Whether it’s a new data breach, a scary new vulnerability to cyberattack, or fears of election meddling, it is more important than ever for U.S. authorities to have the tools they need to stop or mitigate cyber aggression.
It is also essential for the government to harness the expertise and innovation of the private sector.
This is where the SAFETY Act has played a significant role. Originally developed to spur security tools and services to counter terrorism, the SAFETY Act provided certain products with liability protections following an “act of terrorism.” This meant that if a certain cyber product failed to prevent an attack, the producers of that product would be protected from liability lawsuits.
This protection came in two forms: “designation” and “certification.” “Designation” provides:
- Exclusive federal jurisdiction over all claims arising out of or related to an “act of terrorism” that involve a SAFETY Act-approved product or service;
- A bar on punitive damages;
- A bar on prejudgment interest; and
- A cap on liability for claims arising out of or related to the act of terrorism equal to some portion of the SAFETY Act–approved seller’s/deployer’s insurance policy.
A “certification” provides the same protections but goes further, adding a rebuttable presumption of immediate dismissal of terrorism-related claims. This would create a direct path for producers to have liability claims dismissed.
These liability protections give powerful assurance to innovators that they will not end up entangled in legal disputes. Congress wanted to incentivize the development of security products to help keep the U.S. safe. Without these liability protections, innovation would have been chilled.
The SAFETY Act references “acts of terrorism,” and that definition was written so broadly that even cyber attacks can qualify for its protections. Indeed, a few cybersecurity products and services have already received such protections.
To help expand this pool of products and services, Congress should make it clear that the SAFETY Act applies to cyber attacks. The same underlying factors and requirements (such as unlawfulness, actual harm, etc.) would still apply, but the secretary of homeland security would be allowed to declare an event a “cyber incident”—a more apt term than “act of terrorism” for cyber attacks.
While they’re at it, Congress should also look to expand the SAFETY Act to apply to other countries that have companies working in this space. Israel would be a good candidate, given its vibrant security industry and fairly similar legal system. Additional candidates could include other allies like Canada and the United Kingdom.
Cyber threats will only grow as our world becomes more and more digital. Now is the time to expand cyber security through the SAFETY Act.
This piece originally appeared in the Daily Signal