
Is a data breach warranty worth the investment?

A data breach warranty may seem like a tempting way to survive a costly attack, but it may not be all it's hyped up to be. Expert Mike Chapple examines.

A company recently came out with a payment card breach warranty that covers the company's end-to-end encrypted devices in the case of a failure; if it fails, the company will cover merchant compliance fines and assessments as well as costs for a related PCI audit for a year. Are there any real advantages of such a warranty, and how is this different from cybersecurity insurance?

While this data breach warranty certainly made a splash in the IT news media, I believe it is more hype than substance. In January 2015, Heartland Payment Systems announced its E3 End-to-End Encryption Warranty, which promises to reimburse breach-related fines for merchants using its E3 point-to-point encryption devices.

You might remember Heartland Payment Systems as the victim of a high-profile security breach back in 2008 that exposed payment card data for up to 100 million cardholders. Heartland has lived in the shadow of that breach for the past seven years, and this new warranty program is likely a public relations gambit designed to boost its image among security-conscious merchants.

The bottom line is that the Heartland warranty probably isn't going to pay out many claims, because it only applies to merchants who deploy point-to-point encryption. Properly implemented, P2PE encrypts the card data inside the terminal at the moment of the swipe, and the data stays encrypted until it reaches the payment processor; the merchant's POS systems and network only ever handle ciphertext. Sensitive card data is never in the merchant's hands (at least not electronically), which sharply reduces the chance of the kind of merchant-side breach the warranty covers.
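To make that point concrete, here is an added illustration of the P2PE data flow the warranty depends on. It is example code written for this article, not Heartland's E3 implementation or any vendor's code: an HMAC-SHA256 counter-mode keystream stands in for the hardware-held AES/TDES (DUKPT-derived) keys a real terminal uses, and the processor key, the sample track data and the function names are all assumed. What it shows is the argument above: with P2PE, the only bytes an attacker on the merchant's POS host can scrape are ciphertext, a MAC tag and a masked PAN, so a card-data discovery scan of that host finds nothing, while the same scan against a legacy terminal's output finds the PAN immediately.

```python
"""Toy point-to-point encryption (P2PE) swipe, plus a card-data discovery
scan of what the merchant's POS host would hold afterwards.

Added illustration only: this is not Heartland's E3 implementation. Real
P2PE terminals keep keys in a tamper-resistant secure element and use
DUKPT-derived AES/TDES keys; here the cipher is an HMAC-SHA256 keystream
in counter mode so the script runs on the Python standard library alone.
"""
import hashlib
import hmac
import os
import re
from typing import Dict, List

# Assumed for the example: the processor injects this key into the terminal;
# the merchant's POS software and network never see it.
PROCESSOR_KEY = b"example-key-injected-by-processor-not-held-by-merchant"

# Constructed sample track data (PAN=expiry/service code) using a test PAN.
SAMPLE_TRACK = b"4111111111111111=2512101"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def terminal_encrypt(key: bytes, track_data: bytes, nonce: bytes = b"") -> Dict[str, bytes]:
    """What the PIN pad emits after a swipe: nonce, ciphertext, MAC tag and a
    masked PAN for the receipt. This record is all the merchant POS ever gets."""
    nonce = nonce or os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(track_data, _keystream(key, nonce, len(track_data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    pan = track_data.split(b"=")[0]
    return {"nonce": nonce, "ct": ct, "tag": tag,
            "masked_pan": b"*" * (len(pan) - 4) + pan[-4:]}


def processor_decrypt(key: bytes, msg: Dict[str, bytes]) -> bytes:
    """Processor side: verify the tag first, then strip the keystream."""
    nonce, ct = msg["nonce"], msg["ct"]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, msg["tag"]):
        raise ValueError("tag mismatch: message altered in transit or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test, the filter card-data discovery tools apply."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def find_pans(blob: bytes) -> List[str]:
    """Card-data discovery: Luhn-valid 13-19 digit runs in a memory/disk dump."""
    return [m.decode() for m in PAN_RE.findall(blob) if luhn_ok(m.decode())]


def merchant_view(track_data: bytes, p2pe: bool = True, key: bytes = PROCESSOR_KEY) -> bytes:
    """Bytes that land on the merchant's POS host after one swipe."""
    if not p2pe:
        return track_data  # legacy terminal: cleartext track data hits the POS
    msg = terminal_encrypt(key, track_data)
    return msg["nonce"] + msg["ct"] + msg["tag"] + msg["masked_pan"]


if __name__ == "__main__":
    print("legacy POS holds PANs:", find_pans(merchant_view(SAMPLE_TRACK, p2pe=False)))
    print("P2PE POS holds PANs:  ", find_pans(merchant_view(SAMPLE_TRACK)))
    record = terminal_encrypt(PROCESSOR_KEY, SAMPLE_TRACK)
    print("processor recovers track:", processor_decrypt(PROCESSOR_KEY, record) == SAMPLE_TRACK)
```

The scan at the end is the same Luhn-plus-regex check that assessors and discovery tools use to confirm a P2PE rollout really took the POS out of scope; it is the verification a merchant should run before relying on a warranty that pays only when the encryption itself fails.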

There's also a catch surrounding this warranty. It's free for the first year, but then carries a monthly fee of $8.33 per device (about $100 per device per year). If you're using 100 devices, it will run you a cool $10,000 per year. If I were planning to invest $10,000 in a risk transference plan, I wouldn't purchase this warranty. I'd go after a full-fledged cybersecurity insurance program that provides broader data breach protection and is backed by a traditional insurance company. You'll get more comprehensive data breach protection with the reputation of a major insurer on the line.



This was last published in July 2015
