Data breaches can happen to anyone, from large multi-location restaurants to mom-and-pop spots, so protect yourself with these tips
By Ellen Hartman
The idea that cyber-thieves would target a Dairy Queen probably seemed laughable once. But that’s just what happened in 2014 when a malware called Backoff infected 395 Dairy Queen stores nationwide, along with more than 1,000 other businesses, including P.F. Chang’s and Jimmy John’s locations. Hackers exploited a weakness in point-of-sale remote access tools to steal customer credit cardholder data.
When a breach like the ones attributed to Backoff happen, the ramifications go beyond the immediate financial impact to profits. Affected restaurants also face the risk of losing customer trust. Stores in Georgia, for example, are required by law to immediately inform consumers about breaches, defined as “the unauthorized acquisition of electronic data that compromises the security, confidentiality or integrity of personal information.”
Chick-fil-A recently faced such a situation. In December 2014, reports that the Georgia-based chain might be the common connection for a data breach impacting almost 9,000 debit and credit users surfaced. Chick-fil-A issued a statement in response promising that guests would not be liable for any fraudulent charges and that Chick-fil-A would provide for free identity protection services, including credit services, to affected customers. In the end, however, Chick-fil-A’s investigation revealed no evidence it was compromised, and the chain issued another statement saying it had “no reason to believe that any customer’s payment information was stolen or at risk of being stolen from Chick-fil-A.”
Incidents like those are why the issue of how to protect consumer data has become an area of great interest to lawmakers and lobbyists on the state and national level. And with good reason. Credit card fraud cost U.S. consumers and businesses more than $6 billion in 2014.
“We are seeing several bills on the hill intended to direct merchants on how to prevent and handle credit card breaches,” says Laura Knapp Chadwick, director of commerce and entrepreneurship at the National Restaurant Association (NRA). “As an industry, we want to have a voice and show that we’re doing what we need to do to protect our customers’ data.”
To that end, the NRA is developing a set of new foodservice-specific resources. Those will debut in October of this year. In the meantime, we talked to Chadwick about the ways restaurateurs can prevent and respond to breaches.
- Become PCI compliant. The first line of defense against would-be hackers is making sure your payment operations are Payment Card Industry Data Security Standard (PCI DSS) compliant. There are 12 requirements, ranging from installing and maintaining a firewall to restricting physical access to customer credit card data.
“The process can be time- and capital-intensive, but the likelihood that you’re going to be breached decreases significantly,” Chadwick says. “And if you aren’t compliant and there is a breach, the credit companies could fine you out of existence.”
- Invest in enterprise security. PCI compliance covers the processing of payments. But restaurants store data for up to 90 days in case of customer disputes. Hackers know this.
The good news is that such attacks are now preventable.
“The widely published ‘best practices’ are effective,” Chadwick says. “And the good news is there are experts who can help.”
Enterprise security best practices include:
- Application Whitelisting. Create a list of applications authorized to run to protect your computers and networks from harmful software.
- Application/Operation Systems Patching. Track, download and apply security updates to your computers on a regular basis.
- Restrict Administrative Privileges. Limit administrative rights to only those who need them, then ask them to limit high-risk activities such as browsing or e-mailing from third-party accounts.
Implementing and optimizing these practices protects your hardware and network from infection by preventing malware from exploiting weaknesses. Think of it in terms of your home. Whitelisting is an invitation to enter. Patches are the locks that keep unwanted intruders out and administrators hold the keys.
A Strong Response
Industry best practices for handling a breach are also effective, Chadwick says. She suggests restaurateurs familiarize themselves with resources like the Weil’s “Security Breach Notification Laws Data Privacy Survey 2014,” which outlines a plan of action should a breach occur.
Weil suggests the following:
- Secure Your System. Prevent further data loss by working with cyber-security experts to isolate any malware and fix any breaches.
- Analyze the Breach. Work to understand what type of information was comprised, the risk to consumers, who needs to be notified and who is responsible for related costs.
- Implement a Communications Plan. Prepare to relay information to the public and regulatory bodies in a consistent and strategic manner.
- Understand Your Liability and Rights. Speak with legal counsel to determine if civil suits are a possibility.
Chadwick urges operators to be as vigilant about prevention and advocacy as they are with food safety in their stores. “It’s about continuous education and monitoring,” she says. “You wouldn’t check the temperature on your refrigerator once then forget about it. Same thing with your network.”
Ellen Hartman, APR, Fellow PRSA, is the CEO of Hartman Public Relations, a full-service public relations agency specializing in the foodservice Industry. Hartman has experience working for Coca-Cola, Concessions International, Chili’s, Huddle House, Frist Watch, Fresh To Order, Billy Sims BBQ and Uncle Maddio’s and many QSR brands including Popeyes, Church’s and Arby’s. An industry leader for more than 25 years, Hartman is active in the Women’s Foodservice Forum and Les Dames d ’Escoffier International and has served on the board of the Georgia State University School of Hospitality. She earned her APR accreditation from the Public Relations Society of America and is a member of PRSA’s Fellow program for senior accomplished professionals.