DHS Anti-Terrorism Program Could Provide Cyberattack Liability Protection

Published: 22/11/2024   Category: security




The SAFETY Act can offer a layer of legal protection for cyber security vendors, providers, and enterprise security policies in the wake of an attack, an attorney says.



MIRCon -- Washington, D.C. -- A little-known Department of Homeland Security program for providing liability protection to US firms in the wake of terrorist or other attacks could also provide shelter for firms facing legal action in the wake of a cyberattack.
Brian Finch, a partner with the law firm Pillsbury Winthrop Shaw Pittman LLP and a cybersecurity legal expert, says the DHS's so-called SAFETY Act, which protects certified providers of anti-terrorism products and services, also can apply to providers of cyber security products and services -- and even to the cybersecurity policies of major corporations in the event of an attack.
Most private lawsuits against companies that have suffered data breaches thus far have been dismissed because the plaintiffs don't prove the breach caused them harm, Finch said in a presentation here yesterday. Consumers just get a new credit card. It's annoying, but I haven't suffered any harm when a credit card is stolen in a breach. Even so, organizations need to prepare for litigation.
He warns that cleanup lawyers are beginning to take note of the potential for making money off data breach litigation. You had better prepare. There are deep pockets in this room, so you are going to be sued if you get breached, because the legal maneuvers are not going to stop.
Finch told Dark Reading in an interview that the DHS's SAFETY Act has mostly been underutilized for cyber security purposes, but awareness is growing. It would be more helpful in a black swarm event, where you suffer physical damage or loss of life with a cyberattack, versus just credit cards. Financial services firms or oil and gas companies would be prime candidates for coverage under the act.
He says the SAFETY Act, which was created in 2002 by the DHS to foster anti-terrorism technology development, applies to corporate security policies, as well, therefore protecting a SAFETY Act-certified corporate entity from liability in the wake of a big breach.
Richard Bejtlich, chief security strategist for FireEye, says the terror association with the statute likely explains its obscurity to the cyber security sector thus far.
There are two levels of certification, which require an application and certification process by the DHS. So long as the impact is felt in the US financially or physically, liability protections are available, Finch said. That statute covers cyberattacks… and you don't need to prove it was a terrorist group or any specific adversary.
One level of certification provides a cap on liability, while the other provides immunity from liability. This second certification entitles a lawsuit to be dismissed, he said, even if someone [in your organization] missed a step.
But a SAFETY Act certification would not replace cyberinsurance; rather, it would go hand in hand with such a policy. You want to have cyberinsurance anyway, he says. This would cut [costs] of litigation and use insurance to cover any losses you suffered yourself.
To date, most certified by the SAFETY Act have been firms with physical security services or products, such as Morphix Technologies, which sells a chemical detection device. However, MorphoTrust USA, a document authentication vendor, is also certified. Finch estimates that cyber security products account for less than 3% of the SAFETY Act applications.
In the meantime, data breaches are getting more executive and board-level attention than ever, mostly thanks to high-profile attacks at Target and other big brands. That includes a plan for how to respond in the event of a breach.
Kevin Mandia, COO of FireEye Mandiant, maintains that security has already become a board of directors issue, whether companies are ready or not. Normally, we're meeting with a board after a breach, he said here in his keynote address. But boards should become involved prior to a breach.
Every single person is on the clock during a breach. A bunch of CISOs are losing their job, Mandia said. We ask boards: How good do you want to be when their firm gets breached.
Finch concurs that many executive boards still don't fully understand cyber security risks. When I'm talking to the C-suite or board, [many times] they truly don't understand what cyber security is all about and what a cyberthreat looks like. They are aghast when he tells them a breach or successful attack is inevitable.
