The legal obligation to provide timely security patching and automatic updates

Abstract

Do you use Office 365 or Windows 10? How about GoDaddy to support your website? Has it been a while since you connected your iPhone to Wi-Fi instead of merely running off your data? Or is your Samsung phone more than 2 years old? Would it surprise you to learn that some of these products no longer receive security support or automatic updates? If so, you may be surprised to hear that you are being exposed to security risks, as many cyber incidences are the direct result of an absence of security patching and automatic updates. There are many reasons for this. Most companies provide security patches, but they are not always timely and many are not automated, requiring manual effort (often unbeknownst to consumers and businesses). Timely security patching is, upon discovery or notification of a security flaw in a system or product, the release of a security update within a reasonable time that patches and updates the security of a system—sometimes this is automatic, sometimes the security patch is merely a notification that you can and should patch your own system. A contributing factor to this is that there is no legal obligation to provide security support, let alone timely security support. This means that there is no legal requirement to patch known security vulnerabilities and bugs or issue automatic updates. This paper asks whether or not Australia should have a legal obligation to ensure timely security patching and require automatic updates by default in all consumer systems. Our conclusion: yes, it should, since many companies cannot be relied on to self-regulate and put their client’s security interests first, and the stakes in cybersecurity have become too high to continue with the status quo. We conclude by presenting our recommended pathway for legal reform.