In an August 6, 2014 article, Inside Cybersecurity quoted Venable partners Dismas Locaria and Brian Zimmet, and associate Jason Wool on their recommendations for owners and operators of critical infrastructure in dealing with cyber threats. In a Venable-hosted webinar on Tuesday: “Managing Liabilities from Cyber Threats Using the SAFETY Act,” they said that owners and operators of critical infrastructure should manage liability risks stemming from potential cyber attacks by adopting the federal framework of cybersecurity standards and pursuing liability protections under the Support Anti-Terrorism by Fostering Effective Technologies Act of 2002.
The cybersecurity framework, which was developed by the National Institute of Standards and Technology in response to President Obama's cybersecurity executive order, is making it easier to define a standard of care, said Zimmet. The firm urged critical-infrastructure owners and operators that might apply to the Department of Homeland Security for designation and certification under the SAFETY Act to include adoption of the federal framework as part of their application.
Companies that have their applications approved will gain the benefit of a liability cap that enables planning for a worst-case scenario, as well as immunity from liability in the case of an act of terrorism, said Locaria. SAFETY Act protections can also extend to customers of certified companies, he said. To date the law has not been invoked, nor has there been a request to invoke it, so it remains untested in that way.
Locaria noted that a bill recently passed by the House – H.R. 3696, the National Cybersecurity Infrastructure Protection Act – states that qualifying cyber incidents would also provide cause for liability protections under the SAFETY Act. But it remains uncertain whether the Senate will pass the legislation and whether it might be enacted, he said.