Symantec software snafu could set precedent

Symantec Corp.’s decision to compensate 50,000 users who lost their data via a faulty Norton antivirus update last month could set a precedent in how companies deal with software problems, Canadian technology executives said.

“It wouldn’t surprise me that if a similar problem arises in North America, that you’d see a similar type of remedy,” David Senf, analyst at IDC Canada, said. “It wouldn’t take the form of financial compensation, but it would take the form of free product for X period of time.”

Senf said that the Symantec snafu may give users in North America and Europe a point of reference when faced with similar issues in the future. “Users are going to be less forgiving when it comes to these types of faulty patches,” Senf said.

The situation began last month, when a software update to Chinese users caused Norton antivirus software to inadvertently identify two Windows XP files as malware and quarantine them. The mistake put tens of thousands of users face-to-face with the Blue Screen of Death. Following a flood of angry message board posts as well as two launched lawsuits, Symantec decided to provide a remedy. Symantec has offered affected consumers a 12-month Norton license extension and a copy of Norton Save & Restore 2.0. Business users can be eligible to receive Symantec Ghost Solution Suite licences, depending on how many PCs were affected.

In terms of Symantec’s legal responsibilities, experts said the company is protected by licencing agreements that governs the use of its products. “[The agreement says] they’re not going to make any promises that the operation of the software will be uninterrupted or that the software will be error-free,” Brock Smith, a partner at Vancouver-based Clark Wilson LLP’s Technology and Intellectual Property Practice Group, said. “It’s a balancing act that these companies have to do because they want to offer the software at a reasonable price, but at the same time, their not going to expose themselves to the economic risks of having a large lawsuit against them if something goes wrong.”

Smith said that because Symantec had no malicious intent, any legal action against the company would most likely be futile. He said that the one-year subscription Symantec is offering represents a move to save face rather than any onus on the firm to compensate users.

“Rather than hide behind the licence agreement, most of these companies are trying to do it in more of a PR exercise to make sure they maintain their customer base,” Smith said. “But, because of the significant loss here, I think this may just be the first round. They may find there’s pressure from the worldwide social network to do more than what they’ve done and it’s just a question of whether they’re going to dig their heels in.”

In order to keep customers happy, Symantec may have to roll out additional compensation packages, especially because of the company’s recent focus on the Chinese market.

“China is a very important market for them and they are really targeting it as their next growth area,” James Quinn, an analyst at Info-Tech Research Group, said. “It’s an underserved market space as far as their concerned and I can certainly understand their position given their stated intent there.”

Reports out of the Chinese news media have also indicated significant losses to small businesses. However, Symantec is not offering any monetary compensation or even a Norton extension for corporate customers.

“The message from Symantec is that if you use this product in your corporate environment and something went wrong – ‘we’re sorry, realistically, you shouldn’t have been using it in the corporate environment in the first place,’” Quinn said.

Michael Bolton, program chair at the Toronto Association of Systems and Software Quality, said that Symantec needs to take more responsibility at the testing level in order to prevent these avoidable problems.

“The question of negligence has to pass a reasonableness test and there are many ways of handling these things to reduce the risk of a problem cropping up,” Bolton said. “But, the real issue is that most companies trivialize testing and they turn it into a process of confirmation instead of investigation. If their processes were a little more investigatory, they would tend to identify problems more quickly.”

Related Download
A Guide to Print Security for Canadian Organizations Sponsor: HP
A Guide to Print Security for Canadian Organizations
IT security vulnerabilities are a growing cause for concern for organizations trying to protect their data from printer breaches.
Register Now