Cost Reduction

Security—Protecting Your Customer’s Data

It seems that every week another security breach hits the news that has the potential of affecting thousands to millions of individuals. Unfortunately, restaurants are not immune. Sonic Drive-In was recently the victim of one of the largest data breaches in history when the credit card numbers of potentially millions of customers were hacked. Their response was to offer free fraud detection and identity theft protection through Experian’s IdentityWorks program to customers that used their debit or credit cards at Sonic Drive-In in 2017.

This followed closely on the heals of Arby’s massive credit card theft that affected more than 350,000 customers. Hackers effectively obtained Arby’s customer’s credit card data by installing malware at their cash registers. Eight lawsuits against the chain have followed.

And that’s just the tip of the iceburg. From 2015 to 2017, restaurants such as Wendy’s, Rainforest Café, Chipotle, and Morton’s were all victims of a data breach.


Protecting Yourself, Your Business, and Your Customers

You, as a restaurateur, may be wondering how to protect your customers and yourself from these increasing thefts. Fortunately, the National Restaurant Association (NRA) has recently created a new guide to help restaurants protect their guests and their businesses. They have expanded upon their first Toolkit for Restaurant Operators: Cybersecurity 101 by creating Cybersecurty 201: The Next Step. This information packet has been specifically adapted for the restaurant industry, and it is designed to help your organization implement needed changes that will protect against cyber crime. The five areas they cover are identify, protect, detect, respond and recover.


The Basics

So, just what are the basic protocols for making sure your customer’s private information is safe and secure? Let’s take a look at what the NRA determines “urgent” when developing a cyber-security protocol.

  • Involve your managers when setting up your security goals—this is an ever-changing process that requires a devoted team to accomplish a successful cyber-security plan.
  • Determine your vulnerability and establish a risk-assessment process. Find someone with up-to-date IT experience who can create a diagram of how information flows through your establishment. This includes software, hardware and personnel.
  • Put safeguards in place to protect these areas such as managing remote access and access permissions, and protect the integrity of your network through the use of firewalls. Encrypt sensitive stored information.
  • Have a system in place that will detect a breach such as threat from a malicious code through the use of malware tools.
  • Have a response plan in place in order to limit damage.
  • Develop a recovery protocol in order to manage public relations.

A Step in the Right Direction

A few important steps to take in order to secure your restaurant’s and customer’s data includes investing in up-to-date software and hardware that are designed to fight off cyber threats. Older point of sale systems are often not equipped to accomplish this task while the modern POS systems encrypt credit card information during the initial transaction. Choosing a cloud-based secure data storage system adds another layer of protection by storing private data off-site.

If you’re new to cyber-security, the NRA’s Cybersecurity 101 may be a good starting point for you. It starts with the basics and explains the National Institute of Standards and Technology (NIST). By 2020, Gartner, a technology research firm, has predicted that half of all businesses in America will use the NIST Framework in order to set up their cyber-security.


A quote in QSR Magazine from Collin Hite, leader of Hirschler Fleischer’s Insurance Recovery Group, may help spur you into action: “If you don’t properly handle a response in the first 72 hours, the cost of responding is at least three times higher.”

Putting a proficient cybercrime stopgap in place can seem overwhelming; however, as the National Restaurant Association so succinctly states, “Doing something is better than doing nothing.” While the challenges following a data breach may include the cost of a forensic audit, fees and penalties, and inevitable lawsuits, one of the most harmful and hard to restore aftereffects is the damage that your brand sustains.

The truth is that you cannot protect yourself, your business and your patrons with a 100 percent guarantee that no one will be able to hack into the security systems that you have in place. Cyber thieves are ever-evolving and determining new and often successful strategies for obtaining a restaurant’s guest’s credit and debit card information. You can, however, know that you have done due diligence. In many instances, that may require working with a security provider who can implement a protection plan and develop a process that detects breaches.



Cost Reduction
  • Subscribe to our latest insights


Are you capital raise ready?