Finding a Cyber Safe Harbor in the SAFETY Act

Does your company provide or use a cybersecurity product or service? Are you concerned about the potential liability for yourself, your distributors and your customers if your cybersecurity product is used in an attempt to thwart cyber terrorism? You should be. Late last month the Department of Homeland Security (DHS) certified two cybersecurity products under the Support Anti-terrorism by Fostering Effective Technologies (SAFETY) Act, a law passed in the wake of 9/11 that encourages the development of anti-terrorism technologies by providing liability protections for developers and users of approved technologies, products and services. Designation or certification under the SAFETY Act may help your company and its customers manage their potential exposure for the use of your products or services to combat cyber terrorism.

What is the SAFETY Act?

The SAFETY Act protects developers and sellers of Qualified Anti-Terrorism Technologies (“QATTs” or “qualified technologies”) by limiting liability for claims arising out of, relating to, or resulting from an act of terrorism where their qualified technologies were deployed to defend against, respond to or recover from such act. The SAFETY Act also provides a safe harbor for qualified technology users by requiring that all terrorism-related causes of actions be filed against the qualified technology sellers, effectively shielding buyers, users, or other persons or entities from third-party claims related to the use of a qualified technology during a terrorist act. The SAFETY Act rules provide three different tiers of protection:

• Developmental Testing and Evaluation (DT&E): This introductory level is utilized while anti-terrorism technologies are under development or are being modified. This tier is subject to use and deployment limitations set by DHS. While the designation is active (usually no longer than 36 months), the manufacturer can avail themselves to the risk and litigation management protections discussed under the Designated
• Designated: This is the entry level for developed products and services. Anti-terrorism technologies that obtain this designation benefit from the risk and litigation provisions under the SAFETY Act. The risk and litigation management provisions provide for exclusive jurisdiction in Federal courts, a cap on liability, and specify that sellers can only be held liable for the percentage of noneconomic damages that are proportionate to their responsibility. The provisions further bar punitive damages or prejudgment interest, and reduce plaintiff’s recovery by the amount of collateral sources of compensation.
• Certified: The certified tier includes all of the benefits of Designated, plus the seller can claim the “Government Contractor” affirmative defense and the qualified technologies are listed on DHS’s approved list. The government contractor defense which limits all liability can only be rebutted by evidence showing that the seller acted fraudulently or with willful misconduct in submitting information to DHS to obtain this certification. This heightened level of protection is only obtainable by Designated qualified technologies that are able to demonstrate to DHS that their technology performs as intended, conforms to the seller’s specification and is safe for use as intended.

In order to be considered for inclusion as a qualified technology, a company must submit an application that demonstrates its technology is effective, capable and properly developed. The SAFETY Act and rules also contain certain technical and economic criteria that DHS considers when evaluating the application. In addition, the applicant must make certain financial disclosures and obtain a sufficient amount of liability insurance set by DHS. The full application and evaluation process can take as long as 120 days. Companies can also submit a pre-application to get preliminary feedback from DHS about whether their product is a good candidate for inclusion under the SAFETY Act and what information will need to be submitted in a full application. Once achieved, the Designated and Certified levels are good for five years and can be renewed.

Advantages for Sellers and Buyers: Promoting SAFETY by Limiting Liability

Through this liability shield, the SAFETY Act tries to foster an atmosphere where sellers and users are confident that they can produce and use products designed to reduce the risk or occurrence of acts of terror without exposing themselves to enormous third-party claims. Thus, companies on the forefront of combatting or defending against cyber terrorism should be aware of the advantages that come with either having their products designated or certified under the SAFETY Act, or using products that have already been approved as qualified technologies by DHS. Yet companies should understand that the SAFETY Act’s safe harbors do not guard against all legal liabilities. For instance, the SAFETY Act only applies to claims relating to instances that are deemed “acts of terrorism” – namely, unlawful acts that cause harm and use or attempt to use devices intended to cause mass destruction or loss. Also, while buyers and downstream users of qualified technologies are immune from liability related to their use in defense against, response to or recovery from acts of terrorism, buyers and users should be aware that they are not immune under the SAFETY Act from claims that they negligently operated a qualified technology. DHS maintains http://www.SafetyAct.gov/ which contains more information about how to submit an application for your technology and the list of qualified technologies for prospective buyers.