Congress on cybersecurity: Recent bill limits liability

In the days leading up to its August 2014 recess, the US House of Representatives passed a number of bills aimed at strengthening cybersecurity.  Those measures include H.R. 3696—known as the National Cybersecurity and Critical Infrastructure Protection Act of 2014—which seeks to facilitate cybersecurity efforts, research, and information sharing not only among federal, state, and local governments but also between the public and private sectors.  To that end, the bill proposes potentially significant amendments to the Support Anti-terrorism by Fostering Effective Technologies Act of 2002, or the SAFETY Act, for short.  Those amendments, if enacted, could extend the SAFETY Act's liability protections to cybersecurity efforts.

In 2002, Congress enacted the SAFETY Act, as part of the Homeland Security Act, to incentivize the development and use of "qualified anti-terrorism technologies" by providing liability protections for those selling such technologies.  The Act, however, sets forth only broad parameters for defining "acts of terrorism" that trigger the liability protections.  The recently passed H.R. 3696 bill would clarify, if not alter, the SAFETY Act's application in the cybersecurity context.

Section 202 of H.R. 3696 proposes to amend the SAFETY Act by inserting the terms "cybersecurity" and "qualifying cyber incident" alongside each reference to the Act's original terms of "anti-terrorism" and "act of terrorism," respectively.  For instance, the amendment would result in the following emphasized insertions in the Act's "Extent of Liability" provision:

Notwithstanding any other provision of law, liability for all claims against a Seller arising out of, relating to, or resulting from an act of terrorism or qualifying cyber incident when qualified anti-terrorism or cybersecurity technologies have been deployed in defense against or response or recovery from such act and such claims result or may result in loss to the Seller . . . shall not be in an amount greater than the limits of liability insurance coverage required to be maintained by the Seller under this section.

See SAFETY Act § 864(c), 6 U.S.C. § 443.  If the amendment is enacted, the SAFETY Act could therefore limit liability in circumstances involving a "qualifying cyber incident" even if the incident does not meet the requirements of an "act of terrorism."

Indeed, H.R. 3696 distinguishes a "qualifying cyber incident" from an "act of terrorism" by setting forth different and more precise requirements:

  1. REQUIREMENTS.—A qualifying cyber incident meets the requirements of this subparagraph if—
    1. the incident is unlawful or otherwise exceeds authorized access authority;
    2. the incident disrupts or imminently jeopardizes the integrity, operation, confidentiality, or availability of programmable electronic devices, communication networks, including hardware, software and data that are essential to their reliable operation, electronic storage devices, or any other information system, or the information that system controls, processes, stores, or transmits;
    3. the perpetrator of the incident gains access to an information system or a network of information systems resulting in—
      1. misappropriation or theft of data, assets, information, or intellectual property;
      2. corruption of data, assets, information, or intellectual property;
      3. operational disruption; or
      4. an adverse effect on such system or network, or the data, assets, information, or intellectual property contained therein; and
    4. the incident causes harm inside or outside the United States that results in material levels of damage, disruption, or casualties severely affecting the United States population, infrastructure, economy, or national morale, or Federal, State, local, or tribal government functions.

An "act of terrorism," on the other hand, requires (i) an "unlawful" act (ii) that "causes harm . . . in the United States, or . . . in or outside of the United States" in the case of a US air carrier or vessel and (iii) that "uses or attempts to use instrumentalities, weapons or other methods designed or intended to cause mass destruction, injury or other loss to citizens or institutions of the United States."  SAFETY Act § 865(2), 6 U.S.C. § 444.

H.R. 3696 and the proposed amendment to the SAFETY Act have thus far been received positively, although the next step of the legislative process—when and whether the Senate will take up the bill—remains unclear.  One thing is certain: cybersecurity and related issues will continue to influence and affect not only national security but also private industry in this country and abroad.

