DHS Anti-Terrorism Program Could Provide Cyberattack Liability Protection

The SAFETY Act can offer a layer of legal protection for cyber security vendors, providers, and enterprise security policies in the wake of an attack, an attorney says.

MIRCon -- Washington, D.C. -- A little-known Department of Homeland Security program for providing liability protection to US firms in the wake of terrorist or other attacks could also provide shelter for firms facing legal action in the wake of a cyberattack.

Brian Finch, a partner with the law firm Pillsbury Winthrop Shaw Pittman LLP and a cybersecurity legal expert, says the DHS's so-called SAFETY Act, which protects certified providers of anti-terrorism products and services, also can apply to providers of cyber security products and services -- and even to the cybersecurity policies of major corporations in the event of an attack.

Most private lawsuits against companies that have suffered data breaches have so far been dismissed because the plaintiffs fail to prove that the breach caused them harm, Finch said in a presentation here yesterday. "Consumers just get a new credit card. It's annoying, but I haven't suffered any harm" when a credit card is stolen in a breach. Even so, organizations need to prepare for litigation.

He warns that "cleanup lawyers" are beginning to take note of the potential for making money off data breach litigation. "You had better prepare. There are deep pockets in this room, so you are going to be sued" if you get breached, because the legal maneuvers are not going to stop.

Finch told Dark Reading in an interview that the DHS's SAFETY Act has mostly been underutilized for cyber security purposes, but awareness is growing. "It would be more helpful in a 'black swarm' event, where you suffer physical damage or loss of life with a cyberattack, versus just credit cards." Financial services firms or oil and gas companies would be prime candidates for coverage under the act.

He says the SAFETY Act, which was created in 2002 by the DHS to foster anti-terrorism technology development, applies to corporate security policies, as well, therefore protecting a SAFETY Act-certified corporate entity from liability in the wake of a big breach.

Richard Bejtlich, chief security strategist for FireEye, says the "terror" association with the statute likely explains its obscurity to the cyber security sector thus far.

There are two levels of certification, each of which requires an application to, and review by, the DHS. "So long as the impact is felt in the US financially or physically, liability protections are available," Finch said. "That statute covers cyberattacks… and you don't need to prove it was a terrorist group" or any specific adversary.

One level of certification provides a cap on liability, while the other provides immunity from liability. This second certification entitles a lawsuit to be dismissed, he said, even if "someone [in your organization] missed a step."

But a SAFETY Act certification would not replace cyberinsurance; rather, it would go hand in hand with such a policy. "You want to have cyberinsurance anyway," he says. "This would cut [costs] of litigation and use insurance to cover any losses you suffered yourself."

To date, most firms certified under the SAFETY Act have offered physical security services or products, such as Morphix Technologies, which sells a chemical detection device. However, MorphoTrust USA, a document authentication vendor, is also certified. Finch estimates that cyber security products account for less than 3% of SAFETY Act applications.

In the meantime, data breaches are getting more executive and board-level attention than ever, mostly thanks to high-profile attacks at Target and other big brands. That attention now extends to planning how to respond in the event of a breach.

Kevin Mandia, COO of FireEye Mandiant, maintains that security has already become a board of directors issue, whether companies are ready or not. "Normally, we're meeting with a board after a breach," he said here in his keynote address. But boards should become involved prior to a breach.

"Every single person is on the clock during a breach. A bunch of CISOs are losing their job," Mandia said. "We ask boards: How good do you want to be" when their firm gets breached.

Finch concurs that many executive boards still don't fully understand cyber security risks. "When I'm talking to the C-suite or board, [many times] they truly don't understand what cyber security is all about and what a cyberthreat looks like." They are "aghast" when he tells them a breach or successful attack is inevitable.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.

Marilyn Cohodas, User Rank: Strategist
10/9/2014 | 8:36:21 AM
Certification process
The SAFETY Act sounds like a pretty useful safety net for specific market segments. Curious about the certification process. Is it mostly a paper trail?