FireEye offers new details on customer liability shields under the SAFETY Act

FireEye's external counsel offers additional insight into what the SAFETY Act means for customers


What about product updates? Finch offered an outline for that as well:

  • When a company makes 'generational' changes to a product or service, such as slightly improved hardware or updates to software that, while improving performance and effectiveness, do not radically change the device or service, those changes are automatically included.
  • Part of the reason why those changes are automatically included is that, as part of the application process, the applicant is required to explain how they make such changes (in other words, what is their 'continuous improvement process'). DHS anticipates and expects that a product or service will not remain static, and that as time goes on lessons learned will be incorporated into the technology/service. Indeed, if you don't have a process for explaining how you will improve your product, I dare say you will have a hard time earning SAFETY Act protections.
  • If you make a revolutionary change to the product or service (let's say you go from gasoline propulsion to all electric or from punch card computing to the latest iOS operating system), that type of 'revolutionary' change will be considered 'material' by DHS and requires you to notify the SAFETY Act Office. Depending on the circumstances of the change, the awardee will either have to 'modify' the award to reflect that change or file a completely new application.
  • The key factor is whether the change is 'material' – that drives whether you notify DHS of the change. And even more specifically, where a company could encounter serious issues is if the 'material' change impacts the performance or efficacy of the product or service in a negative way. DHS will be most concerned if a change somehow alters the ability of the product/service to counter threats, or if the change so fundamentally alters the product that it is no longer the 'same' it initially reviewed.

So how are customers protected? Where does their liability shield come from, and how can it be applied under the SAFETY Act?

"Technically, when a SAFETY Act 'Designation' or 'Certification' award is made, the seller of the approved product or service is the only proper defendant for claims arising out of or related to said product/service," Finch said.

"Therefore any claims made against the customer alleging that the product/service didn’t work, was defective, etc. etc. are not allowed under federal law, and must therefore be dismissed. So essentially the customer can have any and all claims (when the SAFETY Act is triggered under federal law) related to the approved product/service that arise out of the cyber-attack in question immediately dismissed. That’s a very nice protection for the customer."

There was an additional question asked that didn't receive an answer before this article was published. It centers on what happens to the liability protection if the customer doesn't implement the product properly, or there are errors with configuration. If an answer is given, this story will be updated.

So if a cyber-attack qualifies as an act of terrorism under the SAFETY Act, then FireEye's customers are shielded. How, then, does the SAFETY Act define an act of terrorism?

"An act meets the requirements of this subparagraph if the act- (i) is unlawful; (ii) causes harm to a person, property, or entity, in the United States, or in the case of a domestic United States air carrier or a United States-flag vessel (or a vessel based principally in the United States on which the United States income tax is paid and whose insurance coverage is subject to regulation in the United States), in or outside the United States; and (iii) uses or attempts to use instrumentalities, weapons or other methods designed or intended to cause mass destruction, injury or other loss to citizens or institutions of the United States."

Given the definition, it's a bit of a stretch to see attacks such as those against Sony or Anthem classed as terror acts, but not impossible. Still, it would require some serious arguments in Washington.

But if that happens, is it in the best interest of those operating in the public and private sectors? Would we then see any attack that causes significant losses and harm to a firm (e.g. Sony / Anthem / Home Depot) and is traced to a foreign actor tagged as terrorism?

For now, there is plenty of room for debate on the topic, and everyone is encouraged to comment below or email their thoughts directly. If new information on this topic surfaces, such as responses to FOIA requests, you'll see it here first.

Copyright © 2015 IDG Communications, Inc.
