As data breach legislation and cybersecurity policy continue to develop across the United States at the state and national levels, a new cybersecurity development in the private sector has caught our attention.

The Department of Homeland Security (DHS) recently certified the first cybersecurity products under the Support Anti-Terrorism by Fostering Effective Technologies Act (SAFETY Act) of 2002. With this certification from the DHS, the seller of the cybersecurity products and the companies that use or deploy the products are all afforded certain liability protections under the SAFETY Act from “claims arising out of, relating to, or resulting from an act of terrorism.”

Limitations of Liability Under the SAFETY Act

The SAFETY Act, a law passed under the Homeland Security Act of 2002 as Subtitle G to Title VIII, limits liability for claims that result from an act of terrorism when a qualified anti-terrorism technology (defined by the law to include information technology) has been deployed.

The statute provides liability protection in two ways. First, it limits the total liability that results from such claims to the amount of liability insurance that the seller of the product is required to maintain, as determined by the DHS.

Second, and perhaps more significantly, the statute provides that if “a product liability or other lawsuit [is] filed for claims arising out of, relating to, or resulting from an act of terrorism when qualified anti-terrorism technologies . . . have been deployed in defense against or response or recovery from such act,” then the government contractor defense is available as a rebuttable presumption for the seller and users of the technology. This rebuttable presumption can only be overcome “by evidence showing that the Seller acted fraudulently or with willful misconduct in submitting information to the Secretary during the course of the Secretary’s consideration of [the qualified anti-terrorism technology].” Thus, the statute creates a method for companies to eliminate claims at the motion to dismiss stage of litigation.

Which “Acts” Are Covered?

Although these liability protections only apply to claims relating to acts of terrorism, the term “act of terrorism” appears to have broad application, including acts outside the United States that only cause financial harm to persons or entities in the United States.

The SAFETY Act defines an act of terrorism as “any act that the Secretary determines meets the requirements under subparagraph (B), as such requirements are further defined and specified by the Secretary.” Subparagraph (B) states that an “act meets the requirements of this subparagraph if the act (i) is unlawful; (ii) causes harm to a person, property, or entity, in the United States . . . and (iii) uses or attempts to use instrumentalities, weapons or other methods designed or intended to cause mass destruction, injury or other loss to citizens or institutions of the United States.”

As interpreted and further defined by the Office of the Secretary of the DHS in its Final Rule, an act of terrorism “on foreign soil may indeed be deemed an ‘Act of Terrorism’ for purposes of the SAFETY Act provided that it causes harm in the United States.” The DHS also “interprets ‘harm’ in this context to include harm to financial interests,” thus potentially bringing cyber attacks on US companies within the definition.

Because these liability protections have not yet been tested in data breach litigation, it will be interesting to see how courts apply them. We will watch for developments in this area and for how the DHS certification of cybersecurity products affects the broader discussion on cybersecurity policy and legislation.