As we’ve discussed in previous posts, the SAFETY Act has the potential to serve as a valuable tool for companies looking to mitigate risk from cyber-terrorism. This is part two of a three-part series; be sure to read part one, which describes how the SAFETY Act applies to cybersecurity.
In this post, we break down some of the basic concepts that are crucial to understanding the power—and limitations—of SAFETY Act protection. First, we look at what kind of technology is eligible for protection under the SAFETY Act, as well as some recent examples of approved SAFETY Act cybersecurity applications. Next, we dive into the three different levels of approval, before finally turning to the statutory benefits of those approvals.
“Qualified Anti-Terrorism Technologies”
Under the statute, the Secretary of Homeland Security is authorized to designate qualified anti-terrorism “technologies” for SAFETY Act protection. Technology is defined broadly to include “any product, equipment, service (including support service), device or technology (including information technology)” that prevents, detects, identifies, or deters acts of terrorism or limits their harm.
The SAFETY Act’s implementing regulations provide an additional level of depth to the statute by defining “technology” to include “software development services, software integration services, [and] threat assessments.”
A handful of businesses have already obtained SAFETY Act approvals for their cyber-related technology. As discussed in part one, Southern Company, an energy company, obtained approval for its “Cybersecurity Risk Management Program,” which broadly covers its data protection and network security policies and programs. But other companies have obtained SAFETY Act approval for their cybersecurity-related products or services as well. Companies such as Honeywell Technology Solutions Inc., Lauren Innovations, LLC, Alert Logic, Inc., and Acuity Solutions Corporation have approvals on cybersecurity platforms and products used to prevent, mitigate, or respond to cybersecurity crises.
The wide variety of technologies approved by DHS demonstrates that “qualified anti-terrorism technologies” can encompass many different kinds of cybersecurity programs, services, and technologies—including both technologies designed to be sold to third-parties and technologies developed for internal use. As a result, the SAFETY Act can cover products and services well beyond the scope of what might be considered “traditional” anti-terrorism technologies.
Tiers of Protection
For each approved technology, DHS offers three different possible approvals, which is determined based on the “confidence of effectiveness.”
The first level, Developmental Test & Evaluation (“DT&E”), is for technologies that, according to DHS, show potential but require additional evidence of effectiveness. Generally, DT&E approvals are limited in duration (three years at the longest), and may be limited to a number of sites or events.
The second tier, Designation, is for technology with proven effectiveness and confidence of repeatability. Designations can last up to five years, and cover any and all deployments. Both DT&E and Designation offer liability caps based on a company’s insurance limits, as described below, in addition to other protections.
Finally, the highest level of approval, Certification, is reserved for technology with consistently proven effectiveness and a high confidence of enduring effectiveness. In recent years, obtaining a Certification has become increasingly difficult and requires an exhaustive review by DHS. Not only do Certifications last five years and cover all deployments, but such companies defending against litigation based on a declared act of terrorism are entitled to a rebuttable presumption that the government contractor defense applies, which would shield a company from liability arising from the use of the qualified anti-terrorism technology.
Benefits of Approval
The benefits of SAFETY Act approval at any level can be substantial.
First, in response to an act of terrorism involving that company’s qualified anti-terrorism technology, a company’s liability is capped at its total liability insurance, which must be maintained at a level set by DHS. The Act further limits potential liability by precluding punitive damages and pre-judgment interest, and limiting joint and several liability for non-economic damages.
Companies with SAFETY Act approvals are also assured that their litigation will take place in federal court. Under the Act, federal courts have exclusive jurisdiction over “all actions for any claim for loss of property, personal injury, or death arising out of, relating to, or resulting from an act of terrorism when qualified anti-terrorism technologies have been deployed.”
As illustrated by the MGM case, establishing federal jurisdiction may be easier said than done; to date, there are no judicial decision on this issue, although the jurisdictional issue was raised in early court hearings. The MGM case concerned the October 2017 Route 91 Harvest Festival mass shooting at the Mandalay Bay Hotel in Las Vegas. Following the incident, MGM brought more than a dozen declaratory judgment lawsuits against the victims, alleging that the SAFETY Act shielded MGM from liability. To date, DHS has not made a determination as to whether the incident constituted an “act of terrorism” under the statute. And now that the MGM case is in private mediation, the SAFETY Act continues to not be tested in court.
That said, the benefits of approval under the SAFETY Act extend beyond merely those conferred by the statute: in the right circumstances, SAFETY Act designation can be a seal of approval that has an impact even outside of related litigation. In our final installment, we will cover some of the non-statutory benefits of SAFETY Act approval and how it can complement a company’s broader cybersecurity strategy.
