Practicing SAFETY: A “New” Way for Companies to Manage Cyber-Risk | MTTLR

Practicing SAFETY: A “New” Way for Companies to Manage Cyber-Risk

MGM Resorts International stunned and enraged many after it filed a countersuit against the victims of the 2017 mass shooting in Las Vegas. MGM’s litigation launched into the public spotlight the theretofore obscure “Support Anti-Terrorism by Fostering Effective Technologies Act of 2002,” better known as the SAFETY Act. MGM planned to argue that the statute precludes a finding of liability on its part because MGM’s hired security company was publicly certified under the SAFETY Act. The legal question of whether the Act applied under these circumstances would have been a case of first impression, but the parties are now in mediation and there is a stay on all pending litigation related to the shooting. The SAFETY Act is still bound to make headlines in the years to come, but likely for its impact on cyber-terrorism rather than physical terrorism.

After 9/11, Congress enacted the SAFETY Act to incentivize “the development and deployment of anti-terrorism technologies by creating [for such companies] a system of ‘risk management’ and a system of ‘litigation management’.” The Act, which gives regulatory authority to the Department of Homeland Security, provides three levels of substantial legal protection: Designation, DT&E Designation, and Certification. These protections include a cap on third-party liability resulting from physical and cyber acts of terrorism. Moreover, the Act also specifies the seller of a given “technology” as the proper defendant in a lawsuit stemming from a particular act of terrorism. This provision is known as the “government contractor defense” and effectively provides a liability shield for the consumers of a given “technology.” In the MGM lawsuit, for instance, MGM’s lawyers contended that the company was the “consumer” and the security company it had hired for the music festival was the “seller.”

The Act broadly defines “anti-terrorism technologies” as “any qualifying product, equipment, service (including support service), device, or technology (including information technology).” Thus, the term covers company security programs involving physical tactics and procedures. The National Football League, for instance, obtained DHS approval for its Best Practices Program, “a comprehensive set of guidelines for stadium security management designed to deter and defend against terrorist attacks at sports stadiums.” The Atlanta Falcons Stadium Company also obtained its own SAFETY designation for the Mercedes-Benz Stadium Security Program, which is comprised of “physical and electronic security equipment, tools, emergency planning processes and procedures, and trained personnel” to ensure safety within stadium premises.

Not only do a company’s physical security services qualify as “anti-terrorism technologies,” but so do a company’s critical infrastructure cybersecurity programs. In September 2018, DHS publicly approved certification for the Southern Company’s Cybersecurity Risk Management Program. The Southern Company, an energy firm that successfully obtained SAFETY certification, has an internal cybersecurity program that “manages cybersecurity risk through governance, strategic direction, network security and data protection, business assurance, incident response, training, and policies and guidance.”

The “first of its kind,” the SAFETY certification of the Southern Company’s program surely will not be the last. Even though acquiring DHS approval requires the applicant to undergo a rigorous process and meet demanding statutory criteria, the benefits of SAFETY protections are apparent. This is especially true for companies that collect private consumer data to conduct business, particularly considering the recent rise in hacking, data breaches, and other cybercrimes. And in light of the EU’s passage of the General Data Protection Regulation and the California Legislature’s recent enactment of the California Consumer Privacy Act, it is clear that legislative control is tightening over corporate use of sensitive information. Accordingly, companies will be heavily scrutinized in the event of a cyber-attack.

The socioeconomic ramifications of a single cyber-attack are extensive. These include financial harm, government investigations, regulatory fines, public backlash, negative industry reputation, and even shareholder lawsuits. Given that cybercrime and data-based terrorism are an increasingly prevalent aspect of digital life, all companies that operate in critical infrastructure industries should exercise responsible institutional governance. Fortunately, they can achieve this by deploying DHS-approved cybersecurity programs to protect their reputation and limit the potentially devastating effects of cyber-attacks.*

*Emily Huang is Notes Editor on the Michigan Technology Law Review. She can be reached at ehhuang@umich.edu.