…Brandon Pugh, policy director for cybersecurity and emerging threats at the right-leaning R-Street Institute and an international law officer in the U.S. Army Reserve, told SC Media he was skeptical about the utility of creating a new category of software liability around security, saying the mission may be righteous, but the reality of many software-enabled data breaches can be messy. With cyberattacks so prevalent, a poorly structured liability regime could allow bad actors to take advantage of that ambiguity to target good and bad companies alike.

“Ultimately, I’m all for having strong secure software. But at the same time, I do not want to see a new liability regime that’s created and exploited for financial reasons and potentially sets up companies for failure,” said Pugh in an interview. “Like we see so many other times when something is well-intentioned but unfortunately ambitious, individuals can use it for reasons that were not intended.”

As legislative counsel for the minority office in the New Jersey General Assembly, Pugh helped craft a bill that would have eschewed a private right of action to sue companies for data breaches in favor of a legal safe harbor for companies that could demonstrate their cybersecurity programs “reasonably conform” to established industry standards. It also would have allowed companies to get a (non-binding) assessment from the New Jersey Department of Law and Public Safety on whether their plan would qualify for liability protections.

The bill never made it through the General Assembly, but Utah, Connecticut and Ohio have passed similar legislation, and Pugh believes something like it could serve as a model for safe harbor in a national software liability regime…