The legal obligation to provide timely security patching and automatic updates

Alana Maurushat, Kathy Nguyen

Research output: Contribution to journalArticlepeer-review

Abstract

Do you use Office 365 or Windows 10? How about GoDaddy to support your website? Has it been a while since you connected your iPhone to Wi-Fi instead of merely running off your data? Or is your Samsung phone more than 2 years old? Would it surprise you to learn that some of these products no longer receive security support or automatic updates? If so, you may be surprised to hear that you are being exposed to security risks, as many cyber incidences are the direct result of an absence of security patching and automatic updates. There are many reasons for this. Most companies provide security patches, but they are not always timely and many are not automated, requiring manual effort (often unbeknownst to consumers and businesses). Timely security patching is, upon discovery or notification of a security flaw in a system or product, the release of a security update within a reasonable time that patches and updates the security of a system—sometimes this is automatic, sometimes the security patch is merely a notification that you can and should patch your own system. A contributing factor to this is that there is no legal obligation to provide security support, let alone timely security support. This means that there is no legal requirement to patch known security vulnerabilities and bugs or issue automatic updates. This paper asks whether or not Australia should have a legal obligation to ensure timely security patching and require automatic updates by default in all consumer systems. Our conclusion: yes, it should, since many companies cannot be relied on to self-regulate and put their client’s security interests first, and the stakes in cybersecurity have become too high to continue with the status quo. We conclude by presenting our recommended pathway for legal reform.
Original languageEnglish
Pages (from-to)437-465
Number of pages29
JournalInternational Cybersecurity Law Review
Volume3
Issue number2
DOIs
Publication statusPublished - 2022

Open Access - Access Right Statement

This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Fingerprint

Dive into the research topics of 'The legal obligation to provide timely security patching and automatic updates'. Together they form a unique fingerprint.

Cite this