Categories & Search

A Shield From Cyber Liability: Beyond the Statute

Part 3 in a 3-Part Series

As we’ve written about in the past, the SAFETY Act has the potential to help companies mitigate their risk from cyber-terrorism.  As previously noted, the statute has never been fully tested in courts, so the full contours of its protection remain uncertain. Nonetheless, the benefits of SAFETY Act approval may extend well beyond those mandated by Congress: to the right company, SAFETY Act approval could be a significant market differentiator and, in the right circumstances, could be a powerful tool in litigation even when the Act does not itself apply.

This is the final installment in a three-part series. Be sure to read part one, which describes how the SAFETY Act applies to cybersecurity; and part two, which breaks down some of the basic concepts of SAFETY Act protection, including potentially eligible technologies and the benefits of SAFETY Act approval.

Reputational Considerations

Although the SAFETY Act was passed in 2002, its use is still in relative infancy, especially with respect to cybersecurity. As a result, companies have an opportunity to distinguish themselves as cybersecurity leaders by seeking and obtaining SAFETY Act approval. That approval could be a prestigious credential from the United States Department of Homeland Security (“DHS”), reflecting a company’s leadership in cybersecurity best practices. For companies in industries with an increased risk of cyberterrorism – including financial services, infrastructure, energy, sports, and entertainment – SAFETY Act approval could act as a business differentiator to the public, customers, shareholders, and the market.

On the flip side, as more and more companies adopt robust cybersecurity practices and seek review and approval from DHS, SAFETY Act approval has the potential to become a new gold standard in cybersecurity best practices. Companies that neglect their cybersecurity policies run the risk of suffering reputational harm associated with peers achieving SAFETY Act designation while they have not, in addition to exposing themselves to a cybersecurity event.

Litigation and Enforcement Considerations

As the MGM case concerning the October 2017 shooting at the Mandalay Bay Hotel highlights, a litigation defense based on the SAFETY Act raises a number of unresolved issues. However, even when a cybersecurity event is not declared to be an “act of terrorism” by the Secretary of Homeland Security, SAFETY Act designation may be a valuable tool in building a litigation defense and responding to government and media scrutiny.

By seeking and obtaining SAFETY Act approval, a company and its leadership team establishes a strong record that they took commercially reasonable steps to mitigate cybersecurity risks, and that record will speak volumes on the question of whether the company exercised reasonable care, as well as whether the company’s officers and directors satisfied their fiduciary duties. And even if the litigation management provisions of the SAFETY Act do not directly apply, DHS’s seal of approval is strong evidence to rebut claims of negligence – as well as derivative claims – in litigation, regulatory concerns, or even investigations in the law enforcement context.

Business Considerations

Finally, SAFETY Act approval has the potential for additional benefits as well. SAFETY Act approval by DHS may reduce insurance costs and improve the underwriting profile for a company, as it establishes that the company meets well-respected objective benchmarks for cybersecurity.

And for companies looking to reinforce or review their cybersecurity systems, policies, and practices, the SAFETY Act approval process is an exercise in good cyber-hygiene because it provides a strong incentive to examine existing practices and invest in industry-best practices. In pursuing DHS approval, a company conducts a full self-audit followed by a detailed review with feedback from DHS, which provides valuable insight into the strengths and weaknesses of a company’s cybersecurity program as the company progresses through DHS’s rigorous review process.

Conclusion

We will continue to cover the MGM case, DHS regulations, and other developments involving the SAFETY Act, especially as it regards cybersecurity, which continues to be a crucial component of corporate risk management for company managers and boards across a variety of industries.