March 2017, Vol. 244, No. 3

Features

How SAFETY Act Can Manage Liability Risks Arising From Pipeline Threats

Oil and gas pipelines form networks covering several million miles in the United States and are an efficient, relatively secure means of moving oil and natural gas. Because of the nature of their cargo, pipelines also present the risk of substantial personal, property, and environmental damage in the event of a physical or cyberattack.

Pipelines have long been a physical target for terrorists, and recent years have brought a consistent drumbeat of warnings of potential physical attacks on oil and gas pipelines.[1] Furthermore, pipelines are operated by sophisticated supervisory control and data acquisition systems, and this reliance on information technology for operations has increased the possibility of a destructive cyberattack on an oil or natural gas pipeline.[2] There have been several high-profile cyberattacks on industrial control systems (“ICS”) in recent years, including Stuxnet and other malware targeting ICS software.[3]

The purpose of this article is to highlight the Support Anti-Terrorism by Fostering Effective Technologies Act, more commonly known as the SAFETY Act, as a vehicle for managing the liability risks arising from these threats. The SAFETY Act is a little-known statute Congress enacted in 2002 that offers substantial benefits – in the form of liability limitations, competitive advantages, and potentially reduced costs for insurance coverage – to owners and operators of pipelines that adopt robust physical and cybersecurity practices. The application of the SAFETY Act to owners and operators of critical infrastructure is a relatively new development and offers an additional measure that pipelines can adopt to manage their liability risks arising out of a physical or cyberattack.

What is the SAFETY Act?

The SAFETY Act was enacted as part of the broader Homeland Security Act of 2002 to help facilitate development and deployment of anti-terrorism products and services (referred to in the statute as “technologies”) by granting various liability protections. In particular, the SAFETY Act provides covered “technologies” with two basic types of protection – Designation and Certification – against third-party liability for injury, loss of life, or damage to property or businesses arising from an “Act of Terrorism.”

For a technology that has been granted Designation, third-party liability for damages arising out of an act of terrorism is capped at the level of the applicant’s insurance coverage, which the Department of Homeland Security’s Office of SAFETY Act Implementation (“OSAI”) determines as part of the application process. A grant of Designation by OSAI also carries with it a series of additional risk mitigation measures, including:

  • Exclusive jurisdiction in Federal Court for all lawsuits;
  • A bar against punitive damages and pre-judgment interest;
  • A limitation on non-economic damages; and
  • Liability only in proportion to the responsibility of the seller of the technology.

Certification provides the same protections as those provided by Designation, but also includes more complete liability protection by allowing the seller of the covered technology to assert the Government Contractor Defense (a broad defense which forecloses most claims). This Defense may only be rebutted by proving with clear and convincing evidence that the seller engaged in fraud or willful misconduct in submitting information to DHS. Each certified technology also is designated as an “Approved Product for Homeland Security” by DHS.

The Act notes that the only proper party defendant to a lawsuit arising from an act of terrorism is the seller of that technology. Customers, clients, subcontractors and vendors that either consume the technology or support the seller in deploying the technology are immune from liability.

How Does the SAFETY Act Apply to Pipelines?

In recent years, the federal government has focused its attention on cyber and physical security for critical infrastructure, and has sought to encourage industries that own or operate critical infrastructure to improve their security practices. This increased attention on critical infrastructure security is a result of a sharpening of the risks posed to critical infrastructure by nation states, terrorist groups, and other adversaries who might wish to disrupt American life on a broad basis.

Several events have triggered this heightened concern, including the identification and release of the Stuxnet worm, which targets industrial control systems used to operate critical infrastructure, efforts by third parties to hack into information technology systems used to run electric grids and manufacturing companies, and, in the case of pipelines, physical attacks on oil and gas pipelines with an intent to cause widespread damage and economic disruption. These concerns were amplified recently by warnings from DHS that natural gas pipelines have been the targets of sophisticated phishing and related cyberattacks.

The government’s efforts to facilitate improved cyber and physical security primarily have assumed the form of encouraging information-sharing about threats and promulgating best practices in security. However, OSAI has been quietly holding out the SAFETY Act as a potential benefit for critical infrastructure companies to improve their cyber and physical security efforts. As outlined, the SAFETY Act applies to “technologies” and the definition of “technologies” extends to “services” including those a company provides to itself. In recent years, OSAI has granted SAFETY Act Certification to certain physical security companies – that is, it granted SAFETY Act Certification to the physical security programs being offered by these security companies. OSAI has indicated that it is willing to grant to critical infrastructure companies Certification for their own, internal cyber and physical security programs if they can demonstrate that those programs meet the applicable criteria.

SAFETY Act Mitigation of Industry Liability Risks

The pipeline industry faces substantial and continuing liability risks arising from its operations. The limited number of incidents in recent years illustrates the scale of destruction and injury that can occur if something goes wrong. The industry’s continued and strong focus on pipeline safety, and its compliance with both federal and state pipeline safety regulation, have substantially reduced the risk of such events. It is impossible to eliminate these risks entirely; rather, the industry is faced with the task of managing those risks as best it can.

The SAFETY Act offers pipelines the ability to better manage their potential liability for at least the portion of pipeline safety concerns associated with cyber or physical attacks. The SAFETY Act provides two complementary avenues for pipelines to mitigate and reduce liability risks from cyber and physical threats. The first is to purchase goods and services involving physical and cybersecurity from vendors that have obtained SAFETY Act coverage for their products. That way, a pipeline can avail itself of the liability protections that attach to the use of those products.

The second avenue, which would allow for more comprehensive risk mitigation, is for a pipeline to seek SAFETY Act Designation or Certification for its internal cyber and physical security programs and processes. OSAI has approved SAFETY Act Certification for technologies that consist of security procedures and training provided by third parties,[4] umbrella security policies adopted by trade groups,[5] and physical security policies and procedures adopted by certain sports teams.[6] This is the type of SAFETY Act coverage for which some electric utilities are applying. This type of coverage is equally applicable to oil and natural gas pipelines.

How to Obtain SAFETY Act Coverage

Obtaining SAFETY Act coverage for a pipeline’s physical and/or cybersecurity program involves making a showing to OSAI that all aspects of the company’s program satisfy the criteria for Designation and Certification. If an entity obtains SAFETY Act Designation or Certification, it is able to enjoy at least two levels of liability protection. First, as long as a cyberattack is ruled by the Secretary of Homeland Security to be an Act of Terrorism, the protections specified in the SAFETY Act apply.

Second, even if an Act of Terrorism is not declared, the fact that a company’s cyber or physical security program has been approved for SAFETY Act Designation or Certification – and been designated as an “Approved Product for Homeland Security” by DHS – provides an official stamp of approval of the company’s internal programs which can serve as strong evidence that it acted in accordance with applicable standards, and therefore can mitigate liability risks.

In addition to these benefits, SAFETY Act Designation or Certification can have a salutary impact on a covered company’s insurance costs. Cyber insurance is still a developing area, but because SAFETY Act coverage can limit an entity’s potential liabilities, we believe it also will have the effect of mitigating, and perhaps even reducing, an entity’s insurance costs, while potentially allowing it to gain more expansive coverage. This is because SAFETY Act coverage provides an independent demonstration to underwriters that a utility has less risk and therefore should qualify for better coverage at a more advantageous price.

Conclusion

The regulatory landscape for cybersecurity is constantly evolving, and the SAFETY Act offers a rare opportunity for an oil or natural gas pipeline to acquire a valuable benefit – liability limitations – for improving its cyber and physical security programs. This coverage allows a pipeline to better manage and minimize its liability risks associated with a physical or cyberattack. Equally important, it could allow pipelines to obtain more robust cyber insurance coverage for a lower cost than most cyber insurance policies on the market.

Authors: Hunton partner Paul Tiao co-chairs the firm’s multi-disciplinary Cyber and Physical Security Task Force and its Energy Sector Security Team. He advises companies on risk management, preparedness, cyber incident response, compliance, litigation, policy and legislation.

Hunton senior attorney Brian Zimmet focuses on federal and state energy regulation, particularly FERC regulation, and cybersecurity regulation, as it relates to critical infrastructure.

[1] See Pipelines: Securing the Veins of the American Economy, Paul W. Parfomak, before the Committee on Homeland Security, Subcommittee on Transportation Security, U.S. House of Representatives, April 19, 2016, at pgs. 1-2.

[2] Id. at pgs. 2-3.

[3] See An Unprecedented Look at Stuxnet, the World’s First Digital Weapon, Kim Zetter, Wired Magazine, Nov. 3, 2014; Department of Homeland Security, Industrial Control Systems Cyber Emergency Response Team, Alert-14-281-01E, Ongoing Sophisticated Malware Campaign Compromising ICS (Update E), Dec. 9, 2016; New Havex malware variants target industrial control system and SCADA users, Lucian Constantin, PC World, June 24, 2014.

[4] See, e.g., OSAI Grant of Designation to Boeing Company for the Tier 3 Customs-Trade Partnership Against Terrorism Services, December 10, 2014.  The technology is described by OSAI as “the implementation of policies, procedures, training, and a risk management framework to secure the goods of the supply chain being imported into the United States.”  https://www.safetyact.gov/jsp/award/samsApprovedAwards.do

[5] See, e.g., OSAI Grant of Designation to the American Chemistry Council for the Responsible Care Security Code, January 29, 2014.  The technology is described by OSAI as consisting of a “security management system encompassing 13 management practices” designed to help any American Chemistry Council member or partner “deter, detect, delay, defeat or respond to a physical or cyber attack against any form of chemical operation, whether at a fixed facility or during transportation.”  https://www.safetyact.gov/jsp/award/samsApprovedAwards.do

[6] See, e.g., OSAI Grant of Designation and Certification to the New York Yankees for the New York Yankees Security Program, June 13, 2012.  The technology is described by OSAI as a “comprehensive integrated security system which is comprised of physical and electronic security measures, tools, and procedures designed to detect, deter, prevent, respond to, and mitigate Acts of Terrorism at Yankee Stadium during Game Day, Non-Game Day (In-Season), Non-Season, and Special Events.”  https://www.safetyact.gov/jsp/award/samsApprovedAwards.do
