Field/Customer FAQs. What is the SAFETY Act?



Similar documents
The Cybersecurity Framework and the SAFETY Act a Primer for Temple Business School

The SAFETY Act: Providing Critical Liability Protections for Cyber and Physical Security Efforts

Liability Management Evolving Cyber and Physical Security Standards and the SAFETY Act

Big Data As a Threat? An Alternative Approach to Cybersecurity

NC General Statutes - Chapter 99B 1

Defense of State Employees: LIABILITY AND LAWSUITS. UNCW Office of General Counsel January 2010

trial court and Court of Appeals found that the Plaintiff's case was barred by the statute of limitations.

Section What it Means to the United States Government

CYBERSECURITY RISK MANAGEMENT

PASSIVE SELLER IMMUNITY FROM PRODUCT LIABILITY ACTIONS. House Bill 4 significantly impacted most areas of Texas Tort Law. In the

CLARK COUNTY, NEVADA. ANSWER ) Defendant. ) )

National Union Fire Insurance Company of Pittsburgh, Pa. LAWYERS PROFESSIONAL LIABILITY RENEWAL APPLICATION

Second Annual Conference September 16, 2015 to September 18, 2015 Chicago, IL

LOUISIANA PERSONAL INJURY ACCIDENT BASICS

Regulating and Monitoring Private Military and Security Companies in United Nations Peacekeeping Operations. Stephen Mathias 1

Personal injury claim" does not include a claim for compensatory benefits pursuant to worker s compensation or veterans benefits.

STATE OF FLORIDA OFFICE OF FINANCIAL REGULATION

Products Liability: Putting a Product on the U.S. Market. Natalia R. Medley Crowell & Moring LLP 14 November 2012

2013 IL App (3d) U. Order filed September 23, 2013 IN THE APPELLATE COURT OF ILLINOIS THIRD DISTRICT A.D., 2013

GENERAL ASSEMBLY OF NORTH CAROLINA SESSION 2011 HOUSE DRH11149-TG-5 (12/01) Short Title: Tort Reform Act of (Public)

NOT ACTUAL PROTECTION: ACTUAL INNOCENCE STANDARD FOR CRIMINAL DEFENSE ATTORNEYS IN CALIFORNIA DOES NOT ELIMINATE ACTUAL LAWSUITS AND ACTUAL PAYMENTS

Defendant has a duty to act as a reasonable person would in like or similar circumstances to avoid causing unreasonable risk of harm to others.

VIRGINIA ACTS OF ASSEMBLY SESSION

NEGLIGENCE: ELEMENT I: DUTY CHAPTER 13

RUTGERS THE STATE UNIVERSITY OF NEW JERSEY

Unintentional Torts - Definitions

Federal Securities Law Disclosure Obligations Regarding Governmental Investigations

STATE OF OREGON TRANSPORTATION COMPENDIUM OF LAW

Negligence: Element III: Proximate Cause. Chapter 15

Cyber Insurance and Your Data Ted Claypoole, Partner, Womble Carlyle and Jack Freund, PhD, InfoSec Mgr, TIAA-CREF

EXECUTIVE ORDER (Language Services in the Courts)

Anti-Bribery and Books & Records Provisions of. The Foreign Corrupt Practices Act. Current through Pub. L (November 10, 1998)

Cyber-Insurance Metrics and Impact on Cyber-Security

Queensland WHISTLEBLOWERS PROTECTION ACT 1994

Discovery in Bad Faith Insurance Claims: State of the Law, Successful Strategies. Teleconference Program Wednesday, March 29, 2006

TABLE OF CONTENTS INSURANCE BAD FAITH CLAIMS IN COLORADO. Exhibit 1A Bad Faith Case Outcomes 2.1 INSURED S REMEDIES LIMITED UNDER CONTRACT LAW

IN THE UNITED STATES BANKRUPTCY COURT FOR THE DISTRICT OF ARIZONA

ASSEMBLY BILL No. 597

Bylaws of the Lawyer-Client Fee Dispute Resolution Committee of the Cleveland Metropolitan Bar Association. Enacted November 18, 2015

SAMPLE RETURN POLICY

Terms of Use The Human Face of Big Data Website

Amy S. Harris Shareholder

Paralegal Pitfalls Employment Practices

The New Role of Hospital Boards in the Face of Increased Compliance Risks NCHA Trustee Institute

Preparing a Federal Case

Sharing Cybersecurity Threat Info With the Government -- Should You Be Afraid To Do So?

Cyber-insurance: Understanding Your Risks

WILLIS SPECIAL REPORT: 10K DISCLOSURES HOW TECHNOLOGY AND TELECOM COMPANIES DESCRIBE THEIR CYBER LIABILITY EXPOSURES

Policy Options: Limiting Employer Liability When Hiring Individuals Formerly Incarcerated

Minnesota Personal Injury Law: Car Accidents

MONTANA EIGHTH JUDICIAL DISTRICT COURT, CASCADE COUNTY. Appearing on behalf of the Named Plaintiff and the Class were attorneys Daniel P.

IN THE UNITED STATES COURT OF APPEALS FOR THE FIFTH CIRCUIT

Suzanne Kupsch. Dawson Chambers Room 5, 405 Little Bourke Street Melbourne Victoria T: List Y:

EX PARTE PETITION FOR ORDER TO RELEASE MEDICAL RECORDS

Chapter 7 Tort Law and Product Liability

Lawyer Liability for Assisting in Breach of Fiduciary Duty: Privilege or Peril?

Settling a False Claims Act Case: Practicalities and Pitfalls

Workplace Related Injuries

Professional Services Agreement

Torts Copyright July, 2006 State Bar of California

PROTECTING CRITICAL CONTROL AND SCADA SYSTEMS WITH A CYBER SECURITY MANAGEMENT SYSTEM

ASSEMBLY BILL No. 597

GUIDELINES FOR THE ADMINISTRATION OF INSURANCE AGENTS

INVESTIGATIONS GONE WILD: Potential Claims By Employees

Global Guide to Competition Litigation Japan

Transcription:

Field/Customer FAQs On April 22, 2015, FireEye, Inc. was issued Certification under the SAFETY Act for its Multi-Vector Virtual Execution (MVX) Engine and Cloud Platform by the Department of Homeland Security (DHS). Below, please find answers to the most frequently asked questions about this important award: What is the SAFETY Act? The SAFETY Act is a 2002 federal law that created a liability management program for providers of anti-terrorism technologies. The Act creates certain liability limitations for "claims arising out of, relating to, or resulting from an Act of Terrorism" where anti-terrorism products have been deployed. Under the SAFETY Act, certain security product and service providers may apply for liability protections in the form of a SAFETY Act award from the Department of Homeland Security (DHS). If awarded SAFETY Act protections, the provider is entitled to specific protections from third-party liability stemming from the use of that product or service in relation to an Act of Terrorism and those liability protections associated with this award flow down to the buyers of these technologies. View the DHS Safety Act website: www.safetyact.gov What is SAFETY Act Certification? SAFETY Act protections can only be earned after successfully completing a comprehensive and rigorous review process administered by DHS. There are two levels of awards available under the SAFETY Act: Designation and Certification. The awards correspond with different levels of liability protection. Certification is the highest level award available under the SAFETY Act. In order for a product or service to become SAFETY Act Certified, the provider must prove to DHS that the product is not only effective, but also that it performs as intended, conforms to set specifications, and is safe for use. What is the practical effect of this SAFETY Act award for FireEye and its customers?

There may be significant legal claims and potential liabilities arising from a cyberattack. Should a cyber-attack take place and tort claims be filed against FireEye (as the manufacturer of the product) or our customers (as the user of the product) relating to the use, performance, design etc. of the MVX Engine or Cloud Platform, SAFETY Act certification provides a strong defense up to and potentially including dismissal of such claims. The MVX Engine is a core component of FireEye s appliances and most of FireEye s appliances are designed to connect with its Cloud Platform. Both of these technologies are now SAFETY Act Certified, and FireEye will receive numerous benefits, including: The MVX Engine and Cloud Platform are on the DHS Approved Products List, which is an exclusive roster of highly effective security products and services. When the SAFETY Act is triggered by the DHS Secretary following a cyber-attack, FireEye is entitled to liability and procedural defenses, including: o Exclusive federal jurisdiction; and o A rebuttable presumption of immediate dismissal of all third-party claims based on the alleged failure of the MVX Engine or Cloud Platform that arise out of or relate to the cyber-attack in question. Indeed, the only way to defeat that presumption of dismissal is to show fraud or willful misconduct in the submission of the SAFETY Act application to DHS. And, even if for some reason fraud or willful misconduct is shown, FireEye still receives liability protections that include a maximum cap on damages, a bar on punitive damages and prejudgment interest, a bar on joint and several liability, and a reduction in any award to plaintiffs equal to amounts they receive from other parties (such as victim compensation funds, life insurance policies, etc.). o FireEye s customers, suppliers, vendors, and all others in its supply chain are immune from third-party claims related to any alleged 2

failure, or negligent design or implementation of the MVX Engine or Cloud Platform. In other words, FireEye s customers cannot be sued for buying such FireEye products or any alleged failure of these products in a cyber-terrorist attack. o FireEye receives an official seal that it may use on all its marketing material indicating that it has received the Certification award. That s too good to be true. What s the catch? There is no catch per se, but the SAFETY Act may only be invoked in certain circumstances: First, the DHS Secretary has to declare that the cyber-attack in question is an Act of Terrorism. However, under the law, Act of Terrorism is broadly defined. The attack only needs to be 1) unlawful, 2) cause harm, including economic harm in the United States, and 3) the attacker has to use a weapon or other items that are intended to cause such harm. There is no need to demonstrate terrorist motivations or connections to terrorist groups. As such, the SAFETY Act can apply to a broad range of attacks, including state-sponsored or criminal cyber-attacks. Second, the SAFETY Act protections only apply to the products running on the MVX Engine and Cloud technology. This means that if you, as the customer, so materially change FireEye s products that they are no longer the same product that DHS reviewed, the SAFETY Act award may no longer be applicable. It also means that claims unrelated to these certified products are not protected. Third, FireEye s award only protects those MVX Engine and Cloud Platform products purchased from July 1, 2008 and the act of terrorism/cyberattack must have occurred on or after April 22, 2015. Lastly, the SAFETY Act only provides for dismissal of third-party claims regulatory and other types of claims can still proceed. What if the DHS Secretary refuses to declare that the SAFETY Act applies after a cyber-attack? 3

No official or automatic protections would apply. However, customers will still be able to demonstrate that when the attack occurred, they were using a product that was thoroughly tested and reviewed by DHS, and found to be so useful and effective that it was Certified under the SAFETY Act. This may provide powerful evidence to rebut any claims that they were negligent in the selection of vendors or the design of their security program. Has the SAFETY Act been tested in court? No, the SAFETY Act has never been tested in court. Until recently, the vast majority of SAFETY Act awards were issued for physical security products (like x-ray machines), and we as a nation have fortunately not experienced an event to trigger the SAFETY Act for such products during past years. However, the SAFETY Act is premised on the government contractor defense, a well-established common law defense. The Supreme Court has reviewed and affirmed the government contractor defense, and the SAFETY Act simply represents a codification of these basic principles. Thus, if the SAFETY Act is tested, there is very high confidence that the SAFETY Act will be upheld in federal court. What if the attack originates from or occurs overseas? Could the SAFETY Act protections apply in those situations? Yes, the SAFETY Act can apply even when an attack originates from or actually occurs outside the United States. So long as the attack impacts the United States (either physically or economically) and the ensuing litigation is being decided under U.S. law, both U.S. and international customers may take advantage of the defenses of the SAFETY Act. As a FireEye customer, do I need to do anything to enjoy these SAFETY Act protections? That s the best part you don t! If you are using the MVX Engine or Cloud technologies, the SAFETY Act protections automatically flow down to you, the customer. Are any other cybersecurity products or services SAFETY Act Certified? 4

FireEye s MVX Engine and Cloud Platform are the first and only true cybersecurity technologies to be deemed so useful and effective by DHS that they are SAFETY Act Certified. Once again, FireEye has broken new ground with its products. Currently, the following product offerings run on the MVX Engine and Cloud Platform: Network Threat Prevention (NX Series) Email Threat Prevention (EX Series) Email Threat Prevention Cloud (ETP) Content Threat Prevention (FX Series) Malware Analysis Platform (AX Series) Mobile Threat Prevention (MTP) This award also applies to older products running the MVX engine, such as MPS. I have more questions! Who can I contact at FireEye? Alexa King, General Counsel: alexa.king@fireeye.com Reena Paraguya, Commercial Counsel: reena.paraguya@fireeye.com 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information