Full-court tort press

Next month, Lockheed Martin Corp. will apply to the federal government for protection for its nuclear, biological and radiological attack detection technologies.IBM Corp. will ask for protection for security assessment services and hardware, and for hardware and software used in mission-critical, anti-terrorism applications. They are but two of the scores of information technology firms that are gearing up to apply for liability protection under the Homeland Security Act of 2002. The Support Anti-terrorism by Fostering Effective Technologies Act of 2002, or Safety Act, part of the Homeland Security Act, provides limited liability protection to companies supplying "qualified anti-terrorism technologies" to federal, state and local governments, as well as commercial enterprises, in the event that a terrorist act overcomes the operation of those technologies. IT firms lobbied for the Safety Act because they said they could not get enough insurance to cover their potential losses from lawsuits resulting from such technology failure. Without liability protection, they said they would be unlikely to offer homeland security solutions to the government."We expect to submit a number of packages for solution qualification as soon as the department will accept applications," said Kent Blossom, director of safety and security services for Armonk, N.Y.-based IBM.The Department of Homeland Security will begin accepting applications for protection under the act Sept. 1, the same day that forms will be available on the department Web site, according to spokeswoman Michelle Petrovich. The Institute for Defense Analyses, a federally funded research and development center in Alexandria, Va., will review applications. Homeland Security will manage the process, Petrovich said. The department also will hold programs about the Safety Act next month in cities across the country, starting in Washington, she said.The Safety Act "has been really key to whether we would be able to make those technologies available to the full set of possible users at the federal, state and local levels," said Gerald Musarra, vice president for trade and regulatory affairs at Bethesda, Md.-based Lockheed Martin. The danger of providing these technologies to the government without liability protection is very real, industry experts said. They said large, financially stable companies could be sued for millions or even billions without the protection. Raymond Biagini, a partner with the Washington law firm McKenna Long & Aldridge LLP, gave this example: A series of simultaneous terrorist attacks occurs at airports, disrupting the technology that allows inter-airport communication. As a result of damage to IT, a terrorist infiltrates an airport and detonates a dirty bomb. The IT contractors could be sued for unknown amounts. "It's really unbounded," Biagini said. "New York City has experienced more than $16 billion in losses [because of the Sept. 11, 2001 attacks] even after federal emergency money and insurance has come to the rescue. That's why the Safety Act is so important. Some contractors are very antsy about continuing to deploy without this protection."Some contractors are beginning to assemble applications for protection under the Safety Act based on information in the legislation and in a proposed rule published July 11 in the Federal Register. The limits on contractor liability for eligible technologies include:Contractors that have not begun to assess their technologies for anti-terrorism applications and possible coverage under the Safety Act should do so now, industry experts said July 30 at a program put on by the Professional Services Council, an Arlington, Va., trade group representing companies that provide services to the government."You have to look at your broad scope of products and services" to determine which should be covered by the Safety Act, said Paul Haseman, a senior counsel of Lexington, Mass., defense firm Raytheon Co. Technologies that are deployed, existing but not deployed, and planned are potentially eligible for protection, he said. In addition, technologies not used for anti-terrorism could have applications in that area, and companies should consider applying for protection for them, Haseman said. For example, ground radar used for drug enforcement purposes could be used for intrusion detection in other areas. The benefits of the Safety Act go beyond limiting financial losses. Companies with "qualified anti-terrorism technologies" might more easily secure funding for additional development of the technology, Haseman said. The designation also may give the firms a competitive advantage over firms selling technologies that have not received the designation, said John Clerici, an associate with McKenna Long & Aldridge. The proposed rule, published July 11, establishes a good framework for implementing the Safety Act, but it needs to be fleshed out in several areas, industry executives said.First, more detail is needed on how the department will protect proprietary information submitted with applications for protection, said Alan Chvotkin, PSC's senior vice president and counsel."Companies are going to be asked to disclose how they would stop a terrorist attack. The need for Homeland Security to protect that information is on par with protecting the strategic analysis coming from the FBI or CIA," he said.Chvotkin also said the regulation should make clear that Safety Act protection applies to both products and services. Some criteria for qualification are difficult to apply to services, such as compliance with safety standards and evaluation of scientific studies that assess the ability of the technology to reduce terrorism risk, he said. "We want to make sure the regulations are neutral as to the technology being applied," whether it is a product or service, Chvotkin said.The timeframe for qualification is also a concern, executives said. The process could take close to a year, according to schedules laid out by the department. Musarra said Lockheed Martin officials think the process could be expedited for technologies already in use."When you're dealing with existing technology with a track record, there is a lot of interest among entities with homeland security responsibility. They know what they want," he said. Some company executives may question who should apply for protection under the act, which says only the seller may be sued. But procurements may include prime contractors, subcontractors and IT resellers, calling into question who is the seller. Guidance is needed on this point, executives said.Comments on the proposed rule, jointly filed by PSC, the Information Technology Association of America, the Aerospace Industries Association and the National Association of Manufacturers, recommended that "the regulations should be sufficiently flexible so that, in such circumstances, Homeland Security could designate and certify the entire system for which the prime contractor would be considered the seller, or ... issue multiple designations and certifications to multiple sellers of the components of that system."It's a good idea for subcontractors to have their products and services qualified for protection, Chvotkin said. "If it is my technology, I'd want to be in control," he said.Indeed, applying for protection "is a matter of corporate responsibility," Biagini said. "If they don't get aggressive, get the protection and they get sued and cannot invoke the Safety Act, imagine what their shareholders will think." Staff Writer Gail Repsher Emery can be reached at gemery@postnewsweektech.com.