PCM

SOURCE:NET Computer Malpractice
Copyright (c) Cem Kaner. All rights reserved. This was originally published in Software QA, Volume 3, #4, p. 23.
Malpractice is a widely discussed type of lawsuit. Unfortunately, it is also widely misunderstood, with misinformation spread in private discussions, in the press, and in political discussions. For example, several people have insisted to me that software developers are sued “all the time” for malpractice. This is absolutely untrue. Depending on what you’re willing to count as a “computer malpractice” case, the number of successful computer malpractice lawsuits in the United States is between one (1) and five (5).
For the moment, computer malpractice is a losing lawsuit because to be sued for malpractice (professional negligence), you must be (or claim to be) a member of a profession. Software development and software testing are not professions as this term is usually used in malpractice law. Therefore, malpractice suits against programmers and testers fail.
Introduction: Definition of computer malpractice
A malpractice suit involves professional negligence. Computer malpractice involves professional negligence when providing computer-related services. In any negligence suit, the plaintiff must prove:
Duty. If you provide services to someone, you have a legal responsibility (a duty) to exercise reasonable care in providing the services. For example, if you provide consulting services, your duty is to take reasonable care to provide good advice. If you provide data backup and archiving services, your duty is to take reasonable measures to ensure that you copy the right data and that you keep it safe. HYPERLINK “http://www.badsoftware.com/malprac.htm” \l “1″ 1

Negligent breach of the duty. If you gave bad advice, you might or might not have been negligent. To prove negligence, the plaintiff has to show that no reasonable person in your situation would have given the advice that you gave. Similarly, if a data archiving service loses its client’s data, it has probably committed a breach of contract, but it might or might not have committed negligence. To prove negligence, the plaintiff would have to prove that the service didn’t take reasonable measures to safeguard the data.
Consider this example of software support advice. People call you when they have problems running their software. One day, you advise a caller that her problems come from an insufficiently-compatible video card. Actually, the caller has set one of the program’s display options incorrectly and replacing the video card won’t help. Have you committed negligence? Maybe. We can’t tell, just based on these facts, because we don’t know what a reasonable support advisor would have done.
Let’s add three facts. First, suppose that you have a database of common problems and this problem was in the database. Second, suppose that the caller’s description was specific enough that you would have easily found the problem (and the solution) in the database if you looked. Third, suppose that most software support providers would have used this database if they had it. This last point establishes a standard of care - most support advisors would have checked the database. If you don’t check the database, and you provide expensive bad advice, you can be accused of acting unreasonably.
Prevailing standard of care. The fundamental difference between an ordinary suit for negligence and a suit for malpractice lies in the definition of the prevailing standard of care. HYPERLINK “http://www.badsoftware.com/malprac.htm” \l “2″ 2
If someone sues you for ordinary negligence, they will compare your behavior to what any reasonable person would have done under the circumstances.
If they sue for malpractice, they will compare your behavior to what a reasonable member of your profession would have done. Professional standards are much higher and much better documented. (For example, they might be written down in ANSI standards documents.) Therefore, if you act negligently in a professional capacity, it will be easier to prove your negligence by comparing you to other professionals than by comparing you to any reasonably bright and careful person who might undertake to provide the services that you provided.
In complex situations, different reasonable people will collect and evaluate information very differently. This makes the plaintiff’s task difficult but the principle is the same. She’ll have to show that you didn’t approach the problem in any of the ways that reasonable people do, or that no reasonable person would have approached it in the way that you did.
History of computer malpractice suits
Few published court cases involve claims of computer malpractice. Of those that exist, most involve a brief statement by the Court that there is no such thing in the law as “computer malpractice.” Therefore, that aspect of the lawsuit is rejected and the Court moves on to discuss more interesting parts of the case. Here are the main American cases that discuss malpractice in detail.
The case of Chatlos Systems v. National Cash Register Corp. (1979) HYPERLINK “http://www.badsoftware.com/malprac.htm” \l “3″ 3 is the first important computer malpractice case. An NCR salesman did a detailed analysis of Chatlos’ business operations and computer needs, and advised Chatlos to buy NCR equipment. Relying on NCR’s advice, Chatlos bought a system that never provided several promised functions. Chatlos sued. NCR was held liable for breach of contract. In its Footnote 1, the Court discussed Chatlos’ claim of malpractice:
·ð T h e n o v e l c o n c e p t o f a n e w t o r t c a l l e d ‘ c o m p u t e r m a l p r a c t i c e ‘ i s p r e m i s e d u p o n a t h e o r y o f e l e v a t e d r e s p o n s i b i l i t y o n t h e p a r t o f t h o s e w h o r e n d e r c o m p u t e r s a l e s a n d s e r v i c e . P l a i n t i f f e q u a t e s t h e s a l e a n d s e r v i c i n g o f c o m p u t e r s y s t e m s w i t h e s t a b l i s h e d theories of professional malpractice. Simply because an activity is technically complex and important to the business community does not mean that greater potential liability must attach. In the absence of sound precedential authority, the Court declines the invitation to create a new tort.
This refusal to recognize the validity of a lawsuit for computer malpractice has been widely quoted.
The next interesting case was Invacare Corp. v. Sperry Corp. HYPERLINK “http://www.badsoftware.com/malprac.htm” \l “4″ 4 Invacare claimed that it had relied on advice of Sperry employees when it leased a Univac computer and sued for fraud, breach of contract, and negligence. Sperry argued that the negligence suit couldn’t succeed because there is no cause of action for computer malpractice. Bowing to the Chatlos decision, the Court agreed that there is no such thing as computer malpractice. But, the Court said, Invacare wasn’t claiming that Sperry’s acts constituted malpractice. Invacare’s claim was that the system was so inadequate for the job that no reasonable person would have recommended it. This is just a lawsuit for ordinary negligence, not professional negligence, and the Court allowed it to proceed.
In 1985, the Internal Revenue Service ruled that if a program goes beyond purely mechanical assistance in the preparation of a tax return, the author of the program is a tax return preparer. HYPERLINK “http://www.badsoftware.com/malprac.htm” \l “5″ 5 The IRS can fine a tax preparer who acts negligently, or particip a t e s i n f r a u d o n t h e I R S .
·ð W h e n a n i n d i v i d u a l o r a c o m p a n y s e l l s a s o f t w a r e p r o g r a m t o a c u s t o m e r t o a i d i n t h e p r e p a r a t i o n o f a t a x r e t u r n , I R S n o t e d , a c u s t o m e r m a y b e u n a w a r e t h a t t h e p r o g r a m i s i n c o m p l e t e o r i n a d e q u a t e a n d t h e r e f o r e m a y u s e i t t o c r eate an erroneous return.
If using the computer program results in an understatement of tax liability for the taxpayer, the software company may be subject to a penalty. HYPERLINK “http://www.badsoftware.com/malprac.htm” \l “6″ 6
This IRS ruling is not a malpractice ruling, but it addresses an important point in the larger area of professional misconduct, and it reflects a well accepted principle of malpractice. Someone who provides bad legal advice can be sued for legal malpractice whether they’re a lawyer or not. Someone who provides bad medical care can be sued for medical malpractice whether they’re a doctor or not. Someone who provides bad engineering while claiming to be a professional engineer can be sued for engineering malpractice, whether they are licensed as a professional engineer or not. The IRS ruling extended this principle to computer programs that provide professional services. I haven’t seen such a lawsuit yet, but it seems likely that a software company can be sued for legal, medical, engineering, architectural, or other malpractice if it claims to provide these professional services and provides them incompetently.
The recent case of State v. Despain (1995) HYPERLINK “http://www.badsoftware.com/malprac.htm” \l “7″ 7 illustrates the same point. A non-lawyer bought a computer program that printed legal forms. She helped clients fill out the forms. This was held to be the unauthorized practice of law. The Court carefully pointed out that the sale of computer software that merely contai n s ( a n d p r i n t s ) b l a n k l e g a l f o r m s i s n o t t h e p r a c t i c e o f l a w . B u t ( p . 5 7 8 )
·ð t h e p r e p a r a t i o n o f l e g a l d o c u m e n t s f o r o t h e r s t o p r e s e n t i n . . . c o u r t c o n s t i t u t e s t h e p r a c t i c e o f l a w w h e n s u c h p r e p a r a t i o n i n v o l v e s t h e g i v i n g o f a d v i c e , c o n s u l t a t i o n , e x p l a n ation, or recommendation on matters of law. Further, instructing other individuals in the manner in which to prepare and execute such documents is also the practice of law.
If your company provides a program that promises legal, medical, dental, architectural or other professional engineering services and advice, think carefully about what you provide and what your marketing materials claim that you provide. If your program appears to be providing professional services, your company might be sued not for computer malpractice but for legal or medical or dental (etc.) malpractice.
1986 brought the main case (I think it is the only case) that unambiguously recognizes a valid suit for computer malpractice. The Chatlos decision came in New Jersey and was followed in many other States. But laws do differ from State to State. This case, Data Processing Services, Inc. v. L.H. Smith Oil, Corp. (1986) HYPERLINK “http://www.badsoftware.com/malprac.htm” \l “8″ 8, was decided in Indiana. The Court stated that (p. 319):
·ð T h o s e w h o h o l d t h e m s e l v e s o u t t o t h e w o r l d a s p o s s e s s i n g s k i l l a n d q u a l i f i c a t i o n s i n t h e i r r e s p e c t i v e t r a d e s o r p r o f e s s i o n s i m p l i e d l y r e p r e s e n t t h e y p r e s e n t t h e s k i l l a n d w i l l e x h i b i t t h e d i l i g e n c e o r d i n a r i l y p o s s e s s e d b y w e l l i n f o r m e d m e m b e r s o f t h e t r a d e o r p r o f e s s i o n .
T h e C o u r t d e c i d e d t h a t t h i s p r i n c i p l e a p p l i e s j u s t a s w e l l t o c o m p u t e r p r o g r a m m e r s a s i t d o e s t o l a w y e r s , a r c h i t e c t s , b u i l d i n g c o n t r a c t o r s , e t c . I t t h e n u p h e l d a f i n d i n g o f l i a b i l i t y o n D P S ‘ p a r t b y n o t i n g t h a t ( p . 3 2 0 ) :
·ð ( a ) D P S r e presented it had the necessary expertise and training to design and develop a system to meet the needs of Smith; (b) DPS lacked the requisite skills and expertise to do the work; (c) DPS knew it lacked the skill and expertise; (d) DPS should have known Smith was dependent upon DPS’s knowledge and abilities; and, (e) DPS should have foreseen Smith would incur losses if DPS did not perform as agreed.
Diversified Graphics, Ltd. v. Groves (1989) HYPERLINK “http://www.badsoftware.com/malprac.htm” \l “9″ 9 was the next successful malpractice case. Diversified hired the accounting firm of Ernst & Whinney (E & W) to help choose a computer system. Diversified sued for professional negligence & won. In its appeal, E & W argued that Diversified had failed to define the professional standard of care or to show how E & W had violated the standard. Though the Court explicitly stated that this was a computer case (not an accounting case), it determined the standard of care from E & W’s own “Guidelines to Practice” which included management advisory practice standards that had been incorporated by the American Institutes of Certified Public Accountants (AICPA). It’s not a big stretch to hold an accounting firm liable for computing consulting malpractice when the proof of the malpractice is proof of failure to follow AICPA standards.
In 1991, Wang Laboratories was sued for negligence and gross negligence. HYPERLINK “http://www.badsoftware.com/malprac.htm” \l “10″ 10 Wang sold a computer and a service contract to Orthopedic & Sports Injury Clinic. While attempting to fix the computer, Wang’s employee used, and corrupted, the Clinic’s last backup disk, thereby losing five years of the clinic’s medical and accounting data. (Oops.) The contract limited the amount of damages that Orthopedic could collect from Wang, but Louisiana law (and many other States’ laws) allows the plaintiff to recover all damages if the defendant committed gross negligence.