Businesses Should Consider the SAFETY Act a Core Part of Their Ransomware Defense Program
- The SAFETY Act, a liability management program managed by the Department of Homeland Security, can be used by businesses to limit or eliminate potential liability associated with ransomware attacks.
- To take advantage of liability protections, companies must proactively submit a SAFETY Act application with the Department of Homeland Security.
- Companies can also limit potential ransomware-related liability by purchasing SAFETY Act-approved products or services.
11.29.22 - Since its passage two decades ago, the Support Anti-terrorism by Fostering Effective Technologies Act of 2002 (the SAFETY Act) has been one of the most successful liability management programs offered by the Department of Homeland Security (DHS). The ongoing wave of ransomware attacks on American businesses—particularly on critical infrastructure owners and operators—offers yet another opportunity to utilize the SAFETY Act to harden defenses against potentially devastating cyberattacks while simultaneously using a federal safe harbor against claims of allegedly insufficient cybersecurity programs.
Background on the SAFETY Act
Under the SAFETY Act, any product or service (i.e., a technology) that can be used in part or in whole to deter, defend against, respond to, mitigate, or otherwise combat terrorist attacks—including cyberattacks—is eligible to receive specific liability protections. To receive these protections, the effectiveness of these technologies is evaluated and approved by DHS’s Office of SAFETY Act Implementation (OSAI).
The liability protections come in two forms: “Designation” and “Certification.”
Designation protections include:
- Exclusive federal jurisdiction over all claims arising out of or related to an “act of terrorism” that involve a SAFETY Act-approved product or service;
- A bar on punitive damages;
- A bar on prejudgment interest; and
- A cap on third-party tort liability for claims arising out of or related to the act of terrorism equal to some portion of the SAFETY Act-approved seller’s/deployer’s insurance policy.
Certification protection provides:
- All the same liability protections as a Designation; and
- A rebuttable presumption of immediate dismissal of any terrorism-related claims.
If a technology has SAFETY Act Certification, Plaintiffs can only defeat the above presumption of dismissal by: (a) showing fraud or willful misconduct in the submission of a SAFETY Act application to DHS or; (b) demonstrating that the claims do not relate to the SAFETY Act-approved product or service.
These protections are intentionally powerful: Congress created the SAFETY Act to ensure the wide-scale deployment of effective and useful security products and services to reduce the likelihood of terrorist attacks. The SAFETY Act aims to encourage the development of innovative technologies to decrease terrorist attacks, rather than bolster legal disputes over which private party should be held liable for the attack.
How Does the SAFETY Act Apply to Ransomware Defenses?
SAFETY Act applications have been approved for a variety of security tools and services, ranging from bomb-sniffing dogs to internal policies and procedures for in-house security programs. A variety of cybersecurity technologies have also received SAFETY Act protections, including cybersecurity planning methodologies and tools designed to identify new or previously unidentified malware.
In each SAFETY Act application, DHS must first decide the threshold question—whether the product or service is eligible for SAFETY Act coverage. Generally, a technology is eligible for coverage if it in some way deters, defeats, responds to, or mitigates a serious threat. If the technology does, DHS then proceeds with a technical review of the submission to determine whether the product or service is indeed “effective,” among other related criteria.
Consistent with that history, companies that have developed anti-ransomware products or services should be eligible for SAFETY Act protections if they can specifically identify how their product or service addresses ransomware threats.
Examples of anti-ransomware capabilities that would fit into the mold of past SAFETY Act awards includes:
- Tools designed to identify or stop ransomware at system perimeters;
- Software intended to slow or stop the spread of ransomware that has penetrated systems;
- Secured backup programs designed to allow for quick recovery from ransomware damage; and
- General ransomware incident response policies and procedures.
How Can Companies Obtain SAFETY Act Protections for Ransomware Defenses?
There are two primary ways companies can obtain SAFETY Act protections that would apply in the event of a ransomware attack.
First, as noted above, companies can apply for SAFETY Act protections. In this application, the company must provide specific details regarding the capabilities and operations of the anti-ransomware product or service they are seeking protections for under the SAFETY Act. This will likely include specific information on:
- The individual components of the product or service;
- How the product or service was developed;
- How the product or service is quality checked before it is deployed;
- Evidence that proves that the product or service is “effective;”
- Processes used to continually improve the product or service; and
- Associated training, service, updates, and other ongoing “quality control” offerings.
OSAI may wish to undertake additional outreach to ensure that developers of cybersecurity technologies take advantage of SAFETY Act protections.
The second way companies can take advantage of SAFETY Act protections is by purchasing anti-ransomware products or services from companies that hold SAFETY Act Designation or Certification awards. Under the statute, awards carry “flow down” protections meaning that only the seller of the SAFETY Act-approved product or service—not the customer or end user of that technology—may face third-party tort claims for the performance or non-performance of an approved technology. Companies worried about ransomware attacks should look into purchasing SAFETY Act-approved cybersecurity solutions as another way to limit their potential exposure to ransomware-related liability.
How To Get Started with The SAFETY Act Application Process
Pillsbury’s SAFETY Act Liability Management Team has helped over 100 applicants successfully obtain SAFETY Act protections. Pillsbury’s team is prepared to assist anyone looking to determine how they can utilize the process to minimize liability stemming from a ransomware attack. Please contact Pillsbury’s SAFETY Act team for further information.