Congress enacted the SAFETY Act in 2002 in an effort to incentivize the development of anti-terrorism technologies following the attacks of September 11, 2001.  The Act affords liability protections to sellers of Qualified Anti-Terrorism Technologies (“QATTs”) in the event of an act of terrorism where QATTs are deployed.  Although the SAFETY Act’s protections have not yet been tested in court, a recent publication from the Department of Homeland Security’s Office of SAFETY Act Implementation (“OSAI”) further explains and reaffirms how the Act’s most significant liability protection—the government contractor defense—would operate to protect a SAFETY Act-approved company sued in court following a terrorist attack.
Continue Reading OSAI Issues Guidance on the Government Contractor Defense for Certified Anti-terror Technologies

Last week the Savannah River Site (“SRS”) in South Carolina, a large nuclear facility owned by the U.S. Department of Energy (“DOE”), went into a lock down after electronic and canine scans of a commercial delivery truck attempting to enter the facility indicated possible explosive residue on the vehicle.  Fortunately, the lock down was lifted a few hours later after law enforcement determined that there were no explosives on the truck.  The incident nonetheless attracted significant media attention presumably in view of the activities conducted at the facility, which is operated by private companies under contract with the DOE.  SRS processes and stores nuclear materials in support of U.S. national defense.  It also develops and deploys technologies to treat nuclear and hazardous waste left from the Cold War.

Based on publicly-available information about last week’s incident, SRS contractors did everything right:  they screened the vehicle as it approached the facility, prohibited entry and locked the facility down when a potential threat was detected, and called in law enforcement to secure the area and investigate.  There is, however, one more thing SRS contractors could have done — and still can do — obtain protection under the SAFETY Act, a post-9/11 risk mitigation program administered by the U.S. Department of Homeland Security (“DHS”) to incentivize the development and deployment of anti-terror technology.

Continue Reading Lock Down of Nuclear Site:  False Alarm, with a Lesson Learned

We have already seen tremendous fallout from recent cyber attacks on Target, the U.S. Office of Personnel Management, Sony Pictures, and J.P. Morgan.  Now imagine that, instead of an email server or a database of information, a hacker gained access to the controls of a nuclear reactor or a hospital.  The potential consequences are devastating: death, injury, mass property destruction, environmental damage, and major utility service and business disruption.  Now what if there were a mechanism that would incentivize industry to create and deploy robust and ever-evolving cybersecurity programs and protocols in defense of our nation’s critical infrastructure?

In late 2014, Representative Michael McCaul (R-TX), Chairman of the House Committee on Homeland Security, proposed legislation that would surgically amend the SAFETY Act, which currently offers liability protection to sellers and users of approved anti-terrorism technologies in the event of litigation stemming from acts of terrorism.  Rep. McCaul’s amendment would broaden this protection to cybersecurity technologies in the event of “qualifying cyber incidents.”  The proposed legislation defines a “qualifying cyber incident” as an unlawful access that causes a “material level[] of damage, disruption, or casualties severely affecting the [U.S.] population, infrastructure, economy, or national morale, or Federal, State, local, or tribal government functions.”  Put simply, under the proposed legislation, a cyber incident could trigger SAFETY Act protection without being deemed an act of terrorism.

Continue Reading SAFETY First: Using the SAFETY Act to Bolster Cybersecurity