Article contributed by Jennifer D. Silverman, Ellenoff Grossman & Schole LLP
Everywhere you turn today, you hear about high-profile data breaches of restaurants including Panera Bread, Sonic, Arby’s, Dunkin Donuts and Chili’s. You may think that a data breach is only a threat to the national chains, but if your restaurant accepts credit cards and has employees, you are at risk as well.
If your restaurant experiences a data breach, you are likely to have a business interruption, incur fees, fines and costs, suffer reputational damage, and be exposed to enforcement actions by government agencies and potential lawsuits. Because hackers target “low-hanging fruit,” or businesses with the weakest cybersecurity measures, any efforts that you make to improve your data privacy and cybersecurity situation may reduce your risk of data breaches and protect your business.
Restaurants Collect and Use More Customer Data Than Ever Before
Today, restaurants are increasing their revenues by collecting and using data to cater to their customers’ preferences, perform targeted marketing and operate more efficiently. TGI Fridays, for example, reportedly used data and artificial intelligence to perform targeted marketing which doubled its to-go business in 2018.
Vendors such as OpenTable, Seamless and GrubHub are one source of data for restaurants. Restaurants also collect data through their websites, loyalty programs, gift cards, social media and in exchange for free Wi-Fi. This data can include personally identifiable information such as names, addresses, email addresses, birthdays, demographic information, personal preferences and habits.
Why Data Privacy and Cyber Security Need to Be a Priority
Even if your restaurant isn’t utilizing data-driven marketing, it is likely accepting credit cards and paying employees, or collecting and storing some other personally identifiable data of customers like email addresses. Hackers and other bad actors continuously try to get their hands on this data, particularly credit card numbers, social security numbers, names and addresses.
There is a dizzying array of laws which may apply to your collection, use and storage of data, from state breach notification laws to the European General Data Protection Regulation (GDPR). Violating any of these laws may result in legal action by regulatory agencies, state attorneys general and/or individuals and expenses such as legal fees, fines and other monetary liability.
A breach would likely distract you from the day-to-day operation of your business and may cause a business interruption resulting in loss of revenue. Even if a breach were merely suspected, you would likely incur legal fees and forensic investigation costs that may start at $50,000.
Also, if your restaurant experiences a breach involving credit card data, you will likely be subject to fines, penalties and chargebacks from credit card companies and processors. You may even lose the right to accept credit card payments.
A breach would also hurt your restaurant’s reputation. The brand that you worked so hard to build may drop as much as 30% in value according to the National Restaurant Association. You may need to take steps to mitigate the damage such as hiring a public relations firm.
Because a data breach or similar incident may be devastating to your restaurant, it is essential that data security and privacy be made as high a priority in your restaurant as quality control. Implementing a comprehensive data privacy and cyber security strategy for the first time will require an investment of time and resources. However, when you consider how valuable data is to your restaurant and the magnitude of risk that a breach presents, this investment can be put into perspective. The potential losses due to a breach or a violation of data privacy law, both in terms of money and reputation, are greater than the cost of preventative efforts.
What You Need to Do
Complying with data privacy and cybersecurity laws relevant to your business and associated contractual obligations involves far more than hiring a good IT provider. Effectively tackling data privacy and cybersecurity also requires steps such as implementing policies and training employees.
To start, I recommend that you have an IT specialist assess your current cybersecurity situation and make recommendations for technological improvements. While that process is in motion, the best practice would be to “map” or take an inventory of data in your restaurant’s possession, including:
- What data your restaurant collects
- How the data is used
- Who has access to the data, including vendors processing payroll or performing marketing
- Where that data is stored
- How long the data is retained, and how it is to be destroyed or deleted
Generally, you will want to limit your collection and storage of data to only that which you truly need, and provide access exclusively to the employees who need it to perform their jobs.
An experienced attorney can determine which data privacy and cybersecurity laws apply to your business, identify privacy-related provisions of your contracts, recommend a risk-based approach for complying with your legal and contractual obligations, and assist you with various aspects of implementing a comprehensive program, including purchasing appropriate cybersecurity insurance.
There is much that you can do on your own to protect your business. The National Restaurant Association offers a cybersecurity toolkit for restaurant operators. The Federal Trade Commission, U.S. Small Business Administration and other organizations offer data privacy and cybersecurity guides. There are also numerous software products on the market that can help you assess your existing situation, including mapping your data.
As with many other industries, the restaurant business has been radically transformed by technology and consumer data. Along with the potential increase in revenue that can be generated via the collection and use of data comes the risk of liability and substantial costs. I recommend that you make data privacy and cyber security a priority to protect your bottom line.
Jennifer D. Silverman is an IP partner in NYC who handles legal matters related to brand names, e-commerce, licensing, software, data privacy and cybersecurity. She regularly works with clients in the hospitality, consumer products, insurance, education, real estate and advertising industries. She holds a Certified Information Privacy Professional/United States (CIPP/US) designation from the International Association for Privacy Professionals (IAPP). She can be reached by phone at 212-370-1300 or by email at firstname.lastname@example.org