Emily Huang | MTTLR

Practicing SAFETY: A “New” Way for Companies to Manage Cyber-Risk

MGM Resorts International stunned and enraged many after it filed a countersuit against the victims of the 2017 mass shooting in Las Vegas. MGM’s litigation launched into the public spotlight the theretofore obscure “Support Anti-Terrorism by Fostering Effective Technologies Act of 2002,” better known as the SAFETY Act. MGM planned to argue that the statute precludes a finding of liability on its part because MGM’s hired security company was publicly certified under the SAFETY Act. The legal question of whether the Act applied under these circumstances would have been a case of first impression, but the parties are now in mediation and there is a stay on all pending litigation related to the shooting. The SAFETY Act is still bound to make headlines in the years to come, but likely for its impact on cyber-terrorism rather than physical terrorism. After 9/11, Congress enacted the SAFETY Act to incentivize “the development and deployment of anti-terrorism technologies by creating [for such companies] a system of ‘risk management’ and a system of ‘litigation management’.” The Act, which gives regulatory authority to the Department of Homeland Security, provides three levels of substantial legal protection: Designation, DT&E Designation, and Certification. These protections include a cap on third-party liability resulting from physical and cyber acts of terrorism. Moreover, the Act also specifies the seller of a given “technology” as the proper defendant in a lawsuit stemming from a particular act of terrorism. This provision is known as the “government contractor defense” and effectively provides a liability shield for the consumers of a given “technology.” In the MGM lawsuit, for instance, MGM’s lawyers contended that the...

Mr. “Steal-Your-[Company’s Consumer Data]”: Cyber-Risks and Corporate Governance

Private entities and their directors cannot afford the cost of inaction in addressing cyber-attacks. As SEC Commissioner Luis A. Aguilar stated during a Public Statement on The Commission’s Role in Addressing the Growing Cyber-Threat, cyber-attacks on enterprises such as financial institutions and government agencies are becoming increasingly frequent and more sophisticated. In fact, according to the SEC’s Division of Intelligence’s list of global threats, this particular threat surpasses even terrorism. The cost of inaction can be significant. For example, there is the looming threat of litigation and potential liability for failing to implement adequate steps to comply with fiduciary duties in preventing cyber-attacks. There is the substantial threat of financial and reputational risks for both corporations and government agencies. There is also the risk of harm to an entity’s ability to grow, innovate, and, in turn, gain or maintain customers. Further, cybersecurity threats victimize the national and economic security of the United States by exploiting the connectivity of critical infrastructure systems. Fortunately, there are major steps that companies can take to mitigate cyber-risk. Back in June 2014, Commissioner Aguilar provided recommendations when he spoke at the New York Stock Exchange’s Conference, “Cyber Risks and the Boardroom.” In addition to spending sufficient time and resources to address cybersecurity issues, boards and their directors should be “asking themselves what they can, and should, be doing to effectively oversee cyber-risk management.” Boards should also focus on key oversight activities, such as assigning specific roles and responsibilities for privacy and security and concerning themselves with receiving frequent reports on data breaches and IT risks. In February 2014, the National Institute of Standards and...