirable to investigate some kind of “product liability” or “software liability” insurance which would, amongst other things, pay towards the cost of defending any action brought against you by a customer.
- A software developer may be liable to customers who have suffered loss or damage due to defects in their software; and
- there are measures which a software developer can take to reduce the likelihood that it will be liable for such defects.
Related articles by Dundas Lawyers
If you need assistance with any aspect of software contracts, please telephone me for an obligation free and confidential discussion.
Malcolm Burrows B.Bus., MBA., LL.B., LL.M., MQLS.
Legal Practice Director
Telephone: (07) 3221 0013 | Mobile: 0419 726 535
This article is not legal advice. It is general comment only. You are instructed not to rely on the commentary unless you have consulted one of our Lawyers to ascertain how the law applies to your particular circumstances.