Terrorists will target critical infrastructure
Study after study makes one thing clear – the West remains ill-prepared to defend against a terrorist attack to critical infrastructure. That makes it obviously vulnerable, but it also exposes government agencies and the private sector (who own or manage upwards of 80% of critical infrastructure in some areas), among others, to potential risks and liability in the event of a terrorist attack. With respect to cyber-related infrastructure, in the U.S., the Department of Homeland Security reported a 383% increase in attempted or successful cyber attacks against critical infrastructure.
Terrorists are interested in targeting critical infrastructure, namely the systems and assets, whether physical or virtual, that are so vital that the incapacity or destruction of them would have a debilitating impact on national security, national economic security, national health or safety, or any combination of them.
Energy infrastructure apparently interests them most (electric power network, nuclear plants, oil pipelines, alternative energy systems), along with transportation infrastructure (ports, bridges, airports, train stations, tunnels) and, more recently in the context of cyberterrorism, the financial system (banks, stock exchanges, credit card companies), because the inter-dependency of these forms of critical infrastructure on others, and between governments, means that targeting these assets will create the most disruption to the greatest number of people and significant economic damage.
Potential liability for terrorist attacks for private enterprise
Inevitably, terrorist attacks will lead to lawsuits. The difficulty for plaintiffs, however, is that the primary responsible parties (terrorists) are often out of the relevant jurisdiction and as a result, plaintiffs seek out numerous other defendants for recovery, normally those entities that designed, built, financed or invested in the targeted critical infrastructure project, and that currently manage, control, own or maintain it.
When such a lawsuit is commenced, the primary theory of potential liability for a terrorist attack is negligence. A defendant may be subject to liability under this theory if he owes a duty to the plaintiff and acts negligently in such a way as to cause the plaintiff an objectively foreseeable injury. The standard is an objective one and the courts apply the test of what a reasonable man would have done in the defendant’s position. What is reasonable depends on the circumstances.
Terrorist attacks to critical infrastructure are not just foreseeable, they are expected
But what is obvious and different, legally speaking, is that from 9/11 onwards, terrorist attacks are not just foreseeable, they are expected. Governments issue terrorist alerts frequently and terrorist organizations sometimes provide advance warnings of their intention to undertake critical infrastructure damage. The fact that terrorist attacks to critical infrastructure are expected places an enhanced obligation to protect the infrastructure assets.
The second theory of liability may be products liability. Typically, liability is imposed for design defects if the risk of a product as it is currently manufactured outweighs its utility when considered in light of any alternative designs. If we know terrorists will attack critical infrastructure, prudent entities involved in the project would assess whether they are designing, building and maintaining that infrastructure piece with a view to resilience and mitigation of harm from an attack, and whether there are alternative designs that could be used.
The scope of potential defendants arising out of terrorist attack litigation is wide. They include, in respect of critical infrastructure, government agencies that regulate or oversee the infrastructure, asset managers, manufacturers, designers, owners, architects, construction companies, insurance companies, downstream service providers and lessors.
Government immunity not necessarily available
As the 1993 World Trade Centre garage bomb litigation in New York City demonstrated, government agencies may not necessarily be legally immune in respect of terrorist attacks. In that case, citizens and businesses sued the government agency that owned and operated the World Trade Centre facility to recover for injuries and losses incurred from the explosion. The government raised an immunity defence which the plaintiffs successfully rebutted by arguing that negligence arose out of the government’s proprietary function. Its duty in respect of security of the premises was part of its proprietary function as a commercial landlord because the ownership and care of the parking facility and the provision of these basic security measures for the commercial tenants, business invitees, and the public, were activities traditionally carried on through private enterprise, specifically by commercial landlords, and thus constituted proprietary functions when performed by a government agency.
The jury assigned fault for the destruction of the infrastructure to (a) the terrorists; and (b) the government for its failure to adopt more rigorous security measures recommended to it by its own security experts.
Government agencies therefore should be careful of the roles they assume in P3 infrastructure projects and should not undertake any roles that, as a matter of common law, may later serve to erode government immunity.
Mitigating legal risks for critical infrastructure
There are a number of ways organizations involved in the delivery and maintenance of critical infrastructure can mitigate legal risks in the face of potential terrorist attacks.
A. Focus on risk allocation in contracts
Determining risk allocation is key.
An airport infrastructure guru based in Toronto once told me that risk allocation in P3 infrastructure is allocated to the party best equipped or suited to cope with, or manage, a risk coming to fruition. But no, if that were the case, risks would always be allocated to the party with the deepest pockets. Rather, risk allocation is always a product of negotiation and governments should not, as P3 partners, agree to risks (and liabilities) that should be part of the private sector’s responsibility.
Allocation of risks through careful risk allocation provisions (“RAP”) in contracts for the development and maintenance of critical infrastructure is vital, particularly post-closing RAPs. In this context, more complex RAPs do not equate to better RAPs – a Harvard study on lawyers who drafted complex M&A deals found that inexperienced or unqualified lawyers produce lengthy, overly complex RAPs that are ineffective compared with experienced lawyers who produced short but effective RAPs. Quality, not length, is key.
With respect to RAPs, parties should consider provisions that address indemnities, both as against loss or damage, and against liability, limitations of actions and of liability, and waiver of subrogation and insurance clauses.
Disaster-outs are also important but they should be reviewed carefully – too many disaster-out clauses are imprecise or ill-conceived in respect of the allowed “outs” and provide for too many provisos. The more provisos required, the less likely a party will be able to exit a project that becomes economically non-viable as a result of a terrorist attack. The same applies to market outs, material change outs, and rating change outs.
Security risk management, like all risk management decisions, has financial consequences which should factor into the RAPs.
B. Disclosure of risks
In respect of investors to critical infrastructure projects, the disclosure of risks associated with terrorist attacks to critical infrastructure must be articulated in conjunction with the disclosure of other risks (i.e., in respect of financings, registration statements, prospectuses, OMs, AIFs). Securities legislation provides for criminal and civil penalties for failing to disclose material facts or making untrue statements of material facts. While under securities law, there is no obligation to disclose risks that could apply to any issuer or any offering, the risks to critical infrastructure from terrorism do not qualify as a generic risk applicable across the board and therefore disclosure is required. Providing disclosure of material risks of loss limits the likelihood that a corporation will be liable to investors if a loss occurs. In terms of terrorism-related risks, the disclosure required is in respect of the risk and consequences of an attack, insurance related thereto and the likelihood of being a potential defendant in the event of such an attack. Risks for cyber as well as physical terrorist attacks should be included as each carries its own set of risks and consequences.
C. Undertake risk assessments & implement controls
The parties that manage, control and own critical infrastructure can mitigate legal risks in connection with potential terrorist attacks by identifying the risks and effectively managing both foreseeable risks and identified threats to achieve security.
There are two types of terrorist attacks to be concerned with – physical and cyber attacks – and continuity of operations, through an intelligence- and information-led, risk-informed approach, is an important factor. Avoiding single source dependencies is one way to achieve continuity of operations.
Risk-informed approaches involve the integration of threat, vulnerability, and consequence information. The subsequent risk management involves deciding which protective measures to take based on an agreed-upon risk reduction strategy. Models and methodologies are developed by assessing which threats, vulnerabilities, and risks are integrated and using that data to allocate resources to reduce the risks. The risk landscape is constantly evolving and therefore, safety and security standards, concepts and measures should be dynamic. Risk assessments and implementation of reasonable controls will help mitigate liability.
Because the real burden for critical infrastructure protection may ultimately rest mainly on the shoulders of the private financing sector, public-private interaction based on clearly legally defined roles and responsibilities for disaster preparation, mitigation and management is also necessary.
The ultimate goal of security of infrastructure is to take prevention, mitigation and responsive measures across the supply chain to ensure asset integrity, reliability of supply and protection of people and the environment.
D. Take advantage of legal privilege for security assessments
On a more micro level, the practice of having legal counsel manage and engage external parties for security reviews and assessments of critical infrastructure is advisable. Such a practice imbues the engagement with privilege and confidentiality arising from the lawyer-client relationship, potentially protecting the end product from disclosure in the event of litigation. This is often done in the context of environmental and tax advice. The World Trade Centre case referred to above, wherein the government agency and private financing parties were liable for damages arising from a terrorist attack, is a case in point. In that case, the parties had commissioned a security assessment and failed to comply with the recommendations of the assessment. The security assessment was not obtained through an outside counsel engagement.
The unfortunate reality of a terrorist attack is that if and when it happens, it will inevitably result in chaos and disruption to the organizations targeted. In addition to loss of corporate assets, there may be deaths and injuries to deal with at the same time as infrastructure continuity service issues.
When the dust settles, the insurers, financiers, corporate entities and government agencies connected with that critical infrastructure will be subject to decades of legal claims and lawsuits – some they must start and some they must defend.
The best advice any lawyer can possibly give is to get your legal house in order now, not after such an attack.