Beefed-up protection from lawsuits should spur companies to take on homeland security work.
From its inception, hordes of companies have tried to sell their products to the Homeland Security Department. Now DHS is hawking something to those vendors: protection from liability.
Department officials say they will begin to use a three-year-old law called the SAFETY Act in a more targeted way, offering its protection from lawsuits to companies producing technology DHS covets. If the department is looking for new weapon detectors for ports, for example, it could approach manufacturers of that kind of technology directly and offer an expedited review for coverage under the SAFETY Act. "The idea is to incentivize people to step forward and start making" the products, says a DHS official. "It's a tool that we can use much more dramatically than we have in the past."
It may not sound sexy, but to those in the homeland security industry, such protection is a valuable commodity. "If you put something out there in the anti-terrorism realm, you're playing bet-your-company because if something goes wrong . . . everyone can sue you," says Tom Conway, managing partner for homeland security at Reston, Va.-based Unisys Corp. "It is something I have to consider in every solution and every deal. And then you make a business decision based on how much risk you want to absorb."
It was enough of a concern that Congress included a section called the Support Anti-Terrorism by Fostering Effective Technologies Act in the 2002 Homeland Security Act, the legislation that created the Homeland Security Department. That section, known as the SAFETY Act, empowered DHS to limit the liability of the firms producing certain homeland security technologies and services should a terrorist attack set off a round of lawsuits.
The final rule DHS issued earlier this summer to implement the SAFETY Act has drawn a chorus of cheers from industry circles. It's not the first time. When the act first emerged, private sector representatives initially greeted it with roses. But the reaction morphed into concerns and outright criticisms once DHS began putting the statute into effect. This time around, the department and most industry representatives say, DHS is getting it right. "We're quite pleased," says Alan Chvotkin, senior vice president of the Professional Services Council, an Arlington, Va., trade group representing federal contractors in the technology and service arenas. "In fact, it addresses, even if not completely, virtually every comment and question we had about the interim rule."
The SAFETY Act was designed to encourage firms to bring homeland security products to market by eliminating the "bet-your-company" risk that might turn some of them away.
Insurance companies and the federal government paid more than 90 percent of the $38.1 billion awarded to victims of the Sept. 11 terrorist attacks, according to a 2004 study by the nonprofit RAND Corp. Because of concerns about an avalanche of claims, Congress capped liability for airlines, airports, ports and cities and established the Sept. 11 Victim Compensation Fund of 2001. To use it, recipients had to waive their right to sue. Still, about 70 families eventually filed wrongful death suits against airlines. Plaintiffs also sued the former Riggs Bank, alleging that lax oversight facilitated the financing of two hijackers, and 12 families of firefighters sued Motorola Inc. and New York City over faulty hand-held radios. That suit later was thrown out of court.
The United States has not suffered a terrorist attack, or resulting lawsuits, since the fall of 2001, so the protections of the SAFETY Act haven't come into play. But those in the homeland security industry uniformly say concern about liability is no less real. Large contractors bolstering the blast-resistance of bridges, ports and other hard targets; system integrators designing buildings and technological systems; manufacturers of infrared cameras and motion detectors on the border; and biotech firms supplying vaccines all could face lawsuits after a terrorist attack, according to industry attorneys.
"The potential liability to Raytheon or Boeing or any of us in a case where there is a terrorist act and someone or some class of persons might claim they're injured because of the failure of some technology or service you provide is enormous, off the charts, catastrophic, whatever you want to call it," says an attorney with Raytheon Co. in Waltham, Mass.
The SAFETY Act was supposed to allay these fears. The law allows DHS to give products and services two different kinds of protection: a "designation," which caps the firm's liability at the amount of its insurance (required to be as much as is "reasonably available"), or the more protective "certification," which completely immunizes vendors from certain liability claims. But industry concerns persisted after DHS in July and October of 2003 issued guidelines for implementing the law. Many say the process was too onerous and slow.
Between October 2003 and February 2005, DHS approved six technologies for SAFETY Act designation. Applying took an average of 1,000 hours, according to a 2003 survey by the Information Technology Association of America in Arlington, Va. (DHS estimated the time at 36 to 180 hours.) "Like a mini-FDA" was the phrase one company used to describe DHS' behavior.
Penrose "Parney" Albright was the DHS assistant secretary for science and technology overseeing SAFETY Act implementation for most of that period. He absorbed the majority of criticism of the program from industry and Capitol Hill, but says the department had a responsibility to ensure the approved technologies and services deserved the protection they were receiving. "We didn't play ball with this idea that we were going to rubber-stamp everything that came along," says Albright, now a managing director at the consulting firm Civitas Group LLC in Washington.
The flow of approvals coming out of Homeland Security's Office of SAFETY Act Implementation has since picked up: 68 designations and certifications since March 2005, according to DHS. Still, industry attorneys say, ambiguities and other problems continue to prevent the program from producing its intended effect: encouraging the production of anti-terrorism technology and services. "A lot of companies are very nervous about doing [homeland security] work," says Brian E. Finch, an attorney who drafted some of the first successful SAFETY Act applications and now heads the homeland security practice at Dickstein Shapiro LLP in New York. "There's been a lack of good answers about providing liability certainty."
Finch and others are hoping firms will feel less nervous now that DHS has issued final regulations. The rule, released June 8, includes a host of changes that industry representatives say address most of the problems raised with the interim rule.
Many are small but important changes or clarifications. Can DHS force a firm to self-insure? Answer: no. Does the SAFETY Act apply in the case of a terrorist act that occurs in another country, such as a cyberattack? Answer: yes, if it causes harm in the United States. Can a firm suddenly lose its liability protection if it makes small changes to its technology? Answer: no, although it still must alert DHS if making significant or nonroutine modifications.
Perhaps the most prominent change is to put in writing an approach the department has begun using more recently: tying SAFETY Act approval more closely with procurements. That way, firms bidding on or winning homeland security contracts know in plenty of time whether or not they have SAFETY Act protections for those projects.
"We sometimes refer to it as two trains running in parallel," says David Z. Bodenheimer, a partner at Crowell & Moring in Washington and vice chairman of the Homeland Security Committee of the American Bar Association's Science & Technology Law Section.
"If they both arrive at the station at the same time, you're good to go. What happens if the contract award train arrives first and you're still waiting for SAFETY Act approval? Do you say 'No, I can't perform' and then get defaulted? Do you make your bid contingent on SAFETY Act approval and then you're disqualified from competition? Or do you just hope during the next six months, eight months, a year, you don't have a terrorist attack?"
The new rule also reduces the processing time for each application for liability protection from about 150 days to fewer than 120 days. But Albright says the procurement tie-in was always more important than the speed because the lack of coordination meant companies were submitting contract bids contingent on SAFETY Act approval. "That was crazy because a procurement official would get that and couldn't possibly approve a contract" with a conditional provision, he says. "It didn't matter if the SAFETY Act Office took 10 seconds or 10 years."
The new regulation contains few details about how the department will link the procurement and SAFETY Act offices, although DHS officials say they have developed internal processes for that purpose. Outsiders say they'll believe it when they see it.
The new rule also creates liability protections for products in the development and testing stages. According to a DHS official, this change was motivated by the real-life case of a firm whose product could be tested only by deploying it. The firm's leaders worried that if an attack occurred and their system didn't work properly, then the company could be sued, even though it was only in the testing phase.
And the final regulation also creates "block" approvals, meaning DHS will announce broad categories of approved products. So if, for example, a firm builds a radiation detector in accordance with the specifications the department has laid out, the company will receive an expedited SAFETY Act review without further analysis of the technology.
It is difficult to find anyone to argue against the scope of the law's protections. Some Democrats in Congress originally objected to the SAFETY Act, but that protest seems to have dissipated after the act became law. A section of the American Bar Association expressed misgivings about some aspects of the law. And that is about it.
"It's not on the radar, because it's such a specialized area, and it should be," says Mary Schiavo, a litigation attorney who represents about 50 clients suing the airlines over the Sept. 11 attacks. "It's not something plaintiff lawyers' meetings are discussing."
Schiavo, formerly the outspoken inspector general of the Transportation Department and now at the Motley Rice LLC law firm in Mount Pleasant, S.C., says there already were laws in place to protect companies in high-risk fields from incurring unlimited liability.
Those laws allowed a reasonable examination for blatant negligence, the basis of the majority of suits in these cases, she says. The new rules effectively will mean that payments to victims of an attack will not be nearly enough after being divided among many plaintiffs and their attorneys, she adds.
"It dramatically reduces the incentive for industry and people to be responsible," she says. "If you are negligent and you put technology out there and they harm people, you really won't be held accountable."
"It's a very clever drafting and a very dramatic change to the law," she adds. "Who could be opposed to something called the SAFETY Act?"
DHS and industry officials, meanwhile, contend the changes return the program to its intended purpose rather than broaden it. Albright notes one change that was not included: granting SAFETY Act protection based on approval by state and local governments. "That would have been horrible," he says. "That would have allowed any police chief [anywhere in the country] to set a national standard."
Albright says the new regulations appear to be identical to what he submitted a year and a half ago. Many in industry and at DHS largely credit the changes to the arrival in early 2005 of Deputy Secretary Michael Jackson, who spent time in the private sector before joining DHS from the Transportation Department, and Secretary Michael Chertoff, a former U.S. attorney and federal judge who specifically mentioned the SAFETY Act in a July 2005 speech announcing changes he planned for the department. "There is more opportunity, much more opportunity, to take advantage of this important law, and we are going to do that," Chertoff said.
Department officials have met with minority staff on the House Homeland Security Committee to discuss the program; a committee hearing on the subject originally scheduled for June was moved to July.
A massive DHS procurement for border security technology, SBInet, does not give automatic SAFETY Act approval to bidders, though the winner will be considered a "good candidate" for the liability protection, and will receive an expedited review. Still, the DHS official says, the department will begin to use the law more proactively to spur technology development in certain areas. "We need to utilize the SAFETY Act in a way that produces a result," the official says. "It's not just an outlet for people to apply when they want to. It's a tool for us to materially improve our terrorism defense."
As for the past, no one is certain what effect the alleged shortcomings of the law have had. A National Defense Industrial Association study, Bodenheimer says, reported that 25 percent of companies surveyed had opted not to bid on a homeland security procurement because they were not sure they could earn SAFETY Act approval. Fearful of being sued if a pathogen slipped by, Northrop Grumman Corp. refused to sell its biohazard sensors to the U.S. Postal Service until the agency agreed to pay for the firm's liability insurance.
But there are few other known examples of firms quashing product development over liability concerns. DHS officials don't know how many applications they have received, but say there are relatively few rejections because of a pre-application process that lets firms know before applying whether or not they have a decent chance.
"Who didn't come to the office we'll never know," says Chvotkin. "One of the goals we had in advocacy was to encourage more companies to come in to take advantage of the SAFETY Act and our hope is that more companies will."