Cyberinsurance and the SAFETY Act

Data breaches and cyberincidents will only proliferate in the years to come, and the demand for cyberinsurance has increased dramatically as companies incorporate the threat of data incidents into enterprise risk management and insurance risk transfer mechanisms. The Support Antiterrorism by Fostering Effective Technologies (SAFETY) Act (Subtitle G of Title VIII of the Homeland Security Act of 2002) can protect an entity from “enterprise threatening” liability resulting from an attack on its own facilities or an attack on a third party to which products, technologies, advice or services were provided, whether the attack is a physical attack on persons or property or an act of cyberterrorism that causes physical and/or financial harm. Cyberinsurance is still necessary, however, because a breach of data security will likely result in both what the insurance industry refers to as first-party and third-party losses.

First-party cyberinsurance coverage

First-party cyberinsurance coverage typically insures against direct monetary losses from electronic theft of funds and loss of or damage to data or software programs; and certain indirect losses sustained by a Company such as the expenses of restoring or re-creating lost, corrupted, or stolen data; business interruption costs attributed to network damage or failure; and the increased costs of operation incurred for investigating and mitigating the loss.
Among the elements of loss which are of particular concern in the case of a cybersecurity breach and must be addressed by cyberinsurance are crisis management, notifications to those affected by the cybersecurity breach, credit monitoring, forensic investigations, and the costs associated with defense of government regulatory action including government agency investigations, and the legal fees associated with the need to hire independent attorneys such as privacy counsel.

Third-party liability coverage

It is not unusual for a company to be named in litigation within days of announcing a cybersecurity breach. Comprehensive cyberinsurance must also provide coverage for the financial liability of the Company to third parties resulting from a breach of data security. This is particularly important where the Company has contractual indemnification obligations which may be triggered by corruption of third-party data or denial of access to Company systems following a cybersecurity breach.

Comprehensive general cybersecurity liability coverage

Cybersecurity insurance must now provide coverage for failure to follow cybersecurity “best practices”; for violations of privacy or consumer data protection laws; for breaches of contract, including explicit and implied agreements to protect personal information and customers’ data; for regulatory investigations arising from a cybersecurity breach; and for failures by outsourced service providers.

Cyberextortion

“Cyberextortion” includes threats to distribute malware to any and all computers and other devices which may be attached to the Company networks, including those which Company management executives may be unaware even exist, such as the special purpose computers which operate vital Company machines and processes. Other popular examples of cyberextortion include locking up data and then threatening to destroy it, and threats to publicly disclose or distribute Company confidential and proprietary information.
Cyberextortion insurance is even more critical than the “kidnap and ransom” insurance which some companies have been forced to purchase for their operations overseas.

Limiting liability: The SAFETY Act

The Support Antiterrorism by Fostering Effective Technologies (SAFETY) Act (Subtitle G of Title VIII of the Homeland Security Act of 2002) can protect an entity from “enterprise threatening” liability resulting from an attack on its own facilities or an attack on a third party to which products, technologies, advice or services were provided, whether the attack is a physical attack on persons or property or an act of cyberterrorism that causes physical and/or financial harm.
The Act provides immunities, liability protections, damage caps and other incentives for approved entities who use, supply, design, manufacture, provide or are otherwise involved in preventing, deterring, mitigating, responding to or recovering from a terrorism event. The aim is to ensure that the threat of potential liability does not limit or deter the development, manufacture, deployment, use or commercialization of products, technologies, procedures, software, system integration, advice, and services that could prevent or mitigate a terrorist attack.
There are three different “levels” of SAFETY Act protection that can be granted to the product or service that the United States Department of Homeland Security has approved as the qualified anti-terrorism technology or “QATT”: Designation; Developmental Testing & Evaluation Designation (DT&E); and the highest level, “Certification”.
The designation lasts for five years, and any technology deployed during that time is protected for the lifetime of its deployment.
Benefits provided under SAFETY Act designation include:

  • A limitation, or “cap”, on a party’s liability equal to the amount of liability insurance coverage that party is required to carry by the DHS.
  • Exclusive jurisdiction in Federal court for all related suits.
  • Punitive damage claims are barred.
  • Non-compensatory damages are barred.
  • Non-economic damages including pain and suffering, mental anguish, and loss of consortium are barred unless the plaintiff was physically harmed.
  • Pre-judgment interest on an award which is normally imposed by the court from the date of the event until the date the ultimate award is determined is barred.
  • Joint and several liability for non-economic damages is prohibited. Only that percentage of the ultimate claim amount that is directly attributed to the given defendant’s negligence can be recovered.
  • Liability would be reduced for other compensation that may be available to the claimant from collateral sources such as insurance recoveries or other defendants.

These protections also extend to downstream entities in the distribution chain of the “designated” technology.
SAFETY Act designation has been granted to products and services in a variety of fields, including intelligent video systems, engineering services, risk and vulnerability assessment services, security guard services, explosives detection equipment, and building security plans.

Portions of this webpage were developed from analysis of Limiting Liability Before a Data Breach by Allison Brecher, a senior litigation counsel and director of information management and strategy, and Orrie Dinstein, global privacy leader at Marsh & McLennan Companies. It appeared online in the ALM publication, Corporate Counsel, on March 26, 2015.