On May 21, the CEO of one of the hottest companies in the booming cybersecurity sector appeared on CNBC and highlighted a new credential that would help to separate his company from its hard-charging rivals.
In an interview on CNBC's "Mad Money" with Jim Cramer, FireEye CEO Dave DeWalt said a certification granted by the Department of Homeland Security under a law known as the SAFETY Act "allows companies who use our product to basically be indemnified against legal costs relative to being breached."
That was an important development, DeWalt said, "So if you use FireEye's product you basically are prevented from being sued in the criminal justice system of America, which can save a lot of money."
A casual viewer might come away from that comment thinking that the Department of Homeland Security was offering FireEye's customers legal indemnification if they suffer a data breach.
But a spokesman for Homeland Security said that's not the case.
In particular, the spokesman said, the certification in question only provides "some liability protections" in the event of a cyberbreach that qualifies as an "act of terrorism" as designated by the secretary of Homeland Security.
And that's never happened before. The spokesman said no cyberattack has ever been designated an act of terrorism. In fact, the secretary of Homeland Security has never designated an act of terrorism of any kind under the SAFETY Act, which was passed in 2002.
"SAFETY Act protections only apply if the secretary of Homeland Security determines that there has been an act of terrorism as set forth in the SAFETY Act statute," said Homeland Security spokesman S.Y. Lee in a statement to CNBC. "In the instance of a cyberbreach where the secretary has not made this determination, then the SAFETY Act is not triggered and provides no coverage for the technology's seller or the users of the technology."
CNBC asked FireEye about this apparent discrepancy, and a spokesman responded that DeWalt's comments on the program were accurate.
Basically, FireEye says the accuracy of the statement depends on what the meaning of "basically" is.
"Dave uses the term 'basically,' so the statement is broad enough in that context to be accurate," said FireEye spokesman Vitor De Souza in an email to CNBC. "With the limited time on TV, multiple follow-up questions couldn't be addressed."
"Dave did NOT say that the SAFETY Act covered ALL legal costs or ALL breache(s), just said it generally applies to those costs," wrote De Souza.
The CNBC appearance was not the only time DeWalt has used the term "basically" when describing the Homeland Security certification.
In May, DeWalt spoke at an investor conference organized by JPMorgan, and he explained the importance of the certification.
"And what it is is the Department of Homeland Security awarded a certification to FireEye for our products that basically exonerates any company using FireEye from litigation and legal expense related to being sued," DeWalt said, according to a transcript of the event.
The certification is "pretty amazing," DeWalt said. "Now the government putting a kind of a underwriter lab seal of approval on you to say, hey, use this company and it will help you from being breached. And if you do get breached by using this product, you're exonerated from legal expenses."
FireEye's spokesman said DeWalt's last phrase in that statement—"you're exonerated from legal expenses"—should have been expanded. "By the technical definition, yes, that last phrase is incorrect," De Souza said. "The rest of the statement is pretty true."
De Souza said the company does not tell its customers the law provides 100 percent indemnification. He also pointed to a frequently asked questions section of FireEye's website that explains the liability protections of the law apply to acts of terrorism. On the website, FireEye says that the SAFETY Act offers liability and procedural defenses in the case of a lawsuit.
De Souza added that FireEye considers a number of events—including recent hacks into Sony and the Sands Las Vegas casino—to be acts of terrorism, although they have not been designated as such by the Department of Homeland Security. "The definition of cyberterrorism is really not well defined yet," De Souza said. "It's a new world. We're proud to be the test case."
The Department of Homeland Security said that the SAFETY Act does offer some liability protections in the case of a terror attack. "In the event the secretary of Homeland Security determines that there has been an act of terrorism, thereby triggering the SAFETY Act's protections, users have some liability protections when they use SAFETY Act approved technologies," Lee said. "They may be able to have claims dismissed against them in court that allege a failure of the approved technology."
But Homeland Security also said that the certification does not remove all liability from companies, even in the event of a terrorist attack. "They may remain responsible, however, for claims that allege negligence such as if they did not take proper actions following a malware alert provided by the cybersecurity technology," Lee said.
Basically, that is.