FireEye offers new details on customer liability shields under the SAFETY Act | CSO Online


What about product updates? Finch offered an outline for that as well:

So how are customers protected? Where does their liability shield come from, and how can it be applied under the SAFETY Act?

"Customers are protected in the following way: technically, when a SAFETY Act "Designation" or "Certification" award is made, the seller of the approved product or service is the only proper defendant for claims arising out of or related to said product/service," Finch said.

"Therefore any claims made against the customer alleging that the product/service didn’t work, was defective, etc. etc. are not allowed under federal law, and must therefore be dismissed. So essentially the customer can have any and all claims (when the SAFETY Act is triggered under federal law) related to the approved product/service that arise out of the cyber-attack in question immediately dismissed. That’s a very nice protection for the customer."

There was an additional question asked that didn't receive an answer before this article was published. It centers on what happens to the liability protection if the customer doesn't implement the product properly, or there are errors with configuration. If an answer is given, this story will be updated.

So if a cyber-attack can be placed under the conditions of the SAFETY Act, then FireEye's customers are shielded. So how does the SAFETY Act define an act of terrorism?

"An act meets the requirements of this subparagraph if the act- (i) is unlawful; (ii) causes harm to a person, property, or entity, in the United States, or in the case of a domestic United States air carrier or a United States-flag vessel (or a vessel based principally in the United States on which the United States income tax is paid and whose insurance coverage is subject to regulation in the United States), in or outside the United States; and (iii) uses or attempts to use instrumentalities, weapons or other methods designed or intended to cause mass destruction, injury or other loss to citizens or institutions of the United States."

Given the definition, it's a bit of a stretch to see attacks such as those against Sony or Anthem classed as terror acts, but not impossible. Yet, it would require some serious arguments in Washington.

But if that happens, is it in the best interest for those operating in the public and private sectors? Would we then see any attack that causes significant losses and harm to a firm (e.g. Sony / Anthem / Home Depot) that's traced to a foreign actor tagged as terrorism?

For now, there is plenty of room for debate on the topic, and everyone is encouraged to comment below or email their thoughts directly. If new information on this topic surfaces, such as responses to FOIA requests, you'll see it here first.

http://www.csoonline.com/article/2918614/disaster-recovery/fireeye-offers-new-details-on-customer-liability-shields-under-the-safety-act.html?page=2