MIRCon -- Washington, D.C. -- A little-known Department of Homeland Security program that provides liability protection to US firms after terrorist or other attacks could also shelter firms facing legal action in the wake of a cyberattack.
Brian Finch, a partner with the law firm Pillsbury Winthrop Shaw Pittman LLP and a cybersecurity legal expert, says the DHS's so-called SAFETY Act, which protects certified providers of anti-terrorism products and services, also can apply to providers of cyber security products and services -- and even to the cybersecurity policies of major corporations in the event of an attack.
Most private lawsuits against companies that have suffered data breaches thus far have been dismissed because the plaintiffs could not prove the breach caused them harm, Finch said in a presentation here yesterday. "Consumers just get a new credit card. It's annoying, but I haven't suffered any harm" when a credit card is stolen in a breach. Even so, organizations need to prepare for litigation.
He warns that "cleanup lawyers" are beginning to take note of the potential for making money off data breach litigation. "You had better prepare. There are deep pockets in this room, so you are going to be sued" if you get breached, because the legal maneuvers are not going to stop.
Finch told Dark Reading in an interview that the DHS's SAFETY Act has mostly been underutilized for cyber security purposes, but awareness is growing. "It would be more helpful in a 'black swan' event, where you suffer physical damage or loss of life with a cyberattack, versus just credit cards." Financial services firms or oil and gas companies would be prime candidates for coverage under the act.
He says the SAFETY Act, which was created in 2002 by the DHS to foster anti-terrorism technology development, applies to corporate security policies as well, thereby protecting a SAFETY Act-certified corporate entity from liability in the wake of a big breach.
Richard Bejtlich, chief security strategist for FireEye, says the "terror" association with the statute likely explains its obscurity to the cyber security sector thus far.
There are two levels of certification, each of which requires an application to, and review by, the DHS. "So long as the impact is felt in the US financially or physically, liability protections are available," Finch said. "That statute covers cyberattacks… and you don't need to prove it was a terrorist group" or any specific adversary.
One level of certification provides a cap on liability, while the other provides immunity from liability. This second certification entitles a lawsuit to be dismissed, he said, even if "someone [in your organization] missed a step."
But a SAFETY Act certification would not replace cyberinsurance; rather, it would go hand in hand with such a policy. "You want to have cyberinsurance anyway," he says. "This would cut [costs] of litigation and use insurance to cover any losses you suffered yourself."
To date, most firms certified under the SAFETY Act have been providers of physical security services or products, such as Morphix Technologies, which sells a chemical detection device. However, MorphoTrust USA, a document authentication vendor, is also certified. Finch estimates that cyber security products account for less than 3% of the SAFETY Act applications.
In the meantime, data breaches are getting more executive and board-level attention than ever, mostly thanks to high-profile attacks at Target and other big brands. That attention now extends to planning how to respond in the event of a breach.
Kevin Mandia, COO of FireEye Mandiant, maintains that security has already become a board of directors issue, whether companies are ready or not. "Normally, we're meeting with a board after a breach," he said here in his keynote address. But boards should become involved prior to a breach.
"Every single person is on the clock during a breach. A bunch of CISOs are losing their job," Mandia said. "We ask boards: How good do you want to be" when their firm gets breached.
Finch concurs that many executive boards still don't fully understand cyber security risks. "When I'm talking to the C-suite or board, [many times] they truly don't understand what cyber security is all about and what a cyberthreat looks like." They are "aghast" when he tells them a breach or successful attack is inevitable.