The SAFETY Act: Providing Critical Liability Protections For Cyber And Physical Security Efforts

Since September 11, 2001, Americans have been keenly aware of the need to better protect both the people and assets of the United States from those who may be intent on doing us harm. We have seen, and largely accepted, increased physical security measures at airports, government facilities, and even sporting event venues. Requirements that once would have seemed a gross invasion of privacy are now commonplace. Some of these requirements were federally mandated; however, because the private sector owns and operates the vast majority of critical infrastructure, the government has been reluctant (or perhaps unable) to impose sweeping security measures across all swaths of life. Nevertheless, despite the cost of some of these measures, we have seen the private sector increase physical security efforts in an effort to better protect the public and manage the risk of liability that could arise from an attack. In some instances, these measures were also implemented to obtain a little-known government "carrot," namely liability protection under a federal statute referred to as the SAFETY Act (or "Act").

We have been recently bombarded with both fact and fiction about the vulnerabilities of our critical infrastructure to cyber intrusion and attack. Some in Congress have sought to adopt comprehensive cybersecurity regulation, but legislative efforts to adopt such regulation have fallen short. In lieu of mandatory regulation, the federal government has sought to encourage owners and operators of critical infrastructure to adopt baseline cybersecurity measures to protect their assets, primarily through the adoption of a new Cybersecurity Framework by the National Institute of Standards and Technology ("NIST"). In its promotion of the NIST Cybersecurity Framework, the government has sought to identify incentives for owners and operators of critical infrastructure to adopt the framework. The SAFETY Act is one of the few tools in the government's toolbox that can provide concrete, achievable benefits for owners and operators of critical infrastructure. In this context, the SAFETY Act may also serve not only to incentivize the improvement of an organization's cybersecurity, thereby better protecting its assets, but may also benefit the organization at-large, in non-terror contexts.

The SAFETY Act

In the wake of 9/11, Congress passed the Homeland Security Act of 2002 with a little known section called the "Support Anti-Terrorism by Fostering Effective Technologies Act of 2002," or the "SAFETY Act."1 The purpose of the SAFETY Act was to encourage the development and deployment of anti-terrorism products and services (collectively referred to by the statute and herein as "technologies") by granting various risk management protections.

The SAFETY Act, when enacted, held tremendous promise for protecting sellers of new, as well as established, technologies that were needed to combat terrorism and remove impediments to bringing such technologies to and/or maintaining their place in the market. It did so by establishing two levels of protection from third-party liability - Designation and Certification - that may arise from injury, loss of life, or damage to property or businesses arising...