FireEye: Indemnification That's Basically Worthless


From FireEye’s CEO and the meaning of ‘basically’:

In an interview on CNBC’s “Mad Money” with Jim Cramer, FireEye CEO Dave DeWalt said a certification granted by the Department of Homeland Security under a law known as the SAFETY Act “allows companies who use our product to basically be indemnified against legal costs relative to being breached.”

Which, if you unpack this statement, turns out to be basically meaningless.

From the FAQ on the Safety Act maintained by the Department of Homeland Security, emphasis added:

[The] Act creates certain liability limitations for “claims arising out of, relating to, or resulting from an Act of Terrorism” where Qualified Anti-Terrorism Technologies have been deployed. The Act does not limit liability for harms caused by anti-terrorism technologies when no Act of Terrorism has occurred.

What is an Act of Terrorism? The FAQ about the SAFETY Act continues:

A: Pursuant to the SAFETY Act, an Act of Terrorism is: ACT OF TERRORISM- (A) The term “act of terrorism” means any act that the Secretary determines meets the requirements under subparagraph (b) of the Act, as such requirements are further defined and specified by the Secretary. REQUIREMENTS- (B) An act meets the requirements of this subparagraph if the act- (i) is unlawful; (ii) causes harm to a person, property, or entity, in the United States, or in the case of a domestic United States air carrier or a United States-flag vessel (or a vessel based principally in the United States on which the United States income tax is paid and whose insurance coverage is subject to regulation in the United States), in or outside the United States; and (iii) uses or attempts to use instrumentalities, weapons or other methods designed or intended to cause mass destruction, injury or other loss to citizens or institutions of the United States.

That’s actually a pretty broad definition of terrorism that I should probably explore in another forum. Suffice it to say, most breaches that affect most companies are not recognized “Acts of Terrorism” under the SAFETY Act. Which means there is likely no legal indemnification if and when a breach happens.

Even on the off chance legal indemnification applies, there are still plenty of other costs that won’t be covered by the SAFETY Act. I’m sure FireEye will happily sell you the consulting necessary to clean up from such a breach, and I’m pretty sure it won’t be for free, either.

Personally, I’d rather prevent the breach from happening than rely on promises of indemnification if and when it does. But that’s just me.

Disclaimer: My employer Check Point Software Technologies competes with FireEye in the market. These thoughts are my own.
