Locaria and Wool said they do not think that H.R. 3696 would provide the kind of liability protection for critical-infrastructure industrial-control-systems and applications-layer software that Stockton advocates. The bill would define a “qualified anti-terrorism or cybersecurity technology” (QATT) in essentially the same terms used in the current definition.
“As a result, there is no indication that ICS or other application developers' technologies would be covered unless they were intended for the 'specific purpose' of preventing, detecting, identifying, or deterring acts of terrorism or qualifying cyber incidents, or limiting the harm such acts might otherwise cause,” they added.
“An application that did receive designation or certification under the SAFETY Act would, of course, have a huge market differentiator, as all entities that purchase and implement the application are free from liability arising from attacks that qualify as acts of terrorism or qualifying cyber incidents – the only proper defendant in those cases would be the software developer, whose liability would be either limited or entirely eliminated depending on the level of protection granted by DHS,” said Locaria and Wool. “Coverage under the SAFETY Act can also reduce cyber insurance premiums, serve as a defense to accusations of negligence even where an incident does not qualify under the Act, and boost a product's reputation in the marketplace, among other benefits.”