From FireEyeâs CEO and the meaning of âbasicallyâ:
In an interview on CNBCâs âMad Moneyâ with Jim Cramer, FireEye CEO Dave DeWalt said a certification granted by the Department of Homeland Security under a law known as the SAFETY Act âallows companies who use our product to basically be indemnified against legal costs relative to being breached.â
Which, if you unpack this statement, turns out to be basically meaningless.
From the FAQ on the Safety Act maintained by the Department of Homeland Security, emphasis added:
[The] Act creates certain liability limitations for âclaims arising out of, relating to, or resulting from an Act of Terrorismâ where Qualified Anti-Terrorism Technologies have been deployed. The Act does not limit liability for harms caused by anti-terrorism technologies when no Act of Terrorism has occurred.
What is an Act of Terrorism? The FAQ about the SAFETY Act continues:
A: Pursuant to the SAFETY Act, an Act of Terrorism is: ACT OF TERRORISM- (A) The term âact of terrorismâ means any act that the Secretary determines meets the requirements under subparagraph (b) of the Act, as such requirements are further defined and specified by the Secretary. REQUIREMENTS- (B) An act meets the requirements of this subparagraph if the act- (i) is unlawful; (ii) causes harm to a person, property, or entity, in the United States, or in the case of a domestic United States air carrier or a United States-flag vessel (or a vessel based principally in the United States on which the United States income tax is paid and whose insurance coverage is subject to regulation in the United States), in or outside the United States; and (iii) uses or attempts to use instrumentalities, weapons or other methods designed or intended to cause mass destruction, injury or other loss to citizens or institutions of the United States.
Thatâs actually a pretty broad definition of terrorism that I should probably explore in another forum. Sufficed to say, most breaches that affect most companies are not recognized âActs of Terrorismâ under the SAFETY Act. Which means there is likely no legal indemnification if and when a breach happens.
Even on the off chance legal indemnification applies, there are still plenty of other costs that wonât be covered by the SAFETY Act. Iâm sure FireEye will happily sell you the consulting necessary to clean up from such a breach, and Iâm pretty sure it wonât be for free, either.
Personally, Iâd rather prevent the breach from happening rather than relying on promises of indemnification if and when they do. But thatâs just me.
Disclaimer: My employer Check Point Software Technologies competes with FireEye in the market. These thoughts are my own.