Academic journal article Santa Clara High Technology Law Journal

Litigation Following a Cyber Attack: Possible Outcomes and Mitigation Strategies Utilizing the SAFETY Act

Academic journal article Santa Clara High Technology Law Journal

Litigation Following a Cyber Attack: Possible Outcomes and Mitigation Strategies Utilizing the SAFETY Act

Article excerpt

TABLE OF CONTENTS  INTRODUCTION I. LIABILITY SCENARIOS FOLLOWING A CYBER ATTACK       A. Scenario One            1. Claims Against the Chemical Company                 a. Negligence Claims                 b. Strict Liability Claims                 c. Contract Claims            2. Claims Against Other Entities                 a. Design Defect Claims                 b. Failure-to-Warn Claims         B. Scenario Two            1. Claims Against the Chemical Company            2. Claims Against Other Entities         C. Scenario Three            1. Claims Against the Chemical Company            2. Claims Against the Cyber Security Vendor                 a. Claims by the Chemical Company                 b. Claims by other Parties         D. Scenario Four            1. Claims Against the Chemical Company            2. Claims Against Other Entities         E. Scenario Five            1. Claims Against the Chemical Company            2. Claims Against Other Entities II. APPLICATION OF THE SAFETY ACT TO LIABLITY        RESULTING FROM A TERRORIST ATTACK          A. Background of the SAFETY Act          B. SAFETY Act Protections Available to Customers and           Other Entities          C. Application of SAFETY Act Protections to Cyber             Security Vendors and Their Customers CONCLUSION 

INTRODUCTION

Liability for a cyber attack is not limited to the attackers. An attack may be foreseeable in some circumstances, and the failure of the target or the other entities to take steps to prevent the attack can constitute a breach of duty to injured victims. in the absence of the protections provided by the Support Anti-Terrorism By Fostering Effective Technologies (SAFETY) Act, a cyber attack on a chemical facility could give rise to a number of common-law tort and contract claims (1) against the target of the attack and other entities, potentially including the target's cyber security vendors. This article discusses claims that might arise in various cyber attack scenarios and the effect of the SAFETY Act on these potential claims. (2)

The SAFETY Act is a tort liability management statute that was passed as part of the Homeland Security Act of 2002. (3) Under the SAFETY Act, entities that sell or otherwise deploy products that can be used to deter, defend against, respond to, mitigate, or otherwise combat "acts of terrorism" are eligible to receive liability protections. These liability protections can take the form of jurisdictional defenses, a cap on liability, or a presumption of immediate dismissal of third-party liability claims.

As discussed above, this article will review several scenarios to examine whether liability could be found against companies that make cyber security tools or against entities that purchase such tools. The article will then examine how the SAFETY Act could be utilized to mitigate or eliminate such liability.

I. LIABILITY SCENARIOS FOLLOWING A CYBER ATTACK

Cyber attacks are a well-recognized threat in today's world. (4) Companies are regularly subjected to breach attempts by individuals, organized crime, and even nation-states. These attacks have various motives, ranging from the theft of financial information or intellectual property to the disruption or destruction of operations, data, or physical facilities. (5) Below are several scenarios describing potential cyber attacks and an examination about the potential liability resulting from each.

A. Scenario One

A company that stores dangerous chemicals in large multi-thousand gallon tanks purchases cyber security software and hardware (physical devices attached to IT systems as a cyber security measure) to prevent outsiders from breaking into their industrial control systems. Through news reports and government-furnished intelligence, the company is well aware that, while it is not being specifically targeted by cyber-attackers, hackers have been breaking into chemical companies and seeking to take control of industrial control systems. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed

Oops!

An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.