Best Practices for Handling a Data Breach

A former employee filed a class-action lawsuit against Panera, following a data breach earlier this year. The suit claims that Panera is to blame for the breach, which exposed employees’ personal information, including Social Security numbers. Panera contacted affected employees and is providing a one-year membership in a program that provides credit monitoring, identity detection and resolution of identity theft. 

What can restaurant operators learn from this experience? What makes restaurant chain breaches unique compared to other industries? Modern Restaurant Management (MRM) magazine reached out to Matt Green, partner and Deputy Chair of Obermayer’s Litigation Department, for insights on this topic. He concentrates his practice on commercial litigation and has experience in settlements in data breach cases.

Can you give a little breakdown on the case facts?

Numerous cases have been filed by former employees, mostly in Missouri federal court, all stemming from a data breach that Panera experienced on March 23rd. The former employees generally claim that Panera negligently failed to protect their personal information that Panera stored, and also failed to timely notify those affected by the breach. The complaints seek certification of a national class of persons affected by the breach.

How do restaurant chain breaches differ from other industries? Are there any similar cases?

The claims by former employees against restaurant chains don’t necessarily differ from other industries in substance – the employer maintained its employees’ personal information, and negligently failed to safeguard it. However, larger restaurant chains may differ somewhat from other industries based on the transience and number of employees who find their way into the systems of these restaurant chains, thus potentially making the chains a ripe target for class action lawsuits.

Other examples of claims similar to those Panera is facing are class actions filed against Arby’s and Golden Corral. Panda Express may also be sued for a data breach that chain experienced in March of this year. Restaurant chains are also subject to claims associated with customer information being stored in POS systems, which has also been the subject of class action claims (Chili’s restaurants are an example). As with employee data, restaurant chains are low-hanging fruit for class action claims in this context given the number of customers that could be affected.

What are the possibilities for how this will play out in the courts and in future legislation?

So far, the evolution of these claims has been playing out in court over the issue of who has standing to bring such claims. The primary question is – does a person whose information got stolen have sufficient interest to assert a claim if they have not experienced actual out-of-pocket losses caused by the data breach? As these issues make their way up through the courts, it seems that many districts (like the 3rd Circuit and 11th Circuit) find that the threat of misuse of personal information may be enough to assert a claim. If plaintiffs can get over that standing hurdle, the claims tend to settle, given the number of people involved and the costs of litigation. I am not aware of specific legislation related to the restaurant industry – all states have legislation focused on obligations to inform those affected by breaches, and I have seen legislation emerging over breaches in the healthcare industry.

What should restaurant operators take away from this in regard to how they should handle employee and customer data moving forward?

Restaurants should understand that they may have an obligation to safeguard this information, and that there are inherent risks in performing these functions in-house. Restaurants should consider vetting third-party vendors to perform these functions, and ensure those vendors are properly insured. Restaurants should also consider their own insurance coverage for cyber risks.

What are the best practices for brands to handle a breach?

The best practices for handling a breach are turning the issue over to subject matter experts as soon as possible. Delays in addressing issues could only create more issues, not alleviate them. This means notifying any broker of a breach, and teaming up with a law firm or breach coach as soon as possible to help try and minimize the exposure from a breach.