Cybersecurity Advice for Restaurateurs

How to Ensure Your Restaurant Survives and Thrives in the Era of Widespread Cybercrime and Strict Data Security Regulations.

Restaurants currently face a double barreled challenge in the form of increasing cyberattacks targeting businesses of all sizes across the United States and newly enacted state data security statutes that can create significant legal exposure for restaurants that service hundreds or thousands of customers on a daily basis. 

Numerous United States restaurant and fast food chains, including Applebee’s, Wendy’s, Chili’s, Huddle House, and Cheddar’s Scratch Kitchen have suffered cyberattacks in recent years and months.  Non-chain restaurants also face significant risks given that 43 percent of United States cyberattacks target small businesses and a single cyberattack costs victimized businesses of all sizes an average of $200,000, according to Accenture.  Even more troubling is the fact that 60 percent of small businesses that suffer a cyberattack close within six months according to the National Cybersecurity Alliance.  Given that restaurants, even small non-chain restaurants, possess the credit card information of thousands of customers, the restaurant sector may be one of the most appealing to cybercriminals looking to quickly accumulate credit card account information from thousands of accounts in order to engage in large-scale identity theft. 

The restaurant sector may be one of the most appealing to cybercriminals looking to quickly accumulate credit card account information from thousands of accounts in order to engage in large-scale identity theft. 

Moreover, restaurants must also contend with the rapidly evolving patchwork of state data privacy and security statutes governing the collection, use, disclosure, processing, and protection of customers’ personally identifying information including credit card and financial account information.  Numerous states including New York, Illinois, Massachusetts, California, and Texas have enacted statutes requiring entities that own or license the personally identifying information of state residents to implement and maintain reasonable security procedures appropriate to the nature of the information and the size and operations of each entity.  There is also currently proposed legislation pending in both the United States Congress that would impose similar requirements on businesses. 

While most such statutes are enforceable by State Attorneys General or administrative agencies, others such as Illinois’ data security statute and the California Consumer Privacy Act (CCPA), which applies to any entity that “does business in California” and A) has annual gross revenues over $25 M; B) alone in combination buys, receives, sells, or shares the personal information of 50,000 or more consumers, households or devices; or C) derives 50 percent or more of its annual revenues from selling consumers’ personal information, give affected residents the right to file lawsuits seeking monetary damages against businesses for violations. 

Some state data security and privacy statutes such as CCPA and the New York SHIELD Act can apply extraterritorially to out-of-state entities that collect or possess state residents’ personal information.  Therefore, a restaurant in Phoenix with no locations or operations outside of Arizona that serves customers from New York and California who pay by credit card could potentially be subject to the NY SHIELD Act and CCPA with regard to such customers’ personally identifying information. 

Moreover, since the European Union (EU) General Data Protection Regulation (GDPR) entities that processes the personal data of EU residents in connection with offering goods or services to EU residents even if they do not have locations or operations in the EU itself, restaurants in large cities and other high profile locations likely to attract tourists or business travelers residing in the EU could be subject to GDPR with regard to EU customers’ personally identifying information, especially if they advertise online or in print or other media with EU circulation.  In addition to its stringent data privacy requirements, GDPR requires covered entities to implement appropriate technical and organizational measures to protect the security of the personal data they possess and process.  Violations of GDPR are subject to both a private right of action and administrative fines totaling up to four percent of an entity’s annual revenue. 

Despite these seemingly daunting legal and practical challenges, restaurants of all sizes can reduce their vulnerability to cybersecurity incidents, ensure compliance with state and international data security laws, and reduce their legal exposure in the event they suffer cybersecurity incidents by consulting with an interdisciplinary team headed by a law firm in order to identify and assess their vulnerabilities and the data security laws to which they could realistically be subject.  An interdisciplinary team headed by a law firm is the ideal partner for small, non-chain restaurants seeking to protect themselves from cybersecurity incidents and ensure compliance with data security laws since it allows for a reduction in overall costs by sharing the expertise of an established team of experts, cloaks the process in attorney-client privilege that can limit discovery in the event of a lawsuit, and allow for one-stop shopping that reduces compliance costs.   

Such an interdisciplinary team, which should include technological subject matter experts and professionals, can evaluate existing hardware and systems such as computers and POS systems, which have been the attack vectors for numerous cyberattacks targeting United States restaurants, as well as software, cloud computing accounts, and Internet of Things (IoT) connected equipment in order to determine how to most effectively safeguard such technologies against malware and other types of cybersecurity incidents without drastically increasing a restaurant’s overhead costs.  An interdisciplinary team headed by a law firm can also assist a restaurant in determining what if any state and international data security statutes it could potentially be subject to given its locations, advertising activities, and customer base and develop effective and cost-efficient compliance practices for the laws that are likely to be applicable while ensuring valuable time and resources are not wasted on complying with laws unlikely to apply to a given restaurant. 

Restaurants can also work with such an interdisciplinary team in order to develop and implement information technology access policies and enforcement mechanisms including monitoring and content blocking for employees’ use of restaurant-owned computer systems and Internet networks and evaluate the employment and labor law implications of such measures.  Such policies and procedures are especially important given that employee negligence, such as accessing websites or downloading files likely to contain malware, is often the cause or a contributing factor to cybersecurity incidents affecting businesses.

By retaining such an interdisciplinary team and proactively addressing cyber and data security risks, restaurants can overcome the challenges posed by increasing cybercrime and data security laws and continue to thrive in the Internet economy.