Liability for a cyber attack is not limited to the attackers. An attack may be foreseeable in some circumstances, and the failure of the target or the other entities to take steps to prevent the attack can constitute a breach of duty to injured victims. In the absence of the protections provided by the Support Anti-Terrorism By Fostering Effective Technologies (SAFETY) Act, a cyber attack on a chemical facility could give rise to a number of common-law tort and contract claims against the target of the attack and other entities, potentially including the target’s cyber security vendors. This article discusses claims that might arise in various cyber attack scenarios and the effect of the SAFETY Act on these potential claims.
The SAFETY Act is a tort liability management statute that was passed as part of the Homeland Security Act of 2002. Under the SAFETY Act, entities that sell or otherwise deploy products that can be used to deter, defend against, respond to, mitigate, or otherwise combat “acts of terrorism” are eligible to receive liability protections. These liability protections can take the form of jurisdictional defenses, a cap on liability, or a presumption of immediate dismissal of third-party liability claims.
This article reviews several scenarios to examine whether liability could be found against companies that make cyber security tools or against entities that purchase such tools. The article then examines how the SAFETY Act could be utilized to mitigate or eliminate such liability.
Brian E. Finch and Leslie H. Spiegel,
Litigation Following a Cyber Attack: Possible Outcomes and Mitigation Strategies Utilizing the Safety Act,
30 Santa Clara High Tech. L.J. 349
Available at: https://digitalcommons.law.scu.edu/chtlj/vol30/iss3/1