SAFETY Act

Hunton Andrews Kurth LLP has represented a major energy company in obtaining a first-of-its-kind public SAFETY Act Certification of its enterprise-wide cybersecurity program.

Critical infrastructure owners and operators face serious cybersecurity threats from a variety of actors that seek to disrupt business operations and services to customers, inflict significant damage to systems and equipment, and steal valuable business information or personal information. A major cyber attack on a company that powers the electric grid, maintains communications networks, provides banking and financial services, manufactures essential goods, or provides other critical services to the country could cause catastrophic harm. The damage could include disruption of essential services, widespread economic losses, bodily injury, serious reputational harm, and years of expensive litigation. 

Companies facing this exposure are now turning to the Supporting Anti-Terrorism by Fostering Effective Technologies Act, or “SAFETY Act,” for a Designation or Certification of their cybersecurity program that protects their reputation and limits their legal liability for damages associated with “acts of terrorism” that overcome their cyber defenses. Administered by the Department of Homeland Security (DHS), SAFETY Act Designation or Certification of a company’s enterprise-wide cybersecurity program can provide significant benefits, including:

• A Reputation for Cybersecurity Excellence – Cyber attacks can destroy a company’s reputation, leading to customer attrition and lower profits. A SAFETY Act Designation or Certification by DHS constitutes a public validation of the maturity and robustness of the company’s cybersecurity program by the government agency responsible for protecting the country’s critical infrastructure from cyber attacks. Certification carries the added benefit of placement on DHS’s “Approved Products List for Homeland Security,” but both awards provide a powerful measure of reputational protection in the wake of a major data breach or cyber attack.
• Best Practice – SAFETY Act Designation or Certification helps a company show that its cybersecurity program is a best practice that meets the “standard of care” in cybersecurity or data breach litigation.
• Cost Savings – SAFETY Act Designation or Certification indicates a lower company risk profile and can lead to cost savings on insurance premiums while also supporting procurement of more expansive insurance coverage.
• Legal Protections – The SAFETY Act provides substantial legal protections against claims arising from an “act of terrorism.” Companies with SAFETY Act Certified technologies and services can assert the Government Contractor Defense, which broadly forecloses most state and federal claims. Legal protections associated with SAFETY Act Designated or Certified technologies and services also include:
  • Liability limited to insurance required by DHS;
  • Exclusive jurisdiction in federal court;
  • A bar against punitive damages and pre-judgment interest; and
  • Limits on non-economic damages.
• Regulatory Compliance and Certainty – Obtaining SAFETY Act Designation or Certification demonstrates to regulators that a company meets the government’s rigorous standards for protecting cyber assets, reducing the possibility of regulatory non-compliance and associated costs.
• Competitive Advantage – DHS permits technologies and services granted SAFETY Act Designation or Certification to display its SAFETY Act seal of approval. This can boost a company’s competitive advantage, giving potential investors and vendors assurance that a company’s cyber protection practices meet DHS’s high standards.

Hunton Andrews Kurth LLP recently represented an energy company in obtaining the country’s first-ever SAFETY Act Certification or Designation for its enterprise-wide cybersecurity program. Combining talented lawyers from fourteen different practices, our energy sector security team and our cyber and physical security task force work with companies in the electric utility, oil and natural gas, financial, communications and other critical infrastructure sectors to minimize the risks or consequences of a serious security incident. Coupled with the strength of our firm’s preeminent cybersecurity practice, we are poised to guide critical infrastructure companies in all sectors with a broad range of cyber and physical security challenges.