FireEye: Indemnification That's Basically Worthless


From FireEye’s CEO and the meaning of ‘basically’:

In an interview on CNBC’s “Mad Money” with Jim Cramer, FireEye CEO Dave DeWalt said a certification granted by the Department of Homeland Security under a law known as the SAFETY Act “allows companies who use our product to basically be indemnified against legal costs relative to being breached.”

Which, if you unpack this statement, turns out to be basically meaningless.

From the FAQ on the SAFETY Act maintained by the Department of Homeland Security, emphasis added:

[The] Act creates certain liability limitations for “claims arising out of, relating to, or resulting from an Act of Terrorism” where Qualified Anti-Terrorism Technologies have been deployed. The Act does not limit liability for harms caused by anti-terrorism technologies when no Act of Terrorism has occurred.

What is an Act of Terrorism? The FAQ about the SAFETY Act continues:

A: Pursuant to the SAFETY Act, an Act of Terrorism is:

ACT OF TERRORISM - (A) The term “act of terrorism” means any act that the Secretary determines meets the requirements under subparagraph (b) of the Act, as such requirements are further defined and specified by the Secretary.

REQUIREMENTS - (B) An act meets the requirements of this subparagraph if the act-
(i) is unlawful;
(ii) causes harm to a person, property, or entity, in the United States, or in the case of a domestic United States air carrier or a United States-flag vessel (or a vessel based principally in the United States on which the United States income tax is paid and whose insurance coverage is subject to regulation in the United States), in or outside the United States; and
(iii) uses or attempts to use instrumentalities, weapons or other methods designed or intended to cause mass destruction, injury or other loss to citizens or institutions of the United States.

That’s actually a pretty broad definition of terrorism that I should probably explore in another forum. Suffice it to say, most breaches that affect most companies are not recognized “Acts of Terrorism” under the SAFETY Act. Which means there is likely no legal indemnification if and when a breach happens.

Even on the off chance legal indemnification applies, there are still plenty of other costs that won’t be covered by the SAFETY Act. I’m sure FireEye will happily sell you the consulting necessary to clean up from such a breach, and I’m pretty sure it won’t be for free, either.

Personally, I’d rather prevent the breach from happening than rely on promises of indemnification if and when it does. But that’s just me.

Disclaimer: My employer Check Point Software Technologies competes with FireEye in the market. These thoughts are my own.
