I was notified via email from my bank that “We’re sending you a new debit card” because my card was identified as ‘at risk’ from the Target data security breach. I was shocked, not because my account might have been compromised as I am a frequent Target shopper, but because I was learning about this from my bank and not Target.
4 restaurant cyber liability best practices your restaurant can learn from the Target data breach.
- Be PCI Compliant
Being PCI compliant does not specifically mean that your restaurant will be protected from security breaches, but it does create a framework for running your business in a secure manner. If you’re not familiar with PCI, it refers to the Payment Card Industry Data Security Standard (PCI DSS), a set of requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment and protect cardholder data.
To see if your restaurant is PCI compliant you can complete the PCI Self Assessment Questionnaire (SAQ) on an annual basis and engage an Approved Scanning Vendor (ASV) to perform quarterly security scans on your infrastructure.
If you are not PCI compliant your restaurant could face fines. Get compliant!
- Know what exposure you have within your payment services agreement.
You have a false sense of hope if you think that your payment services processor might be on the hook for losses if your restaurant has a data breach. Read your vendor contract and get assistance in understanding where your responsibility lies. Most contracts contain language that would limit the liability of the payment services processor.
The following language was taken from an Authorize.net Service Agreement: “Customer acknowledges that Authorize.Net shall not be liable for any improperly processed or unauthorized Transactions or illegal or fraudulent access to Customer’s account, End-User or Transaction data. Authorize.Net’s liability for improperly processed or unauthorized Transactions solely attributable to the negligence of Authorize.Net is limited pursuant to Section 12.” Section 12 provides the “Limitations of Liability and Disclaimers.” Find someone who can help you understand what your liability is if your restaurant had a data security breach.
- Be prepared, a restaurant data breach will happen to you.
You know what to do when someone takes money from the safe, but do you know what to do if your restaurant suffers a data breach? As stated in an earlier blog post, Restaurant Cyber Liability – Are you protected? (Part 1 of 3), according to Advisen, a New York-based commercial insurance research and data analytics firm, “exposures such as operational disruptions caused by denial of service attacks, lost or stolen data, violation of privacy laws and intellectual property infringement have long been a concern of larger companies. But this year, smaller businesses began to increasingly realize that they were also at risk.” Bottom line: be prepared, because your restaurant is most likely being targeted. Experian produced the Data Breach Response Guide that you should review and put in place for your restaurant.
- Restaurant cyber liability insurance, consider it.
A typical commercial insurance policy will not provide protection for a data breach. Every restaurant that keeps electronic data and also uses the internet to conduct commerce or general business operations has a cyber liability exposure. The Ponemon Institute studies data breaches. In 2013 this annual study estimated an average post-breach cost of $188 per record. Although this includes $124 in lost business cost, the remaining $64 of actual remediation cost per record is tied to the associated public relations expenses to rebuild an organization’s reputation. Consider cyber liability insurance for your restaurant.
As cyber threats continue to target the restaurant industry, it is important that you have the above best practices in place. The cost of a data security breach can overwhelm your restaurant, severely damage your reputation and, in an extreme case, put you out of business.