Restaurant Data Breaches
When diners go out to eat, they expect to be able to use credit and debit cards, as it is the most convenient way for many people to pay. This type of payment requires a digital exchange of information – very sensitive information that your customers trust you to keep secure. A security breach in your system can cause real damage to affected customers, including lowering their credit scores, hurting their job prospects, and harming their chances of being approved for loans that could impact their quality of life. We looked into how you can help prevent a data breach, as well as how to respond should one occur at your restaurant.
Recent Restaurant Breaches
Data breaches in restaurants aren’t rare. In fact, a 2014 report by Visa estimated that as many as 73 percent of America’s data breaches happen in restaurants. Foodservice makes a soft target for hackers, as restaurants generally do not invest in heightened security, but often swipe hundreds or thousands of payment cards each day. While small restaurants are often targeted for this reason, even large chains are not immune to attacks, as these recent incidents show.
- Landry’s Incorporated, which owns more than 500 restaurants, experienced a breach from May of 2014 to December of 2015. While the company never confirmed how many customers were affected, more than 40 locations were implicated.
- Wendy’s experienced a breach in early 2016 that impacted more than 300 restaurants and led to a class-action lawsuit.
- Noodles & Company confirmed in June of this year that a data security breach occurred between Jan. 31 and June 2 of 2016, which has also resulted in a class action lawsuit.
- A data breach occurred at Zaxby’s in 2012, affecting more than 100 of the company’s locations.
- More than 130 locations of Cicis were affected by a data breach earlier this year.
Unfortunately, that list is far from exhaustive, and many smaller chains and independent restaurants have dealt with similar problems without being large enough to make headlines.
While there are a few federal data security laws that business owners should be aware of, data security laws are, for the most part, determined by states. However, if your business accepts American Express, Discover, JCB International, MasterCard, or Visa, you will have to comply with the Payment Card Industry Data Security Standard, also known as PCI DSS.
PCI DSS was created when the largest payment brands got together to standardize the security protocols they would require their merchants to use. The objectives of the standards require merchants to:
- Maintain a secure network, including a firewall. Software and hardware passwords should always be changed from the vendor defaults, since attackers routinely know and try those defaults; changing them helps prevent unauthorized third-party access.
- Defend cardholder data, especially when it’s stored on your company’s computers, and encrypt the data before it’s transmitted across a public network.
- Institute a program to limit vulnerabilities. Such a program should include installing anti-virus software on any machine that records or transmits customer data, to block the malware that is commonly used to harvest cardholder data.
- Control access to cardholder data, both physically and digitally. Every person with computer access should have a unique ID, and physical access to computers should be restricted.
- Monitor networks regularly, tracking who accesses the network and when. Implement procedures to regularly test security systems.
- Implement and maintain an information security policy. Every employee that may have access to cardholder information should be well-trained in these procedures.
In addition to carefully following PCI standards, restaurants can also protect themselves by investing in breach insurance. This type of insurance can cover a variety of needs related to cyber security, including legal costs, consumer notification, business interruption, and even hiring a public relations firm to rebuild consumer confidence after a data breach.
In the Aftermath
If the worst should happen and your business experiences a data breach, how you handle the aftermath can easily determine if your restaurant will survive the blow. A breach can greatly affect consumer trust – according to a 2015 survey, 64 percent of consumers say they are unlikely to continue doing business with a company from which financial information was stolen. Possibly worse, 49 percent said they would consider taking legal action against any party involved in a breach of personal information.
The Federal Trade Commission offers data breach response guidelines that include the following steps:
- Plug the Leak: Figure out where the problem is, and stop the flow of information. Get rid of malware and secure physical access to all computers that store and transmit sensitive information. You will also need to inspect all card readers for skimmers, which are small pieces of hardware that can collect data from cards’ magnetic stripes. This isn’t something an amateur can do; you will need to invest in the help of experts, including a data forensics team, information security contractors, and legal counsel. Be very careful to avoid destroying any evidence.
- Find the Weak Spots: Consider changing service providers’ access privileges, verify that any network segmentation you had in place actually worked, and work with the data and tech experts you hired to identify where access should be further restricted.
- Communicate: Law enforcement should be contacted immediately; first local police, then possibly the local FBI office, depending on how experienced your local police are at handling data breaches. Customers and other affected businesses should be contacted as soon as possible, but collaborate with law enforcement to ensure that these notifications do not affect the investigation.
Industry professionals seem to agree that when it comes to retaining customer loyalty, that last step is the most important. While federal and state laws will determine what you are required to notify customers of following a data breach, increased transparency is what customers are looking for after an incident. Potential data theft victims want details and reassurance that the business is doing what is needed to improve security and help any affected customers recover.
This level of communication requires a plan before a breach ever happens. Creating an action plan detailing how your company will communicate internally, as well as with customers, long before a breach ever happens will enable you to distribute information effectively and in a manner and tone that conveys the concern and honesty that customers need to hear. This plan is the first step in rebuilding customer trust, and the biggest step in your restaurant surviving a security breach.