A Shield From Cyber Liability: Integrating SAFETY Act Protections Into Institutional Cyber Governance
An obscure federal law called the SAFETY Act recently captured national headlines when MGM Resorts International invoked it in a series of pre-emptive, declaratory judgment lawsuits against the victims of the 2017 Route 91 Harvest Festival shooting in Las Vegas. MGM sued the victims in an effort to avoid liability in connection with the tragedy. MGM owns the Mandalay Bay hotel, where Stephen Paddock, from his 32nd floor suite, shot and killed 58 people and wounded hundreds more who were attending the music festival next door.
MGM’s audacious strategy raises a host of questions regarding the scope of the Act’s immunity protections, many of which may remain unanswered since MGM has now paused the declaratory judgment suits, as well as related litigation, in favor of private mediation.
Today, and over the next few weeks, we will take a broader look at the SAFETY Act and its potential significance in the field of cybersecurity. This post is the first in a three-part series that will describe why, in appropriate circumstances, the SAFETY Act can serve as an invaluable tool to help manage litigation risk related to cybersecurity.
For organizations with sensitive data (whether it be financial or health information, material non-public information, trade secrets, or personally identifiable information, among other categories of data), hacking, phishing, ransomware and other flavors of cybercrime are becoming an increasingly pervasive organizational risk. As domestic and international criminals become more sophisticated, experts predict that the economic damage related to cybersecurity incidents will continue to rise. One report suggests that the cost of cybercrime globally is estimated to be more than $2 trillion in 2019, almost four times the estimated cost in 2015.
Another recent study estimated that a data breach in the U.S. costs, on average, nearly $8 million, and a “mega breach” (one involving 50 million records) could have a total cost of $350 million. In just the past month, news broke of a phishing attack that compromised 500,000 records, including personal data and health information, from the San Diego Unified School District, and a group called “The Dark Overlord” reported that it hacked into a law firm’s system, installed ransomware, and has since been threatening to sell the firm’s confidential information on the dark web.
SAFETY Act Basics
The SAFETY Act – short for the Support Anti-Terrorism by Fostering Effective Technologies Act of 2002 – was passed in response to the wave of litigation against airlines, security companies, and airplane manufacturers that followed the September 11th terrorist attacks. The statute was intended to encourage companies to develop and implement anti-terrorism technologies by providing various safeguards to sellers and users of the technologies.
Companies that submit a confidential application detailing their anti-terrorism technology to the Department of Homeland Security (DHS) undergo a rigorous review process and, if approved, are eligible to receive a range of liability protections when that technology is involved in an act of terrorism. The protections generally include a cap on liability that cannot exceed the company’s liability insurance limit, as well as a bar on punitive damages and pre-judgment interest.
Cyber Programs as Technology Under the SAFETY Act
To date, there have been more than 900 public approvals of anti-terrorism technologies under the SAFETY Act. According to publicly available information, the majority of those approvals relate to technologies focused on physical security. The Act, however, also acknowledges the importance of cybersecurity anti-terrorism technology by including “information technology” as a category of eligible anti-terrorism technology. In its implementing regulations for the Act, DHS explicitly recognized that acts of “cyber terrorism” fall within the Act’s definition of an “act of terrorism.”
So far, very few companies have received public approval under the Act for their cybersecurity technologies. For example, just last fall, Southern Company, the Atlanta-based energy company, obtained SAFETY Act approval for its “Cybersecurity Risk Management Program,” which, according to the public description, includes its governance, network security, data protection, incident response, training, and other cybersecurity policies.
The SAFETY Act is not for every organization. There is a matrix of variables that comes into play when deciding whether a business might be a suitable candidate for SAFETY Act consideration. The standards are high and not every organization will fit within its mandate.
But for companies that qualify and are willing to put in the time and effort necessary to make that determination, the benefits can be substantial. SAFETY Act review can assist a company both in ensuring that its cyber defenses are set at a high level to prevent a cybercrime incident and in decreasing risk to the company (and its officers and directors) if one occurs. In preparing for SAFETY Act consideration, a company undergoes an intensive self-audit to ensure that its cybersecurity defenses are sufficiently robust. Through the confidential application process, DHS may request more information or even highlight areas needing improvement.
In appropriate cases, SAFETY Act approval will no doubt become an increasingly important component of cybersecurity risk management in a variety of industries.
In the coming weeks, we will dive deeper into the statutory framework and benefits of the SAFETY Act, review examples of cybersecurity approvals, and home in on the various non-statutory benefits that a company and its leadership acquire with SAFETY Act approval.