In a March 11, 2014 article, Inside Cybersecurity quoted Venable partner Dismas Locaria and associate Jason Wool on how the Support Anti-Terrorism by Fostering Effective Technologies Act of 2002 (SAFETY Act) applies to infrastructure software developers in cyber attacks. A proposed House bill, H.R. 3696, says the Act – as it is currently written – offers liability coverage to these developers. While some analysts agree with this take on the SAFETY Act, others, like former Pentagon homeland-defense chief Paul Stockton, disagree, arguing that the Act needs to be updated to provide relief to makers of critical infrastructure industrial control systems and applications-layer software.
Locaria and Wool said they do not think that H.R. 3696 would provide the kind of liability protection for critical-infrastructure industrial-control-systems and applications-layer software that Stockton advocates. The bill would define a “qualified anti-terrorism or cybersecurity technology” (QATT) in essentially the same terms used in the current definition.
“As a result, there is no indication that ICS or other application developers' technologies would be covered unless they were intended for the 'specific purpose' of preventing, detecting, identifying, or deterring acts of terrorism or qualifying cyber incidents, or limiting the harm such acts might otherwise cause,” they added.
“An application that did receive designation or certification under the SAFETY Act would, of course, have a huge market differentiator, as all entities that purchase and implement the application are free from liability arising from attacks that qualify as acts of terrorism or qualifying cyber incidents – the only proper defendant in those cases would be the software developer, whose liability would be either limited or entirely eliminated depending on the level of protection granted by DHS,” said Locaria and Wool. “Coverage under the SAFETY Act can also reduce cyber insurance premiums, serve as a defense to accusations of negligence even where an incident does not qualify under the Act, and boost a product's reputation in the marketplace, among other benefits.”
Locaria and Wool said they do not think that H.R. 3696 would provide the kind of liability protection for critical-infrastructure industrial-control-systems and applications-layer software that Stockton advocates. The bill would define a “qualified anti-terrorism or cybersecurity technology” (QATT) in essentially the same terms used in the current definition.
“As a result, there is no indication that ICS or other application developers' technologies would be covered unless they were intended for the 'specific purpose' of preventing, detecting, identifying, or deterring acts of terrorism or qualifying cyber incidents, or limiting the harm such acts might otherwise cause,” they added.
“An application that did receive designation or certification under the SAFETY Act would, of course, have a huge market differentiator, as all entities that purchase and implement the application are free from liability arising from attacks that qualify as acts of terrorism or qualifying cyber incidents – the only proper defendant in those cases would be the software developer, whose liability would be either limited or entirely eliminated depending on the level of protection granted by DHS,” said Locaria and Wool. “Coverage under the SAFETY Act can also reduce cyber insurance premiums, serve as a defense to accusations of negligence even where an incident does not qualify under the Act, and boost a product's reputation in the marketplace, among other benefits.”