11.29.22 – Since its passage two decades ago, the Support Anti-terrorism by Fostering Effective Technologies Act of 2002 (the SAFETY Act) has been one of the most successful liability management programs offered by the Department of Homeland Security (DHS). The ongoing wave of ransomware attacks on American businesses—particularly on critical infrastructure owners and operators—offers yet another opportunity to utilize the SAFETY Act to harden defenses against potentially devastating cyberattacks while simultaneously using a federal safe harbor against claims of allegedly insufficient cybersecurity programs.
Background on the SAFETY Act
Under the SAFETY Act, any product or service (i.e., a technology) that can be used in part or in whole to deter, defend against, respond to, mitigate, or otherwise combat terrorist attacks—including cyberattacks—is eligible to receive specific liability protections. To receive these protections, the effectiveness of these technologies is evaluated and approved by DHS’s Office of SAFETY Act Implementation (OSAI).
The liability protections come in two forms: “Designation” and “Certification.”
Designation protections include:
Certification protection provides:
If a technology has SAFETY Act Certification, Plaintiffs can only defeat the above presumption of dismissal by: (a) showing fraud or willful misconduct in the submission of a SAFETY Act application to DHS or; (b) demonstrating that the claims do not relate to the SAFETY Act-approved product or service.
These protections are intentionally powerful: Congress created the SAFETY Act to ensure the wide-scale deployment of effective and useful security products and services to reduce the likelihood of terrorist attacks. The SAFETY Act aims to encourage the development of innovative technologies to decrease terrorist attacks, rather than bolster legal disputes over which private party should be held liable for the attack.
How Does the SAFETY Act Apply to Ransomware Defenses?
SAFETY Act applications have been approved for a variety of security tools and services, ranging from bomb-sniffing dogs to internal policies and procedures for in-house security programs. A variety of cybersecurity technologies have also received SAFETY Act protections, including cybersecurity planning methodologies and tools designed to identify new or previously unidentified malware.
In each SAFETY Act application, DHS must first decide the threshold question—whether the product or service is eligible for SAFETY Act coverage. Generally, a technology is eligible for coverage if it in some way deters, defeats, responds to, or mitigates a serious threat. If the technology does, DHS then proceeds with a technical review of the submission to determine whether the product or service is indeed “effective,” among other related criteria.
Consistent with that history, companies that have developed anti-ransomware products or services should be eligible for SAFETY Act protections if they can specifically identify how their product or service addresses ransomware threats.
Examples of anti-ransomware capabilities that would fit into the mold of past SAFETY Act awards includes:
How Can Companies Obtain SAFETY Act Protections for Ransomware Defenses?
There are two primary ways companies can obtain SAFETY Act protections that would apply in the event of a ransomware attack.
First, as noted above, companies can apply for SAFETY Act protections. In this application, the company must provide specific details regarding the capabilities and operations of the anti-ransomware product or service they are seeking protections for under the SAFETY Act. This will likely include specific information on:
OSAI may wish to undertake additional outreach to ensure that developers of cybersecurity technologies take advantage of SAFETY Act protections.
The second way companies can take advantage of SAFETY Act protections is by purchasing anti-ransomware products or services from companies that hold SAFETY Act Designation or Certification awards. Under the statute, awards carry “flow down” protections meaning that only the seller of the SAFETY Act-approved product or service—not the customer or end user of that technology—may face third-party tort claims for the performance or non-performance of an approved technology. Companies worried about ransomware attacks should look into purchasing SAFETY Act-approved cybersecurity solutions as another way to limit their potential exposure to ransomware-related liability.
How To Get Started with The SAFETY Act Application Process
Pillsbury’s SAFETY Act Liability Management Team has helped over 100 applicants successfully obtain SAFETY Act protections. Pillsbury’s team is prepared to assist anyone looking to determine how they can utilize the process to minimize liability stemming from a ransomware attack. Please contact Pillsbury’s SAFETY Act team for further information.