Data Security Law Blog

In Search of Immunity: MGM Fights to Define SAFETY Act Protection

Memories of the massacre of dozens of concertgoers at a Las Vegas music festival last year are unlikely to fade soon. In the deadliest shooting in U.S. history, Stephen Paddock killed 58 people and wounded hundreds from his perch within the Mandalay Bay hotel, owned by MGM Resorts International.

A legal battle is now underway over liability for the shooting and the first ever legal test of a little known federal law – the Support Antiterrorism by Fostering Effective Technologies Act of 2002 or SAFETY Act – will start later this month in a San Francisco courtroom. The SAFETY Act was enacted after the Sept. 11th terrorist attacks to provide different levels of legal protection for companies that developed antiterrorism technologies – including cybersecurity technologies and programs – and then passed a rigorous process administered by the U.S. Department of Homeland Security.

Since the Las Vegas shooting, more than 400 victims have sued MGM Resorts International and Live Nation, organizer of the music festival. 

Until recently, those lawsuits proceeded as expected: state law claims sounding in negligence, wrongful death, and related claims.

But last month, those cases took an unexpected turn when MGM commenced an aggressive legal strategy of its own: it filed declaratory judgment actions against the victims of the shooting (both those who had already brought claims, and those who had not) and filed motions to remove the cases already pending to federal court. MGM’s legal maneuver hinges on the interpretation of the SAFETY Act.

By its terms, the act provides sweeping liability protections for companies that develop innovative security products and services that meet with DHS’s approval. The act caps the amount of damages victims can recover and permits only a single lawsuit or “federal cause of action” when there’s an “act of terrorism” and a Safety Act qualified product or service is involved. The statute is generally understood to only apply where the Secretary of Homeland Security has declared an “act of terrorism,” whether it be an act of mass physical violence or a large scale cyberattack.

MGM’s recent legal maneuvers are premised on the argument that the hotel hired a security firm with Safety Act certification to safeguard the concertgoers who were attacked. By doing so, MGM argues, it should also receive the law’s benefits and not suffer any legal exposure, regardless of any fault on its part that is unrelated to its retention of the DHS-certified firm. MGM concedes in its court filings that there is scant legal authority, aside from the text of the statute and regulations themselves, to support its position that the Safety Act’s protections extend to a buyer of the security firm’s services.

MGM’s position is novel and, some might say, aggressive in at least two critical ways. First, on its face, the act’s coverage is linked to the occurrence of an “act of terrorism,” which is an event declared by the Secretary of Homeland Security to fit the statutory framework. DHS has made clear that the “Act does not limit liability for harms caused by anti-terrorism technologies when no Act of Terrorism has occurred.” While MGM claims that the security firm at issue has requested an “act of terrorism” declaration from DHS, no such declaration has been made. And second, according to the victims, their claims against MGM do not seek to recover for any failure of the security firm at issue, but rather for alleged failures by MGM’s in-house security team in allowing the gunman to spend days creating a virtual armory in his suite in the Mandalay Bay hotel.

In July, MGM asked the Panel on Multidistrict Litigation to consolidate more than a dozen suits filed in connection with the shooting before a single federal court.  In its motion papers, MGM argued that “[c]entralization is particularly important in light of the novel question of federal law presented in these actions regarding the scope of the federal SAFETY Act.”  MGM’s motion for consolidation is scheduled for oral argument before the MDL Panel in San Francisco on September 27.

The MGM lawsuits – however decided – will have potentially far-reaching consequences for every company that has received the Safety Act’s protections, whether for physical or cybersecurity products or services, and will help define the scope of protection provided by the law. We will continue to report on these lawsuits, and other developments around the Safety Act.