"It depends on what you mean by the customer not implementing the product properly. If the award includes training and implementation services, then the customer still won't face any liability. However if the award does not address those services and they are solely the responsibility of the customer, then they may very well face liability," Finch said.
"With respect to configuration errors, again that is fact specific. Typically an application will go over in detail how a product is installed and integrated, so DHS has confidence that the 'configuration' process will go smoothly. With that, typically there will not be liability for configuration errors."
Ultimately, Finch stressed, the question of configuration or changes to the product are fact specific and will be up to the court to decide.
"It's more about striking a balance — the customer and the vendor can work together on customizing a device, but the customer cannot so radically alter the device and then claim immunity," Finch added.
"It's kind of like turning a pickup truck into a monster truck like 'Bigfoot' — you can't expect the manufacturer's warranty to apply to the brakes when you have tires 7 feet tall on the truck at that point!"
Bottom line, if a customer alters a product to the point that it is no longer the same as what DHS reviewed when certifying under the SAFETY Act, then liability protections may well be nullified.
But again, that would mean that a customer faces a lawsuit over a breach that centers on product failure. Still, Finch said, it's fair to say customers get very broad protection with FireEye's SAFETY Act award, but no one should think those protections are absolute or all encompassing.
This clarification somewhat diminishes FireEye's stated promise to customers of "unmatched liability protections in the unfortunate event of litigation" because those protections depend on a number of factors, and in reality it places organizations on the same playing field as those who are not FireEye customers.
In a way, the cracks in the liability protection look similar to the ones organizations face under PCI. Or rather, just because an organization is PCI certified and compliant doesn't mean they're actually secure — all they've done is check a box.
Mark Kikta, a penetration tester working for a Fortune 300 company in the financial services sector, shared some additional thoughts when asked his opinion:
"From the counsel's comments, it seems that regardless of what the corporation does elsewhere, as long as they have a FireEye deployment configured and administered by FE, they are relieved from liability.
"This is a dangerous step backwards in the realm of security. It takes the concept of a turnkey security solution, which any security expert will tell you doesn't exist, to the next level; turning what is ostensibly a mediocre threat detection product into breach insurance."