Data Security Law Blog

MGM’s Fight for SAFETY Act Protection Takes a Timeout

MGM Resorts International has hit the pause button in its gambit to shield itself from liability stemming from the October 2017 shooting at the Mandalay Bay Hotel in Las Vegas.

As we reported previously, MGM has brought more than a dozen declaratory judgment lawsuits against the victims in the deadliest mass shooting in modern U.S. history, arguing that claims against the casino giant are barred by federal law. MGM has released a statement saying it hopes to avoid years of litigation by exploring potential settlement options, and adding that “years of protracted litigation is in no one’s best interest.”

Federal judges have signed off on the parties’ agreement to put all court action on hold in favor of private mediation.

MGM’s move is hardly surprising given the stakes involved in litigating the first-ever lawsuits brought under the federal law at issue – the Support Anti-Terrorism by Fostering Effective Technologies Act of 2002 or the SAFETY Act. The SAFETY Act provides liability protections for Department of Homeland Security-approved technologies that help in the fight against terrorism: those technologies range from, for example, infrastructure for enhanced air traffic management and security to corporate policies and procedures to secure digital networks from cyber intrusions. By mediating the MGM cases, the parties seek to avoid litigating difficult issues of first impression that would set the only judicial precedent under the SAFETY Act.

The agreement to seek mediation comes after the federal Panel on Multidistrict Litigation denied MGM’s request to consolidate the thirteen federal suits regarding the shooting – nine declaratory judgment actions brought by MGM and four individual negligence actions naming MGM as a defendant – that are pending.  The MDL panel denied MGM’s request in large part because there were simply not enough cases pending to justify centralization and, in the MDL Panel’s view, “it is possible that, instead of expanding, the federal litigation will lose its multidistrict character or cease altogether.”

Beyond consolidation of the cases, attorneys for MGM and four of the victims fought over whether the plaintiffs’ individual negligence cases should be removed – or moved – from Nevada state court to federal court.

That argument highlighted three critical issues regarding SAFETY Act protections, each of which will, no doubt, play a central role in future SAFETY Act litigation.

Exclusive Federal Jurisdiction

As a threshold question in the removal argument, the court pressed MGM’s lawyers on whether litigation under the SAFETY Act must be in federal court. The text of the SAFETY Act provides for original and exclusive federal jurisdiction for claims “arising out of, relating to, or resulting from an act of terrorism when qualified anti-terrorism technologies have been deployed in defense against or response or recovery from such act and such claims result or may result in loss to the Seller.”

During the argument, the court focused on the applicability of this provision at length with MGM’s counsel, not only seeking to identify evidence that each of the jurisdictional elements was satisfied, but also parsing the requirements for coverage of the Act’s substantive protections—such as whether MGM’s contractor had the requisite liability insurance—to determine whether the court had jurisdiction. To that end, the court ordered jurisdictional discovery followed by supplemental briefing on the jurisdictional issue, which is now on hold pending mediation.

The court also noted an apparent disconnect between the two core sections of the law delineating the scope of substantive coverage and jurisdiction: on the one hand, the law provides that a federal cause of action can only be brought for injuries that are “proximately caused by sellers” of qualified anti-terrorism technology. On the other, language requiring proximate causation is absent in the law’s section granting district courts with jurisdiction over SAFETY Act claims.

Who Gets the Act’s Benefits?

The court raised two additional points that lie at the heart of the SAFETY Act. The Act describes liability protection and litigation management benefits arising from “claims for injuries that are proximately caused by sellers that provide qualified anti-terrorism technology.” The regulations promulgated by DHS provide that “[s]uch cause of action may be brought only against the Seller of the Qualified Anti-Terrorism Technology and may not be brought against the buyers, the buyers’ contractors, or downstream users of the Technology, the Seller’s suppliers or contractors, or any other person or entity.” MGM’s litigation position is that the statute itself allows for its protections to extend beyond only “sellers,” so long as the relevant injuries were proximately caused by the seller. As a practical matter, MGM’s argument is that, despite the fact that it has never earned a designation or certification under the SAFETY Act, it is entitled to the Act’s protections because it had hired a security contractor that deployed its own DHS-designated technology during the festival that became the target of the shooting. The judge and the parties explored this question in depth, including whether DHS – and its regulations – would be entitled to Chevron deference in interpreting the Act.

Declaration that Shooting was an Act of Terrorism

Finally, the parties sparred over whether MGM could use the Act as a shield without a formal declaration by the Secretary of Homeland Security that the 2017 shooting was an “act of terrorism.” The Act provides three requirements for an incident to qualify as an act of terrorism: the act must be unlawful, it must cause harm in the United States, and it must involve “instrumentalities, weapons or other methods designed or intended to cause mass destruction.”

DHS has not issued a determination as to whether the Mandalay Bay shooting qualifies as an act of terrorism. But in July 2018, DHS issued a statement acknowledging that the DHS Secretary possesses the authority to make such a determination, and to date, has not don so with respect to the Las Vegas shooting.

For now, however, these questions will remain unanswered, pending the outcome of mediation.  Although MGM may be the first to assert a defense under the SAFETY Act, it is unlikely to be the last.  The Act has the potential to provide protections to a broad range of companies and services, including those aimed at defending against cyber intrusions.  We will continue to monitor the MGM cases and report on developments regarding the SAFETY Act.