For businesses, data privacy and protection have become an important aspect of everyday operations. Data breaches, such as those seen in the news at large companies including Target and Equifax, can result in costly regulatory compliance requirements and damage to a brand’s reputation. Businesses that wish to adopt data protection “best practices” need to be aware of the software their company uses and how that software could contribute to a disaster such as a data breach. A lack of proper policies and procedures governing the use and maintenance of software products can lead to serious consequences down the line.
First, what is Open Source Software?
Open Source Software is the byproduct of a movement in the software development community that wants software development to be an open and collaborative process. Anyone can access and edit the source code for open source software—source code is the text used by software developers to create and edit a program. Most commercial software products (or “proprietary software”) do not allow users to access or edit the software’s source code. Consumers that purchase a proprietary software product are usually required to sign or electronically “accept” a license stating that they will not copy, edit, or perform any other restricted actions to the software. For example, think of purchasing Microsoft Office (a proprietary software product), and the long list of restrictions in the license a user must accept in order to use the program. In contrast, open source software products usually have less restrictive licenses, and many open source software programs are free to use.
Open source software is usually free? That sounds great!
Open source software does have many benefits: it is often free to download, users can modify the software to fit their particular needs, and an extensive community of developers works on open source software programs. Many people use open source software without even knowing it, including popular programs such as WordPress and Mozilla Firefox. The open source community monitors for attacks and works to quickly fix and update open source software programs, but even this is not enough to mitigate all threats.
So, there are risks associated with using Open Source Software?
Yes. A misconception exists that, since open source software is usually free, there are no strings attached to using such software. In reality, open source software requires quite a bit of maintenance.
- Users need to monitor for announcements about security-related issues or updates to their open source software products. Open source software users who do not understand this responsibility, or who ignore notices and updates, make themselves vulnerable to hackers.
- Because of the open and collaborative nature of open source software, the source code is available to the public. This means that hackers can study the code and attempt to introduce malicious changes, or a well-meaning developer can make a mistake that a hacker later exploits.
- Users need to understand the open source software’s licenses and comply with any requirements. Failing to comply with an open source license can result in a lawsuit.
- Open source software typically does not offer warranties or indemnification, so any legal risk associated with using the open source software product traces back to the user.
Are there any examples of open source software leading to a data privacy or security issue?
Yes. A hacker can wreak havoc regardless of the type of software. The significant difference is that a company using open source software is responsible for vigilantly checking for any issues with the software and making fixes itself. A company using proprietary software, however, has access to the vendor’s customer support and security updates. Equifax’s historic 2017 data breach was traced back to a vulnerability in open source software it used. Equifax saw the notice about the software’s vulnerability and information about how to fix it, but left the problem unresolved for too long. Hackers noticed the open source software had not been updated and took advantage of this vulnerability to access the personal information (including social security numbers and addresses) of over 150 million U.S. citizens.
What can be done to mitigate the risks of using open source software?
Open source software can be a great resource for businesses, but it needs to be used properly. Hiring employees who understand all the requirements and risks associated with using open source software can be expensive, but a lawsuit or a security issue like a data breach could be even more costly. Businesses that use open source software should have policies and procedures that require all open source software usage to be tracked, all notices and updates to be monitored, any relevant changes or updates to be made correctly and quickly, and all license requirements to be complied with. At Gavin Law, our attorneys can help users understand licenses and license requirements as well as draft these crucial policies and procedures for employees.
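As an added illustration of the tracking-and-monitoring procedure described above (this is not code from the original post), here is a small Python check that compares an inventory of the open source components a business runs against published security advisories, flags any component still running a version below the advisory's fixed version, and reports how long the fix has been available against a patching deadline. All component names, versions, advisory ids and dates are constructed for the example.

```python
from datetime import date

# Constructed inventory of the open source components a business runs.
INVENTORY = [
    {"name": "web-framework", "version": "2.3.1", "owner": "app-team"},
    {"name": "image-lib", "version": "1.10.0", "owner": "app-team"},
    {"name": "db-driver", "version": "4.0.2", "owner": "data-team"},
]

# Constructed advisories, shaped like a project's security announcement.
ADVISORIES = [
    {"id": "EXAMPLE-2023-001", "name": "web-framework",
     "fixed_in": "2.3.5", "published": date(2023, 3, 1)},
    {"id": "EXAMPLE-2023-002", "name": "image-lib",
     "fixed_in": "1.9.7", "published": date(2023, 4, 10)},
    {"id": "EXAMPLE-2023-003", "name": "db-driver",
     "fixed_in": "4.1.0", "published": date(2023, 5, 20)},
]

def parse_version(text):
    """'2.3.1' -> (2, 3, 1), so '1.10.0' compares newer than '1.9.7'."""
    return tuple(int(part) for part in text.split("."))

def find_unpatched(inventory, advisories, today, max_days=30):
    """One finding per component below an advisory's fixed version;
    'overdue' means the fix has been available longer than max_days."""
    findings = []
    for item in inventory:
        for adv in advisories:
            if adv["name"] != item["name"]:
                continue
            if parse_version(item["version"]) < parse_version(adv["fixed_in"]):
                age = (today - adv["published"]).days
                findings.append({
                    "name": item["name"], "owner": item["owner"],
                    "running": item["version"], "fixed_in": adv["fixed_in"],
                    "advisory": adv["id"], "days_open": age,
                    "overdue": age > max_days,
                })
    return findings

def demo_findings():
    """Run the check against the constructed data as of a fixed date."""
    return find_unpatched(INVENTORY, ADVISORIES, date(2023, 6, 1))

if __name__ == "__main__":
    for f in demo_findings():
        status = "OVERDUE" if f["overdue"] else "open"
        print(status, f["name"], f["running"], "fix", f["fixed_in"],
              f["advisory"], f["days_open"], "days", "owner", f["owner"])
```

The image-lib entry is not flagged because 1.10.0 is newer than the fixed 1.9.7, which a plain string comparison would get wrong.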