Is a Product Manager responsible for preventing corporate identity theft?

As product managers, we are responsible for identifying and prioritizing the features for our products.  Then we spend time with Development to create new capabilities and with Marketing, Sales, and customers extolling the benefits that these capabilities will provide.

One of our key assumptions is that each new capability is valuable to some (and hopefully, all) of our customers and potential customers.

However, in today’s litigious environment, shouldn’t product managers also be concerned with protecting their own company?

In an enterprise software application, a wide variety of users perform various functions, including many that could expose their company to risks. For example, new product designs are reviewed and approved in Product Lifecycle Management (PLM) systems, raw materials are acquired in ERP systems, and confidential legal matters are managed and reviewed in document management systems.

Each of these systems has one thing in common — it is possible for an “authorized user” to perform an action that could put their company in a compromising situation. And if someone has stolen this user’s identity and a terrible situation results — do you think that they will attempt to hold the enterprise software vendor responsible?

Of course they will.

If today’s legal system allows the manufacturer to be held liable when someone falls off the top of one of their step ladders, it will be easy to hold the enterprise software company responsible when the strategy of a defense team in a high-profile legal matter is downloaded and released to the public by someone who guessed the lead counsel’s password.

And what about a situation where a new part in an automobile is approved by a well-meaning administrative assistant who misunderstood which part their boss said to approve? When this approved part is later discovered to be faulty and results in the deaths of a number of people, don’t you think that the company will complain that it was “too easy” for the assistant to pretend to be their boss and that the software should have done a better job of detecting and preventing this action? Unfortunately, the answer is probably “yes”.

Thus, I believe Product Management needs to expand the criteria that we use to evaluate potential product capabilities, as follows:

  1. Riskiness — Capabilities that the product absolutely must have to protect the viability of “our” company.
  2. Must Have — Capabilities that the product must have in order to be effective in the marketplace.
  3. Should Have — Capabilities that the product should have, but are not required.
  4. Nice to Have — Capabilities that we would like to have, but are not required.

This approach will result in more time being spent resolving “Risk” issues and less time on user-visible features that could generate revenue — which could also threaten the continued existence of the software company.  Oh joy!!   Yet another trade-off for Product Management to balance.

So, what do you think?  Does this topic ever come up in your product planning?  Or does your company depend on the fine print of your license agreements to protect itself?

2 Responses to Is a Product Manager responsible for preventing corporate identity theft?

  1. gopalshenoy says:

    I am not sure if this is going to be a problem because the software industry has always gotten away with the licensing agreement clause that says that anything you do with the software is your responsibility and the vendor cannot be held responsible for the action. Here is a typical license agreement clause I found on the web. The last two paragraphs clearly say that the vendor is not responsible for anything that happens based on the use of the software.

    Notwithstanding anything else in this Agreement:

    Neither party shall be liable for any indirect, special, incidental, punitive or consequential damages, including but not limited to loss of data, business interruption, or loss of profits, arising out of the use of or the inability to use the Licensed Materials.

    Licensor makes no representation or warranty, and expressly disclaims any liability with respect to the content of any Licensed Materials, including but not limited to errors or omissions contained therein, libel, infringement of rights of publicity, privacy, trademark rights, moral rights, or the disclosure of confidential information.

    Except for the express warranties stated herein, the Licensed Materials are provided on an “as is” basis, and Licensor disclaims any and all other warranties, conditions, or representations (express, implied, oral or written), relating to the Licensed Materials or any part thereof, including, without limitation, any and all implied warranties of quality, performance, merchantability or fitness for a particular purpose. Licensor makes no warranties respecting any harm that may be caused by the transmission of a computer virus, worm, time bomb, logic bomb or other such computer program. Licensor further expressly disclaims any warranty or representation to Authorized Users, or to any third party.

    • David Fulton says:

      Gopal,
      You make an excellent point. Perhaps the license agreement provides a company enough protection. But I can’t help but believe that some enterprising attorney will claim that a software provider didn’t do “enough” to protect their customers from corporate identity theft and a sympathetic jury will award a substantial amount. Which would really turn the enterprise software industry upside down.
      I guess we’ll have to wait, see what happens, and hope for the best. Thanks for the comment.
      -dave-
