The SAFETY Act is a highly effective risk management tool created to incentivize the development of anti-terrorism technologies—broadly defined—the SAFETY Act created a program to provide protections to providers of products and services meant to prevent or mitigate physical and cyber-attacks. Among other benefits, companies receiving SAFETY Act coverage for their technologies have their potentially liability associated with an act of terrorism capped at the amount of insurance coverage required by the U.S. Department of Homeland Security (“DHS”). Companies seeking to reduce their exposure to liability associated with cyber or physical attacks should consider applying for designation or certification under the SAFETY Act. DHS has also approved a wide variety of other technologies and security programs for protection under the SAFETY Act.
Nearly every business is vulnerable to potential cyber or physical attacks. The liabilities arising in connection with cyber incidents can be huge and are an increasing focus for businesses, large and small. Equifax paid $700M to resolve government investigations and consumer claims arising out of a data breach, and T-Mobile paid $500M to settle a data breach class action. Potential liability is not limited to the organization; directors and officers also face the specter of individual liability. For example, last year, the Delaware Chancery Court ruled that officers owe a duty of oversight (since clarifying that this duty will be analyzed under the same standard as fir directors), opening the door for civil breach of oversight claims to be brought against both directors and officers.
What Is the SAFETY Act?
Congress passed the Supporting Anti-Terrorism by Fostering Effective Technologies (“SAFETY”) Act[1] in 2002 following the September 11 terrorist attacks. The Act created a program administered by the DHS to promote the development of “qualified anti-terrorism technologies” meant to safeguard against “acts of terrorism.” The SAFETY Act defines acts of terror broadly. Included are any acts that are unlawful and cause harm in the United States using methods intended to cause mass losses.
Act of terrorism means any act [that]. . .
(1) Is unlawful.
(2) Causes harm, including financial harm, to a person, property, or entity, in the United States, or in the case of a domestic United States air carrier or a United States-flag vessel . . . in or outside the United States.
(3) Uses or attempts to use instrumentalities, weapons or other methods designed or intended to cause mass destruction, injury or other loss to citizens or institutions of the United States.
49 C.F.R. 50.201. In passing this legislation, and in its continuing support of this program, Congress seeks to encourage companies to invest in a wide range of anti-terrorism technologies.
Importantly, products, services, and systems can be protected. The DHS notes that “qualified anti-terrorism technologies” is defined very broadly to include “any qualifying product, equipment, service (including support services), device, or technology (including information technology)” that merits protection. For example, many types of services— design, consulting, engineering, and software development and/or integration—qualify as “technology,” as do threat assessment and vulnerability studies. In fact, DHS has determined that an enterprise-wide cyber governance framework can qualify as a certified “technology” for purposes of the SAFETY Act. The DHS also lists detection systems, blast mitigation materials, screening services, sensors and detectors, decision support software, security plans, and crisis management systems as eligible for protection.[2]
The Act makes three levels of protection available for qualifying technologies; in order of protection, they are: (1) Development, Testing, and Evaluation Designation, (2) Designation, and (3) Certification.[3] Each has differing standards, terms, and accompanying protections. Some recent recipients of SAFETY Act protection include:
- National Football League: Certification for guidelines for stadium security management to deter and defend against terrorist attacks at sports stadiums;
- Leidos: Designation for a non-intrusive inspection system to scan motorized vehicles;
- Hardwire, LLC: Designation for a physical shield installed over vulnerable cable bridge components;
- ASIS International, Inc.: Designation for a certification and re-certification program for security professionals based on examinations;
- American Petroleum Institute: Certification for its standard providing requirements and guidance for managing cyber risk for the oil and natural gas pipeline industry.[4]
What Are the Benefits of Designation and/or Certification?
Designation or certification as a qualified anti-terrorism technology (“QATT”) entitles the creators or users of qualified technologies to powerful liability protections in the event of a declared act of terrorism. These benefits may include, depending on the level of designation or certification, exclusive federal jurisdiction and choice of law where the attack occurred, caps on liability, prohibition of punitive damages, and government contractor immunity.
The SAFETY Act also offers meaningful reputational benefits. The technology will be placed on the DHS’s Approved Technologies list, and the creator is entitled to use a DHS seal of approval in public materials. The federal government also commonly requires SAFETY Act certification for its contractors. Companies can transfer certification along with the technology in the event of a sale or merger.
Finally, SAFETY Act protection can prove highly valuable in other contexts where the safety and security of a company’s products, services, or operations is scrutinized— whether by regulators, investors, customers, or jurors. A SAFETY Act certification or designation could be a pivotal factor in the evaluation of a company’s conduct and potential liability in the wake of a cyber or physical incident causing substantial harm—even if the event is not declared an act of terrorism that would trigger the Act’s statutory protections. Insurers may also consider SAFETY Act protection in underwriting liability policies, particularly cyber and D&O liability. This is a huge opportunity for policyholders to demonstrate that they should receive the benefit of lower premiums and greater coverage given the proactive steps they have taken to reduce liability by ensuring state of the art technology and obtaining recognition of those efforts through SAFETY Act certification or designation.
How Is Technology Certified?
Companies seeking SAFETY Act protection must file a petition with the DHS. More on this process will be addressed in Part 2 of this series.
[1] See 6 U.S.C. § 441 et seq.
[2] See SAFETY Act 101 Briefing at 3, Dep, Dep’t of Homeland Security, available at https://www.safetyact.gov/externalRes/refDoc/refGroup/8/SAFETY%20Act%20101%20Briefing.pdf.
[3] Id. at 6.
[4] See SAFETY Act, Approved Technologies, Dep’t of Homeland Security, https://www.safetyact.gov/lit/at/aa.