Las Vegas Shooting Lawsuits: How They Will Impact the Cybersecurity World
Last week, MGM Resorts International filed nine pre-emptive lawsuits against the victims of last year’s mass shooting at the Mandalay Bay Hotel in Las Vegas. MGM, owner of the Mandalay, is asking federal courts around the country to declare that the company is not liable “for any claim for injuries arising out of or related to” the mass attack.
MGM’s legal theory turns on a before-now-little-noticed statute called the Support Antiterrorism by Fostering Effective Technologies Act of 2002, or the “Safety Act.” The law was passed after September 11, 2011, when airlines, security companies, and airplane manufacturers faced a wave of lawsuits. Congress, for its part, decided to protect companies from liability for claims related to an “act of terrorism” when Department of Homeland Security (DHS) approved technologies were deployed. To date, DHS has approved more than a thousand applications for Safety Act protection.
As the MGM lawsuits demonstrate, the benefits of Safety Act designation are substantial. For claims relating to an act of terrorism when Safety Act designated technologies are used: (1) damages cannot exceed the “limits of liability coverage,” (2) plaintiffs cannot recover punitive damages or pre-judgment interest; (3) any noneconomic damages may be “only in an amount directly proportional” to the defendant’s responsibility (i.e., no joint liability); and (4) federal courts have “exclusive” jurisdiction over any claim “for loss of property, personal injury, or death for performance or non-performance” of a “qualified technology in relation to an act of terrorism.” And any liability will be “capped” at the company’s DHS-approved liability insurance cut off.
For some companies, the benefits could be even greater: With technologies that are “certified” by DHS—a difficult designation that requires exhaustive review—companies are entitled to a “rebuttable presumption” that the government contractor defense applies. And if applied, that defense could shield a company from all liability arising from the use of an anti-terrorism technology.
So, why are we talking about the Safety Act on a data security blog, you ask? DHS itself has recognized that “cyber terrorism” would count as an “Act of Terrorism” under the Safety Act. Indeed, the text of the statute provides that “qualified anti-terrorism technology” may include any “service or technology,” including “information technology.” Likewise, the Act’s implementing regulations provides that “software development services, software integration services, threat assessments, vulnerability studies, and other analyses relevant to homeland security may be deemed” a certifiable technology. Companies—from Boeing to the American Chemistry Council—have already received Safety Act designations for their cybersecurity programs, plans, services and technologies.
Which brings us back to MGM’s pre-emptive law suits against the Las Vegas victims. By our count, these are the first cases in which courts will be asked to interpret the scope and protections of the Safety Act. And MGM’s legal argument is aggressive: MGM itself did not employ any Safety Act designated technology. Rather, MGM hired a professional security company, which in turn deployed services certified by the DHS. What’s more, the Secretary of Homeland Security has yet to certify the Mandalay shooting as an “Act of Terrorism.” Not to worry, says MGM, “neither the Act nor [its] regulations requires a formal certification” that a terrorist attack actually occurred.
With those issues, it is far from clear how MGM’s arguments will shake out. We will, of course, continue to monitor these cases.