Guarding Against Terrorism--And Liability

Developers of antiterrorism tools have little to worry about, thanks to a provision of the U.S. Homeland Security Act

Remember the Good Housekeeping seal of approval? If a product that bears the seal proves defective within two years of purchase, Good Housekeeping magazine replaces it or refunds the purchase price.

Now there is similar approval (but one that chiefly benefits the seller, instead of the consumer) of products and services developed to protect against terrorist acts--it's the "Approved Product for Homeland Security" list to be posted by the U.S. Department of Homeland Security (DHS) on its Web site. If an approved product doesn't work as well as promised and, as a result, people are maimed or killed by an "act of terrorism," no vendor can be held liable for damages--not the company that sold it, those who distributed it, or the subcontractors that helped design and build it.

Thanks to provisions buried deep within the hundreds of pages of the Homeland Security Act of 2002 and spelled out under the title "Support Anti-Terrorism by Fostering Effective Technologies Act of 2002" (or the so-called SAFETY Act), this seemingly magical protection shields a company whose product has both been designated a "Qualified Anti-Terrorism Technology," or QATT (pronounced quat), and been certified for the approved product list. Here's a breakdown of how the SAFETY Act shields your company against liability, along with a step-by-step guide to applying for the Act's protections.

Designation as a QATT confers an array of protections, and though it allows terrorist victims to sue, they can sue only the seller of the product (not its suppliers, distributors, or the deployer of the product). And there is also a provision that puts a cap on recoverable damages set by the DHS.

Certification, which is granted only to a QATT, entitles the seller of the approved product to a protection called the "government contractor defense," which formerly protected only sellers to the federal government. For instance, a soldier's family could not recover damages from Boeing if the company designed and built a helicopter with a defective tail rotor that caused the soldier to be maimed or killed. Now, under the SAFETY Act, that defense protects the seller to both federal and nonfederal customers.

If you are the seller of an approved product, unless you misinformed DHS in your application, you gain immunity from any product liability related to an act of terrorism. Thus, a family that loses a daughter exposed to a plume of toxic chemicals released as a result of a terrorist attack on a chemical company's computers cannot recover damages from the company that made the software to guard against terrorist hackers if that software is an approved product.

This QATT and approved product "seal" is issued by DHS after it reviews the product to determine, among other things, if it performs as intended, conforms with the seller's specifications, and is safe for its intended use. The QATT and approved product seal are valid initially for five to eight years (and thereafter can be renewed), as decided by DHS.

As of this writing, in mid-December, DHS had been accepting applications for only a few weeks; it has yet to issue its first QATT designation and product seal. DHS has, however, issued regulations that clarify many of the terms and conditions, and even relaxed some of the SAFETY Act's more burdensome requirements.

Obtaining the QATT and the product seal works like this: Suppose NanoPloy Inc. developed a computer security product, one of whose purposes is to guard against cyberattacks by terrorists. NanoPloy registers at DHS's secure Web site, and completes separate applications for the two designations. The application instructions require, among other things, descriptions of possible scenarios of terrorist attacks, the security that will be gained by deploying the technology, and the results of performance and safety tests.

If, after reviewing NanoPloy's application, DHS finds that NanoPloy's technology meets the criteria set forth in the Act and the implementing regulations, DHS approves the technology for QATT designation. If it also passes the scrutiny for approved product certification, DHS then lists the technology on its Web site and sends the company a "certificate of conformance," which the company can submit to a court if it is later sued.

In turn, NanoPloy must make a good-faith effort to get agreements from its suppliers and customers not to sue one another and must, within 30 days of receiving QATT designation, buy the kind and amount of liability insurance specified by DHS or face losing the designation.

If sued by victims of a terrorist attack, NanoPloy need only present a federal district court with its approved product certificate of conformance to prove entitlement to the government contractor defense. If sustained by the court, that entitlement would warrant dismissal of all claims against NanoPloy, quite possibly before trial.

In fact, the only way a plaintiff could overcome NanoPloy's entitlement to the government contractor defense would be to prove that NanoPloy engaged in fraud or some other willful misconduct in providing information to DHS in its QATT or approved product applications.

Let's consider a company trying to protect itself against terrorists. A chemical giant called HippoChem, located near a large city, stores and uses toxic and combustible chemicals. It prudently conducts a terrorist vulnerability assessment and identifies weak points in plant security. To reduce its vulnerabilities, it buys and deploys NanoPloy's cybersecurity product listed as an approved product for Homeland Security. It also buys a perimeter security product from PentaG Inc. for which PentaG did not seek the approved product certification, nor even QATT designation.

Months pass until one cool autumn day, with a stiff breeze blowing in the direction of the city, the terrorists strike--first, with a cyberattack that seizes control of HippoChem's batch chemical processing computers, and next, with a car bomb detonated next to a warehouse for organic chemicals. Finally, as smoke, flames, and noxious vapors disorient, disable, or panic HippoChem's employees, the terrorists seize control remotely of HippoChem's abandoned computers, cause processing malfunctions, explosions of combustible polymers, and additional releases of chemical-laden clouds.

A toxic plume stretches downwind toward the city. Thankfully, the security products are at least half effective; otherwise, the density of the released plume would be far greater. The products, however, are not as good as represented. Had they performed as promised, the terrorists would not have penetrated HippoChem's computers or its plant's premises and no toxic plume would have been released.

But now more than 100 000 residents in the nearby city are exposed to the chemicals. Only a few die that day, but over the next two years, thousands die of ailments attributable to or exacerbated by the exposure. Many others are disabled or find their ability to work severely diminished by respiratory and immunological problems.

Survivors and families of the deceased, overwhelmed by medical expenses, file lawsuits in state courts against HippoChem alleging negligence, lax security, inadequate training, and deficient maintenance. They also sue NanoPloy and PentaG alleging defects in the design and manufacture of their products. The plaintiffs seek monetary awards--for their physical injuries, emotional injuries, loss of earnings, pain and suffering, loss of spousal companionship, and so on, as well as punitive damages.

Total awards sought dwarf the net worth of each company, but their fate in court could be very different. PentaG learns that its litigation costs will soar and that it has little chance of averting liability.

In contrast, the state court must dismiss the suits against NanoPloy, and if plaintiffs then sue NanoPloy in federal court, the company can raise the government contractor defense even though HippoChem is a nonfederal customer. This makes it highly likely that all suits against NanoPloy will be dismissed before trial. However, a trial might be necessary to determine whether NanoPloy acted in accordance with the SAFETY Act and its associated regulations when it obtained DHS certification.

In other words, a plaintiff may persuade a federal court that it has sufficient evidence of NanoPloy misconduct to deny it the government contractor defense or to warrant a trial to decide that issue.

In either event, the only evidence the plaintiff is permitted to introduce is of fraud or willful misconduct by NanoPloy in its submission of information to DHS. Ironically, if NanoPloy acted properly and reported no defects to DHS, but later discovered defects in its technology, the regulations do not currently require NanoPloy to warn its customers or DHS of those defects.

Even if the federal court determines that NanoPloy is not entitled to the government contractor defense, NanoPloy retains formidable protections conferred by DHS's QATT:

No product liability suits can be filed against NanoPloy in state courts; they must all be brought in federal district courts.

Claims against NanoPloy for punitive damages should be dismissed.

Claims against NanoPloy for prejudgment interest should be dismissed. This is interest on the final damage award that is given to compensate victims for the long wait to obtain an enforceable judgment, often for an injury suffered years earlier.

Claims for noneconomic damages, such as emotional pain and suffering, are barred unless the person has been physically injured, and even then the recoverable damages are limited to an amount directly proportional to the percentage of NanoPloy's responsibility.

Damages awarded cannot exceed the amount of the insurance that DHS required NanoPloy to obtain.

Claims against HippoChem, to the extent they relate to NanoPloy's product, should be dismissed, because suits under the Act can be brought against only the seller.

Although HippoChem cannot be sued for harm attributable to NanoPloy's QATT and approved product, it remains to be seen if it could be sued for harm attributable to PentaG's technology, because PentaG did not seek the Act's protections. That is one good reason why customers may prefer to buy an approved product--it protects them (as well as the seller) from lawsuits because of an act of terrorism.

The SAFETY Act applies equally to U.S. and non-U.S. companies. Most overseas companies, and even many U.S. companies, are unaware of the Act, its protections, or its expansive scope, which includes services, software, and other forms of intellectual property, though they, too, could qualify for the Act's unique protections.

A few prudent steps will help a company qualify its products:

Carefully test and analyze your technology's capabilities, address defects forthrightly, and do not underestimate how broadly DHS will interpret what qualifies as an "antiterrorist technology."

Regularly check DHS's Web site, where DHS may issue and revise safety and effectiveness standards for antiterrorism technologies.

Consult with your lawyer to avert avoidable errors in filing the applications and to comply with the regulations' requirements for retaining QATT designation and its protections.

Before filing an application, ask DHS for a nonbinding, advisory opinion as to whether your technology's chances of qualifying for the Act's protections are "promising," "uncertain," or "doubtful."
