Speaker 02.21.24
02.21
Legal Risks Associated with Insecure Software Development Practices
1:00PM - 3:00PM EST
11493 Sunset Hills Road
Suite 100
Reston, Virginia 20190
Service
As technology has made the world smaller, it’s also increased the reach and risk posed by terror and cyberattacks. Among its many strategies and tactics for identifying, avoiding and mitigating such risks, Pillsbury’s Global Security team brings significant experience to bear concerning one particularly effective means of protection: the Support Anti-Terrorism by Fostering Effective Technologies Act of 2002 (the SAFETY Act).
What Is the SAFETY Act?
Created to “facilitate and promote the development and deployment of anti-terrorism technologies that will save lives,” the SAFETY Act provides companies with a unique way to limit or eliminate liability in the event of an “act of terrorism” (physical or cyber). An owner or seller of “anti-terror technology,” which can be either a product or a service, may apply for significant liability protections from the Department of Homeland Security (DHS). If a product or service receives SAFETY Act “Certification,” then it is presumably entitled to immunity from tort claims arising from an act of terrorism. Under SAFETY Act “Designation,” the tort liability is limited to the amount of insurance required to be maintained (as determined by the DHS), and under both circumstances, cases may be brought only in federal court.
Why Should I Worry about Liability from Terrorist or Cyberattacks?
Since 2001, numerous courts have held that a terrorist attack is a “reasonably foreseeable” event, the possibility of which a company must take reasonable measures to mitigate or avoid. Such rulings have translated into millions of dollars in damages to victims. At the same time, the number of cyberattacks has skyrocketed across all sectors of the U.S. economy, yielding an all-too-familiar string of news reports involving data breaches and the compromise of intellectual property. As the frequency and intensity of such attacks have increased, so has the litigation resulting from them. As new rules and new standards of care come into play, it’s easy to anticipate that, just as with acts of terrorism, courts may deem cyber attacks are also “reasonably foreseeable.” Yet with both physical and virtual attacks, there exists no consistent, single definition of what exactly constitutes a “reasonable” anti-terror measure. As a result, companies who have people (employees or customers), properties, products or services that are involved in or affected by a terrorist or cyberattack can face potentially ruinous liability concerns in the aftermath.
How Can the SAFETY Act Protect Me or My Company?
Any company or property owner that makes, sells or otherwise deploys a product or service that can be used to combat terrorism can and should seek SAFETY Act protections. Examples of products and services that could qualify for SAFETY Act protections include physical security services (including risk assessments, contract security services and internal emergency planning), explosives detection devices, engineering services (including the design and construction of facilities), and cybersecurity products. As long as the product or service has some use against terrorism, it is eligible for SAFETY Act protections.
In the case of cybersecurity, the SAFETY Act is a particularly efficient means of minimizing or eliminating a company’s liability exposure before a cyberattack even occurs. Companies can apply for SAFETY Act protections and can market them knowing that their liability exposure is limited. Buyers of cybersecurity tools and services can also benefit. Under the SAFETY Act, they are not exposed to liability for claims arising out of or related to the use of the SAFETY Act-approved products or services. So long as the products or services have some use against cyber attacks, they are eligible for SAFETY Act protections.
What is Eligible for SAFETY Act Protections?
A wide variety of products and services are eligible for protections under the SAFETY Act. Examples of products and services that have received SAFETY Act protections include intelligent video systems, engineering services, risk and vulnerability assessment services, security guard services, explosives detection equipment, and building security plans. Given the prevalent need for cybersecurity tools and their widespread use by terrorists and criminals, nearly all cybersecurity products are eligible for SAFETY Act protections. This includes anti-virus programs, firewalls, mobile security systems, mobile applications, information-sharing policies and procedures, and network monitoring services.
The Pillsbury Path to Obtaining SAFETY Act Protections
Members of the Global Security team are extremely well-versed in the SAFETY Act, having prepared well over 150 applications for a wide variety of services and products. Firm attorneys regularly speak and write on the SAFETY Act, and have even testified before the House Committee on Homeland Security and SAFETY Act implementation.