Liability for a cyber attack is not limited to the attackers. An attack may be foreseeable in some circumstances, and the failure of the target or the other entities to take steps to prevent the attack can constitute a breach of duty to injured victims. In the absence of the protections provided by the Support Anti-Terrorism By Fostering Effective Technologies (SAFETY) Act, a cyber attack on a chemical facility could give rise to a number of common-law tort and contract claims against the target of the attack and other entities, potentially including the target’s cyber security vendors. This article discusses claims that might arise in various cyber attack scenarios and the effect of the SAFETY Act on these potential claims.

The SAFETY Act is a tort liability management statute that was passed as part of the Homeland Security Act of 2002. Under the SAFETY Act, entities that sell or otherwise deploy products that can be used to deter, defend against, respond to, mitigate, or otherwise combat “acts of terrorism” are eligible to receive liability protections. These liability protections can take the form of jurisdictional defenses, a cap on liability, or a presumption of immediate dismissal of third-party liability claims.

This article reviews several scenarios to examine whether liability could be found against companies that make cyber security tools or against entities that purchase such tools. The article then examines how the SAFETY Act could be utilized to mitigate or eliminate such liability.



To view the content in your browser, please download Adobe Reader or, alternately,
you may Download the file to your hard drive.

NOTE: The latest versions of Adobe Reader do not support viewing PDF files within Firefox on Mac OS and if you are using a modern (Intel) Mac, there is no official plugin for viewing PDF files within the browser window.