Get the DealBook newsletter to make sense of major business and policy headlines — and the power-brokers who shape them.
MGM Resorts International, in a shocking legal maneuver to protect the conglomerate from liability for a mass shooting last year, has sued the victims.
It’s an audacious pre-emptive move that hinges on an interpretation of novel legal issues under an obscure federal law that has never been tested in the courts. Depending on how the cases play out, it will have far-reaching implications for both victims and companies targeted by terrorists and cybercriminals.
MGM has filed nine lawsuits so far against 2,500 victims in federal courts across the country, including in Nevada, California and New York. MGM owns the Mandalay Bay hotel, where Stephen Paddock, from his 32nd floor suite, shot and killed 58 people and wounded hundreds more who were attending a music festival next door. It stands as the deadliest shooting in our nation’s history.
MGM now wants a federal judge to rule that it has no liability “of any kind.”
The optics of the lawsuits are unsavory, to say the least. Critics are already calling MGM’s legal tactic “utterly reprehensible” and worse. And there’s sure to be more outrage by the victims and their families who likely don’t want to relive this tragedy.
Yet the lawsuits aren’t about the victims or monetary damages. MGM has filed declaratory judgment actions — a legal move that asks for a ruling on the company’s rights — under a 15-year-old federal law that prohibits or limits lawsuits by victims affected by acts of terrorism.
At the center of these lawsuits is the Support Antiterrorism by Fostering Effective Technologies Act of 2002, or the Safety Act. The act provides sweeping liability protections for companies that develop innovative security products and services when the litigation arises from an “act of terrorism.”
The law was passed after the terrorist attacks of Sept. 11, 2001, when lawsuits were filed against United and American Airlines, airport security companies, Boeing, and other deep-pocketed firms for security lapses. Most of the lawsuits have been settled or resolved, although the process has been protracted, lasting more than a decade in some cases. Congress wanted to avoid this mess in the future and encourage the companies to develop antiterrorism technologies — including cybersecurity programs — without fear of excessive liability and entanglement in litigation.
The liability protections provided by the Safety Act include a cap on the amount of damages victims can recover and permit only a single lawsuit or “federal cause of action” when there’s an “act of terrorism” and a Safety Act qualified product or service is involved.
The crux of MGM’s legal argument is that it hired a security firm with Safety Act protection to safeguard the concertgoers. By doing so, it contends, it receives the law’s benefits and is off the hook for any damages sought by the victims or their families. The Safety Act’s protections, MGM argues, extend to it as a buyer of the security firm’s services even though it never undertook the rigorous process mandated by the Department of Homeland Security to receive the law’s benefits.
If MGM is right, the security firm will be on the hook for damages, which will most likely be limited to a confidential liability cap established by the Department of Homeland Security.
Because this is the first legal test of the Safety Act, it will have consequences for every company that has received the law’s protections. In the 15 years since it became law, more than 1,000 companies have qualified their products and services for its protection. Those range from composite materials designed to protect bridge infrastructure from terrorist attacks to comprehensive data security plans and policies to mitigate exposure to a cyberattack.
These companies relied upon the law. Without its protections, companies argue, they would never have devoted the resources or taken the legal risk to develop cutting-edge security products and services.
The stakes are also high for victims of terrorist attacks. Does the Safety Act cover companies, such as MGM, that have not been awarded the law’s protections? Will victims who sue companies protected by the Safety Act be left with damages that amount to pennies on the dollar, or will there be other sources of recovery?
It is far from clear how MGM will fare in its lawsuits. There are plenty of challenges and novel legal issues ahead, including whether the security firm’s legal protection will insulate MGM from liability as a company that used its federally certified services. Another hurdle will be the fact that the law requires that the secretary of homeland security declare an act terrorism before its protections are triggered. The department has not done so in the Las Vegas shooting.
Safety Act protection is a heavy lift and requires companies to analyze and submit reams of information to the Department of Homeland Security to demonstrate that their security products or services are effective and safe. They must also undergo an extensive validation process by the department and a panel of outside experts. The certification lasts only between one and five years so companies must regularly ensure that their security programs are up to the agency’s standards.
While MGM’s tactics are controversial, these lawsuits will help clarify the scope of protections under the Safety Act, one of the most important and comprehensive laws in an age of increasing terrorist events and cyberattacks.
Craig A. Newman is a partner with Patterson Belknap Webb & Tyler and chair of its privacy practice. Mr. Newman has represented companies that have obtained protection under the Safety Act but is not involved in the MGM cases.