SAFETY Act

Earlier this week, both chambers on Capitol Hill took steps that would increase the Department of Homeland Security’s (DHS) role in the area of cybersecurity.  On the Senate side, the Senate Homeland Security and Governmental Affairs Committee approved a DHS reauthorization bill that included amendments to rename and reorganize the DHS National Protection and Programs Directorate (NPPD), to increase protections for certain personally identifiable information (PII), and to emphasize the need for cybersecurity research.  On the House side, the House Homeland Security Committee approved the Cyber Incident Response Teams Act, which would establish teams within DHS devoted to cyber incident response.
Continue Reading DHS Cybersecurity Legislation Advances Through Capitol Hill

Congress enacted the SAFETY Act in 2002 in an effort to incentivize the development of anti-terrorism technologies following the attacks of September 11, 2001.  The Act affords liability protections to sellers of Qualified Anti-Terrorism Technologies (“QATTs”) in the event of an act of terrorism where QATTs are deployed.  Although the SAFETY Act’s protections have not yet been tested in court, a recent publication from the Department of Homeland Security’s Office of SAFETY Act Implementation (“OSAI”) further explains and reaffirms how the Act’s most significant liability protection—the government contractor defense—would operate to protect a SAFETY Act-approved company sued in court following a terrorist attack.
Continue Reading OSAI Issues Guidance on the Government Contractor Defense for Certified Anti-terror Technologies

Last week the Savannah River Site (“SRS”) in South Carolina, a large nuclear facility owned by the U.S. Department of Energy (“DOE”), went into a lock down after electronic and canine scans of a commercial delivery truck attempting to enter the facility indicated possible explosive residue on the vehicle.  Fortunately, the lock down was lifted a few hours later after law enforcement determined that there were no explosives on the truck.  The incident nonetheless attracted significant media attention presumably in view of the activities conducted at the facility, which is operated by private companies under contract with the DOE.  SRS processes and stores nuclear materials in support of U.S. national defense.  It also develops and deploys technologies to treat nuclear and hazardous waste left from the Cold War.

Based on publicly-available information about last week’s incident, SRS contractors did everything right:  they screened the vehicle as it approached the facility, prohibited entry and locked the facility down when a potential threat was detected, and called in law enforcement to secure the area and investigate.  There is, however, one more thing SRS contractors could have done — and still can do — obtain protection under the SAFETY Act, a post-9/11 risk mitigation program administered by the U.S. Department of Homeland Security (“DHS”) to incentivize the development and deployment of anti-terror technology.
Continue Reading Lock Down of Nuclear Site:  False Alarm, with a Lesson Learned

On August 11, 2015, the Office of Management and Budget (OMB) issued a draft guidance memorandum intended to improve cybersecurity protections in federal acquisitions. Specifically, the proposed memorandum provides direction to federal agencies on “implementing strengthened cybersecurity protections in Federal acquisitions for products or services that generate, collect, maintain, disseminate, store, or provides access to Controlled Unclassified Information (CUI) on behalf of the Federal government.” CUI is defined in a recently issued proposed FAR rule as “information that laws, regulations, or Government-wide policies require to have safeguarding or dissemination controls, excluding classified information.”

Although the OMB memorandum is a laudable attempt to create uniformity across the federal government, the Guidance leaves many questions unanswered and the details of its implementation by federal agencies remain to be seen. As described below, even with this Guidance, contractors will continue to encounter inconsistent requirements for what constitutes a “cyber incident,” how quickly a cyber incident must be reported to the government, and what security controls are considered “adequate” for safeguarding CUI.
Continue Reading OMB Issues New Draft Cyber Guidance for Contractors

We have already seen tremendous fallout from recent cyber attacks on Target, the U.S. Office of Personnel Management, Sony Pictures, and J.P. Morgan.  Now imagine that, instead of an email server or a database of information, a hacker gained access to the controls of a nuclear reactor or a hospital.  The potential consequences are devastating: death, injury, mass property destruction, environmental damage, and major utility service and business disruption.  Now what if there were a mechanism that would incentivize industry to create and deploy robust and ever-evolving cybersecurity programs and protocols in defense of our nation’s critical infrastructure?

In late 2014, Representative Michael McCaul (R-TX), Chairman of the House Committee on Homeland Security, proposed legislation that would surgically amend the SAFETY Act, which currently offers liability protection to sellers and users of approved anti-terrorism technologies in the event of litigation stemming from acts of terrorism.  Rep. McCaul’s amendment would broaden this protection to cybersecurity technologies in the event of “qualifying cyber incidents.”  The proposed legislation defines a “qualifying cyber incident” as an unlawful access that causes a “material level[] of damage, disruption, or casualties severely affecting the [U.S.] population, infrastructure, economy, or national morale, or Federal, State, local, or tribal government functions.”  Put simply, under the proposed legislation, a cyber incident could trigger SAFETY Act protection without being deemed an act of terrorism.
Continue Reading SAFETY First: Using the SAFETY Act to Bolster Cybersecurity