In the wake of the attacks on Sept. 11, 2001, Congress enacted the SAFETY Act, which, among other things, encouraged the development of new “anti-terrorism” technologies by giving those developers immunity from civil liability if their approved technologies failed to prevent an attack. The Department of Homeland Security’s Science and Technology Directorate responsible for implementation of the law notes that the “… SAFETY Act provides incentives for the development and deployment of anti-terrorism technologies by creating systems of risk and litigation management. The purpose of the Act is to ensure that the threat of liability does not deter potential manufacturers or sellers of effective anti-terrorism technologies from developing and commercializing technologies that could save lives.” Oh, and don’t try to go the the Office of SAFETY Act compliance and implementation website at www.safetyact.gov—it won’t resolve for security reasons.
The act has significant potential impact on cybersecurity consultants, technology providers, service providers and their customers. Indeed, technology providers can use the language of the statute to grant themselves potential immunity from civil liability if their customers are hacked. You know those provisions in your contracts with security vendors that are IN ALL CAPS AND BOLDFACE and talk about damages, caps on damages, indemnification and hold harmless? They may all be irrelevant.
The SAFETY Act regulations at 6 CFR Part 25 are intended to implement the statute and provide civil immunity for those who develop or deploy “anti-terrorism” technologies. However, the definition of “terrorism” includes any illegal act that causes harm and “uses or attempts to use instrumentalities, weapons or other methods designed or intended to cause mass destruction, injury or other loss to citizens or institutions of the United States.” So a DDoS attack, whether state-sponsored or not, is “terrorism” because it is unlawful, causes harm and uses a method designed to cause “loss to citizens or institutions of the United States.” Malware? Check. Phishing? Check. In fact, the challenge is to find a cyberattack method that is NOT defined as terrorism.
If a cybersecurity company develops or deploys a Qualified Anti-Terrorism Technology that has been approved by DHS, then the cybersecurity company is cloaked in what is called the “government contractor” immunity defense—in essence treated the same way that the sovereign government would be for liability purposes. The doctrine, endorsed by the U.S. Supreme Court, was originally intended to extend sovereign immunity afforded to the government to those the government contracted to perform government functions. So if the government had no liability for designing a defective helicopter that crashes into an apartment complex, the government contractor who did so on behalf of (and with the approval of) the government stands in the shoes of the government for the purposes of immunity. The SAFETY Act extends this doctrine. If you develop an anti-terrorist technology (and every cybersecurity technology likely qualifies) and it is approved or “qualified” by DHS, and you sell this to private entities, you get the immunity! And for qualification and approval, all you have to do is demonstrate to DHS that your “anti-terrorism” technology “will perform as intended, [and] conforms to the Seller’s specifications, and is safe for use as intended” and that the seller of the technology has conducted “safety and hazard analyses” and provide that information to DHS. Voilá! Immunity (unless you affirmatively committed fraud in connection with the application for qualification).
Not only do you get some immunity, but the SAFETY Act creates an exclusive Federal cause of action “for any claim for loss of property, personal injury, or death arising out of, relating to, or resulting from an act of terrorism when qualified anti-terrorism technologies have been deployed in defense against or response or recovery from such act and such claims result or may result
in loss to the Seller.” The government requires the Seller of a qualified anti-terrorism technology to purchase insurance up to a level that does not make its deployment financially prohibitive, but also provides that the Seller—the only entity that can be held liable for damages—only has liability for an “act of terrorism” up to the amount of insurance carried. Oh, and the statute only allows recovery of “actual” damages from the seller—no punitive damages, no collateral damage.
Even better, the act provides that if a company uses a qualified anti-terrorism technology, it gets immunity, too! The only entity that can be sued is the seller of the technology. So the buyer gets to blame the seller, and the seller gets immunity for anything except fraud. Since virtually any cybersecurity technology is designed to prevent exactly the kind of harm defined as terrorism in the regulation, any cybersecurity vendor could apply to DHS for approval. The seller gets qualified immunity. The buyer gets qualified immunity. The consumer—well, not great for them.
Think this is absurd? Ask survivors or relatives of victims of the Las Vegas shooting who have sued the Mandalay Bay resort. The resort used a Qualified Anti-Terrorism Technology in that they hired a security company whose “services” were approved by DHS to provide security. So Mandalay Bay is claiming that, by purchasing these security services, the hotel comes under the umbrella of the SAFETY Act, and has no liability for any act of terrorism (broadly defined) that might have caused injury to victims. So the act of a lone gunman inside the United States, not pursuant to any political ideology, is an act of “terrorism” because it harms U.S. citizens. Therefore, they can’t sue the Mandalay Bay hotel, because the hotel hired a security guard company whose “technology” (services) were certified by DHS.
No reason every cybersecurity service, consultant, assessment and technology can’t also be “certified.” Then the customers can simply point to the vendor if they get sued, and the vendor can point to the insurer or to their own immunity.
And the only one who loses out is the customer. What could go wrong?