Trial lawyers have watched with increasing interest in recent months as malicious computer viruses and worms -- all exploiting security flaws in Microsoft software -- have crashed computers and networks around the world. It is only a matter of time, they said, before the class-action suits against Microsoft start dropping.
The first came last week, filed in State Superior Court in Los Angeles, asserting that Microsoft engaged in unfair business practices and violated California consumer protection laws by selling software riddled with security flaws. The suit seeks class-action status. More such suits are anticipated.
The litigation, legal experts said, is an effort to use the courts to make software subject to product liability law -- a burden the industry has so far avoided and strenuously resisted.
"For a software company to be held liable would be a real extension of liability as it now stands," said Jeffrey D. Neuburger, a technology lawyer at Brown Raysman Millstein Felder & Steiner.
To date, software companies have sidestepped liability suits partly by selling customers a license to use their programs -- not actual ownership -- with a lengthy list of caveats and disclaimers. So the warranty programs offered by PC makers, for example, cover hardware but not software.
The industry has argued that software is a highly complex product, often misused or modified by consumers. Assigning responsibility for a failure, the argument goes, would be unfair to any single company.
Besides, software executives say, the industry is a fast-changing global business that is largely led by United States companies. Opening the industry up to product liability lawsuits, they say, would chill innovation and undermine the competitiveness of American companies.
Yet whether the software industry can remain beyond the reach of product liability is still not certain. The modern economy -- from office work to financial markets to power grids -- depends increasingly on software. And the trial lawyers are not the only ones who think software makers should face stronger incentives to create products that are more reliable and secure.
Outside of the courthouse, regulations and legislation may also be deployed to prod the industry toward more secure software. A report last year by a National Academy of Sciences panel, made up largely of computer scientists from universities and companies, included the recommendation that "policy makers should consider legislative responses to the failure of existing incentives to cause the market to respond adequately to the security challenge."
The debate over software liability seems certain to become more intense, computer security experts say, and some shift toward holding software makers responsible for defects may be inevitable.
"The broad issue is, as a matter of policy, do we want suppliers of products and systems that are critical to our economy to be able to absolve themselves of all liability," said Mark D. Rasch, a former federal prosecutor who is a senior vice president of Solutionary Inc., a computer security firm.
But class-action suits against Microsoft over security matters, legal experts say, will be hard-fought and difficult to win. Such cases are trying to break new ground in a way that recent class-action antitrust suits against Microsoft, for example, did not.
In the antitrust cases, the class-action plaintiffs filed in the wake of the landmark federal case that found the company was a monopoly that had repeatedly abused its market power. Microsoft has tried to settle its antitrust class actions, including agreeing to pay a $1.1 billion settlement in California earlier this year.
Microsoft, by contrast, has suffered no reverses in court that would establish any liability for flawed software. In the current case, it is conceding nothing. Microsoft issued a statement saying that developing the most secure software possible was a top priority for the company.
"This complaint misses the point," the Microsoft statement added. "The problems caused by viruses and other security attacks are the result of criminal acts by the people who write viruses."
The suit was filed by an experienced product liability lawyer, Dana B. Taschner, on behalf of Marcy Levitas Hamilton, a Los Angeles film editor, and other members of the proposed class.
The 19-page complaint is a broad-brush document arguing that Microsoft's Windows operating system, which runs 90 percent of all personal computers in the world, is poorly designed, flaw-ridden, and that the company ships software it knows is riddled with security flaws. The complaint adds that Microsoft's system for warning the public of security problems is so confusing and technically complex that it is of little use to the ordinary computer user.
Because of Microsoft's insecure software, the complaint asserts, Ms. Hamilton suffered identity theft -- someone obtained unauthorized access to her Social Security number and bank account information, which was stored on her computer.
Still, a big hurdle for class-action plaintiffs, legal experts say, will be the standard software license. It is what all computer users see and click to agree to -- even if they seldom read it -- when they start a new machine or load a new software program. For the plaintiffs to prevail, a judge will have to rule, in effect, that the software license is unenforceable or is overridden by another standard, like the "fit for intended use" rule that applies to most consumer products.
Class-action lawyers say they are confident that this standard will eventually be applied. "As a matter of policy, I think the courts will find that software companies have basic obligations to provide a product that does what it is supposed to do," said Terry Gross, a partner of Gross & Belsky, a firm in San Francisco. "And that the companies cannot avoid those obligations just because of the language in the license."
Copyright 2003 The New York Times Company