Companies that are victims of cyberattacks increasingly find themselves also targeted by plaintiffs’ lawyers, who bring lawsuits alleging their security measures were negligent. Anthem Inc. last year agreed to pay $115 million to customers affected by an attack believed to have been perpetrated by a foreign government. Computer chip manufacturers have faced dozens of lawsuits based on the mere prospect that consumers will suffer damage from hacking.
Such lawsuits are more than a costly nuisance. They paralyze security innovation and expansion. Fortunately Sen. Steve Daines of Montana has introduced a bill that can stem this tide by clarifying that an existing federal liability-management law applies specifically to cyberattacks.
The Support Anti-Terrorism by Fostering Effective Technologies Act of 2002, known as the Safety Act, is one of the most successful post-9/11 antiterror measures. Companies voluntarily submit information to the Department of Homeland Security in order to demonstrate that their security products or services are safe, well-constructed, regularly updated, and effective.
Once an applicant has passed the department’s rigorous examination process, it is eligible to have any civil culpability for “contributing to the success” of an attack limited to a set dollar figure. That creates an incentive to develop effective security products and services, ranging from bomb-sniffing dogs to exquisitely prepared security plans. All have received Safety Act protections over the past 15 years.
But cybersecurity vendors are sorely underrepresented in the list of Safety Act awardees. There is little mystery why: Federal courts can allow the use of Safety Act protections only after the Homeland Security Secretary has formally declared that an “act of terrorism” has occurred. Vendors misunderstand that and assume the act has to be committed by a recognized terrorist group such as al Qaeda or Islamic State. But in fact it’s the act, not the actor, that defines terrorism.
Mr. Daines’s proposal would clarify the point by giving the homeland security secretary the authority to trigger the Safety Act after a “cyber incident”—no reference to terrorism required. That small change would overcome an unfounded and harmful belief.
Making the Safety Act’s protections apply explicitly to cyberattacks is consistent with its purpose: ensuring the widespread availability of affordable and effective security. With Mr. Daines’s language in place, more thoroughly vetted companies would be available to help build solid cybersecurity programs without worrying about endless, pointless litigation.
The Cyber Safety Act is a rare bird in Congress: a virtual no-brainer. The cybersecurity community’s hesitance to embrace the 2002 Safety Act because of an overly fussy reading of the term “act of terrorism” cannot continue. If it does, the Safety Act will remain sitting on the virtual sidelines, making the fight against cyberattacks all that much tougher.