A New Nominee As One of History’s Worst Bugs?

We didn’t start out paying attention to developments relating to Sony BMG Music Entertainment’s recent effort to restrict copying by including anti-piracy software on some music CDs. But events have spun out of Sony’s control, and the debacle just demands attention as an example of how not to manage risk, how not to handle public relations and generally how not to run your business.

The bad news has just kept stacking up, not only for Sony, but also for its affected customers.

· Wanting to prevent unauthorized copying, Sony has been adding restrictive software to some of its music CDs. Apparently about eight months ago it started using a new type of software created by a British company, First 4 Internet. The software would restrict the number of copies made. Sony reportedly shipped 4.7 million CDs with that software; Sony says about 2.1 million of those discs were sold.

When the disc is run in a computer, the software asks the user to accept a license agreement. It then installs itself onto the hard drive and makes itself invisible by telling the computer to hide from view any software whose name starts with “$sys$.” Presumably the purpose was to prevent computer users from removing or disabling the copy protection software. Critics say this is the kind of tactic used by those who create malicious software.

Once the news broke that Sony had done this and that the software created a security vulnerability, it didn’t take long for virus writers to begin adding those characters to the beginning of the names of existing viruses, so that the viruses would be hidden on a machine and would be more difficult for users, and even anti-virus software, to find and remove. The viruses of choice were capable of letting a third party take control of the affected computers.

· Sony announced it had temporarily suspended production of CDs with that software.

· Microsoft announced it would update its anti-spyware software to find and remove the cloaking portion of the software.

· Sony released a web-based uninstaller for at least part of the software. But security researchers soon alleged that under at least some circumstances the removal tool itself can open a “huge security hole” on a computer. According to reports, the uninstaller stays on a computer system after the uninstall, and it allows any web page to download and install code, without authenticating that the code is coming from Sony.

· Computer Associates decided the software was spyware because it was designed to send back reports on music listening habits of the computer user.

· Sony announced a recall of the original discs.

· Researchers discovered information indicating the flawed software had been installed on more than half a million computer networks in at least 165 countries.

· An official with the Department of Homeland Security, at a conference in Washington, D.C., sent a message to Sony and other companies: “It’s very important to remember that it’s your intellectual property – it’s not your computer.”

Referencing fears of an avian flu outbreak in the U.S., the official, Stewart Baker, said such an event would require remote access to be available to large numbers of the population, and “keeping the infrastructure functioning is going to be a matter of life and death, and we take it very seriously.”

Class action lawsuits were filed in New York and California. In Texas, the attorney general filed a civil suit against Sony seeking civil penalties of $100,000 per violation of that state’s Consumer Protection Against Computer Spyware Act.

Sony likely has the financial assets to withstand the problems created in this fiasco. Nonetheless, we wonder whether Sony and the contractor that developed the software, First 4 Internet, have insurance that will apply to the claims.

For Sony, insurance covering product recall would help.

For both Sony and First 4 Internet, coverage for liability stemming from use of their product might be helpful. General liability coverage probably would not be the best choice because of the likelihood of disputes over the absence of property damage or bodily injury. Other disputes could also arise, such as whether the events amounted to an “occurrence.”

Given the nature of the problems, errors and omissions coverage might be helpful for part of the financial losses suffered by third parties, but coverage issues there could focus on the fact that most policies are basically designed to cover negligence and exclude intentional acts. Most E&O policies also exclude cost of recall.