We have already seen tremendous fallout from recent cyber attacks on Target, the U.S. Office of Personnel Management, Sony Pictures, and J.P. Morgan.  Now imagine that, instead of an email server or a database of information, a hacker gained access to the controls of a nuclear reactor or a hospital.  The potential consequences are devastating: death, injury, mass property destruction, environmental damage, and major utility service and business disruption.  Now what if there were a mechanism that would incentivize industry to create and deploy robust and ever-evolving cybersecurity programs and protocols in defense of our nation’s critical infrastructure?

In late 2014, Representative Michael McCaul (R-TX), Chairman of the House Committee on Homeland Security, proposed legislation that would surgically amend the SAFETY Act, which currently offers liability protection to sellers and users of approved anti-terrorism technologies in the event of litigation stemming from acts of terrorism.  Rep. McCaul’s amendment would broaden this protection to cybersecurity technologies in the event of “qualifying cyber incidents.”  The proposed legislation defines a “qualifying cyber incident” as an unlawful access that causes a “material level[] of damage, disruption, or casualties severely affecting the [U.S.] population, infrastructure, economy, or national morale, or Federal, State, local, or tribal government functions.”  Put simply, under the proposed legislation, a cyber incident could trigger SAFETY Act protection without being deemed an act of terrorism.

The House Committee on Homeland Security plans to reconsider Representative McCaul’s 2014 amendment in the coming weeks.  In anticipation, the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies held a hearing earlier this week to examine whether the SAFETY Act framework ought to be leveraged as a tool in our effort to prevent the next big cyber attack.  As foreshadowed during the hearing testimony, we believe the time is right to seriously consider an extension of the SAFETY Act:

  1. Incentivize Cybersecurity Development: In its present form, the SAFETY Act has proven to be an effective tool to facilitate the development–and use–of anti-terrorism technologies. The protection has allowed companies to lean forward in innovation and deployment of anti-terrorism products and security programs, without the fear of unbounded liability.  Although some cyber technologies are beginning to engage in the SAFETY Act program, those technologies are only protected in the case of an act of terrorism (which is a high bar–the Boston Marathon bombing was not declared an act of terrorism).  This broadened scope of liability protections for proven cybersecurity technologies will incentivize providers of cybersecurity technologies to innovate, as the likelihood of requiring such protection is higher when, as with most cyber attacks, the perpetrator and his/her motives are not always known. Thus, the SAFETY Act can only reach its full cyber potential with an amendment.  Furthermore, the SAFETY Act application process requires applicants to demonstrate the proven effectiveness of their technology, including the technology’s ability to adapt to evolving threats.  Furthermore, an applicant must demonstrate to OSAI the continuous improvement of its technology in order to earn renewal of its protection.  In other words, the SAFETY Act application process alone often compels an applicant to improve its technology.
  1. The Timing is Perfect: Not only is the country’s attention already focused on cybersecurity following high-profile cyber attacks, the Office of SAFETY Act Implementation (“OSAI”), which reviews all applications for protection has demonstrated the ability to evolve and address emerging technologies of increasing complexity and varying deployments.  For instance, OSAI has recently granted protection to the Port Authority of New York/New Jersey for a sophisticated set of anti-terrorism technologies deployed at the World Trade Center and at multiple airports, and to four large sports stadiums for their multilayered security programs.  Furthermore, waiting for a tragic cyber attack will ultimately make this effort more difficult, as the cybersecurity provider and insurance markets will dry up for fear of enterprise-threatening litigation.
  1. Complements Current Information-Sharing Bills: The attention from cyber attacks has sparked Congress to introduce information-sharing bills focusing on cybersecurity. Amending the SAFETY Act complements, and does not conflict with, these efforts.  The amendment would broaden protection to include attacks that materially damage and severely affect the nation beyond information-sharing activities.  It is also unclear whether the information-sharing bills as currently drafted would cover “downstream” suppliers of cyber technology to information-sharing companies, thus potentially eliminating some of their incentive to innovate. Working together, the information-sharing bills and an amended SAFETY Act would provide a “belt and suspenders” incentive regime, ultimately serving to improve the nation’s cyber profile.
  1. Stimulate the Cybersecurity Insurance Industry: The current market for cybersecurity insurance is quite limited, especially for key sectors, such as the energy, health, and financial industries.  When available, such insurance is expensive and often contains significant exclusions.  Amending the SAFETY Act to explicitly cover non-terror-based cyber incidents will expand the market, as sellers of cybersecurity technologies would be required to obtain certain levels of cybersecurity insurance in order to retain the protection offered by the SAFETY Act.

Markup if the amendment is expected by mid-September, and coalitions of industry are already forming in support of the amendment.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Raymond Biagini Raymond Biagini

A distinguished counselor and litigator, Raymond Biagini has risen to national prominence in a number of high-profile tort cases, defending commercial and government contractors in:

  • “Contractor on the Battlefield” tort litigation;
  • the Exxon Valdez litigation;
  • the Cell Phone Radiation Hazards lawsuits;
  • the “Fen-Phen”

A distinguished counselor and litigator, Raymond Biagini has risen to national prominence in a number of high-profile tort cases, defending commercial and government contractors in:

  • “Contractor on the Battlefield” tort litigation;
  • the Exxon Valdez litigation;
  • the Cell Phone Radiation Hazards lawsuits;
  • the “Fen-Phen” litigation;
  • the nationwide Repetitive Stress Injury suits;
  • claims arising out of “friendly fire” accidents during Operation Desert Storm; and
  • “war crimes” allegations filed against manufacturers of military weapons systems sold to Israel.

Ray is widely recognized for his expertise in defending “contractors on the battlefield” in tort litigation, and he has established ground-breaking legal principles at the federal appellate level which immunize defense contractors from tort liability arising out of combatant scenarios.

Ray also has an extensive product liability prevention practice, counseling companies on mechanisms for reducing their tort exposure for products and services sold to government and commercial entities. He is significantly involved in counseling companies selling “homeland security” products and services, such as chemical/biological detection devices, perimeter security systems, biometric identity products, and airport security systems. Ray conceptualized and authored key provisions of the SAFETY Act, a new federal statute that is part of the Homeland Security Act of 2002. The SAFETY Act protects companies from tort lawsuits arising out of the sale of homeland security products and services. 

Ray has represented some of the world’s largest aerospace, defense and pharmaceutical companies, including Kellogg Brown & Root, Lockheed Martin, BAE SYSTEMS, Boeing, Textron, SAIC, Teledyne, Eon Labs, Unisys, and Philips Electronics. He is a frequent public speaker on risk mitigation techniques.

Photo of Scott A. Freling Scott A. Freling

Scott is sought after for his regulatory expertise and his ability to apply that knowledge to the transactional environment. Scott has deep experience leading classified and unclassified due diligence reviews of government contractors, negotiating transaction documents, and assisting with integration and other post-closing…

Scott is sought after for his regulatory expertise and his ability to apply that knowledge to the transactional environment. Scott has deep experience leading classified and unclassified due diligence reviews of government contractors, negotiating transaction documents, and assisting with integration and other post-closing activities. He has been the lead government contracts lawyer in dozens of M&A deals, with a combined value of more than $76 billion. This has included Advent’s acquisition of Maxar Technologies for $6.4 billion, Aptiv’s acquisition of Wind River for $3.5 billion, Veritas Capital’s sale of Alion Science and Technology to Huntington Ingalls for $1.65 billion, and Peraton’s acquisition of Perspecta for $7.1 billion.

Scott also represents contractors at all stages of the procurement process and in their dealings with federal, state, and local government customers. He handles a wide range of government contracts matters, including compliance counseling, claims, disputes, audits, and investigations. In addition, Scott counsels clients on risk mitigation strategies, including obtaining SAFETY Act liability protection for anti-terrorism technologies.

Scott has been recognized by Law360 as a MVP in government contracts. He is a past co-chair of the Mergers and Acquisitions Committee of the ABA’s Public Contract Law Section.