Can A SAFETY Act Designated Product Provide Cyber-Attack Liability Protection?
“So if you use FireEye’s product you basically are prevented from being sued in the criminal justice system of America, which can save a lot of money.”
According to CEO Dave DeWalt’s recent comments, it sounds like the U.S. Government stamped FireEye with a seal of approval — a ringing endorsement that’s worth a closer look. FireEye, Inc. was issued “Certification” under the SAFETY Act for its Multi-Vector Execution (MVX) Engine and Cloud Platform. It isn’t the only SAFETY Act approved technology; DHS’s website lists hundreds of others. The SAFETY (Support Anti-Terrorism by Fostering Effective Technologies) Act was part of the enormous Homeland Security Act of 2002 that reshuffled several government agencies and created the behemoth Department. According to the SAFETY Act website, it “provides important legal liability protections for providers of Qualified Anti-Terrorism Technologies – whether they are products or services.” It was enacted to provide “incentives for the development and deployment of anti-terrorism technologies by creating a system of ‘risk management’ and a system of ‘litigation management.’”
The Act allows applicants to seek certain DHS designations for a technology or a service that is classified as “Qualified Anti-terrorism Technology,” or QATT. See 6 U.S.C. §§ 441, 444. If the QATT receives the designation, then the Act may protect or immunize the seller and even downstream users of the technology from liability under certain conditions. There are three designations that provide increasing levels of protection: 1) Developmental Testing and Evaluation (DT&E) Designation; 2) Designated; and 3) Certified. The protections include, among other things, caps on liability, a bar on punitive damages and prejudgment interest, federal jurisdiction over claims, and perhaps most importantly, the ability to invoke the “government contractor defense,” which can potentially immunize sellers from liability for certain claims. See 6 U.S.C. § 442(d); 6 CFR §§ 25.7, 25.8. These significant protections are triggered only by a cyber-attack arising from an “act of terrorism,” which essentially is defined as an unlawful act that is intended to cause mass destruction to a person or property in the United States, as determined by the Secretary of DHS. See 6 U.S.C. § 444; 6 CFR § 25.2.
The extent of the Act’s real world application in litigation is still unclear, however. The North Korean cyber-attack on Sony is a prime example. Sony is currently facing several class actions by former employees. Even though President Obama issued an Executive Order imposing economic sanctions on the isolated regime for a state-mounted “all-out assault on a movie studio because of a satirical movie starring Seth Rogen,” the Secretary of DHS has not yet designated the cyber-attack as an “act of terrorism.” It is not clear whether Sony was using SAFETY Act technology, and in any event, it remains to be seen what kind of “act of terrorism” will ultimately trigger its protections.