The chemical industry’s Responsible Care Security Code has qualified for five years of continued protection under the SAFETY Act, run by the Department of Homeland Security (“DHS”). Responsible Care was first recognized by DHS in 2009 as a Qualified Anti-Terrorism Technology under the Support Anti-Terrorism by Fostering Effective Technologies (“SAFETY”) Act of 2002 and was approved for another five years of protection (until 2019) on January 29.
The SAFETY Act provides legal liability protection for providers (sellers) of qualified anti-terrorism products or technologies. While the legal liability protections apply only to claims arising out of or resulting from an act of terrorism, many see the SAFETY Act as creating an incentive for companies to develop and use anti-terrorism technologies. One of the main benefits of receiving protection under the SAFETY Act is that the Act immunizes from liability all “downstream” parties, such as customers, clients, subcontractors, and vendors, that use the seller’s anti-terrorism technology product or support the seller’s deployment of that product.
The American Chemistry Council requires its member companies to implement Responsible Care. Responsible Care is a global voluntary initiative that was created in the wake of 9/11 for the chemical industry. Responsible Care has a number of goals, including the improvement of health, safety, and environmental performance, that are achieved through a model of self-regulation characterized by the safe and responsible supervision of products throughout their lifecycle.
The Responsible Care system is based on thirteen management practices that include security management technology that enhances the ability to deter, detect, delay, defeat, or respond to a physical attack or cyberattack against any form of chemical operation, either at a physical facility site or during transportation. Pursuant to Responsible Care, companies must conduct a comprehensive security vulnerability assessment, implement security enhancements according to a strict timeline, and obtain independent verification to prove they have implemented the security measures. In addition to the measures that must be taken at physical sites, companies are required to address cybersecurity threats by assessing cybersecurity vulnerabilities, implementing security measures to address them, and providing training and guidance to employees on current and emerging threats.
** Thanks to our intern, Emily Deans, for her assistance on this post.