An independent restaurant owner gets a call: someone has been stealing credit card numbers from her customers, charging more than $100,000 in the last three months. Her processor bank says she must submit to an expensive forensic audit, and she faces thousands of dollars in fines from the card companies.

The CEO of a quick-service restaurant company learns that hackers have grabbed his customers’ information, including their names, addresses, contact information, social media handles and buying history from the vendor handling the company’s loyalty program. Now he’ll have to hire a law firm that specializes in these breaches, and notify customers about the breach, based on individual state breach-notification laws.

A casual dining chain’s marketing manager clicks an email asking his company to participate in “Restaurant Week,” unwittingly launching a cyberattack on the company. An on-screen message says that all proprietary information has been seized and will only be released after the company pays a bitcoin ransom.

The digital age is transforming the way restaurants do business. Tech innovations streamline and automate restaurant operations, and most of those innovations are fueled by data.

And whenever data is handled—card payments, payroll and human resources records, inventory control, or loyalty programs—online criminals and hackers are lurking, waiting to attack where restaurants are most vulnerable.

Think about your own operation. You have more than just card data at stake. Through mobile apps, loyalty programs and social media, you could be collecting guest data such as age, address, preferences, and visit frequency.

Back of house, you track your food, beverage and labor costs, as well as your suppliers’ pricing. Your systems hold intellectual property such as new or proprietary recipes and business plans. You store employee and payroll information, data on customer interactions, maybe even data on your competitors.

Hackers never sleep, even during the coronavirus pandemic. If anything, your business is more fragile and vulnerable now than ever before, and some types of digital attacks are on the increase, according to the Center for Internet Security.

Phishing, ransomware, “denial of service” attacks and malware are only a few of the ways cyber thieves attempt to steal valuable data.

The good news is you can take steps to protect your operation and your customers so you’re less susceptible to data breaches and other cybercriminal activity.

Preventive measures can make a huge difference.

Why it matters

Costs associated with a data breach can be overwhelming. Payment-card breaches, for example, can easily add up to $100,000 or more in losses, fines and forensic audits.

Here are five ways a data breach could cost your restaurant business:

  • Investigations, fines and remediation. If a breach involves payment-card data, you’ll face substantial fines from the card brands. Why? Because all card acceptance agreements require you to remain compliant with the Payment Card Industry Data Security Standard. Breaches cost the average small business between $36,000 and $50,000. Fines alone for major breaches can far exceed $500,000.
  • State breach-notification laws. Each state has its own law governing how you must notify customers of a data breach. All the laws are slightly different, which can make compliance difficult for multi-state operators. The Association has lobbied Congress to enact a single federal statute, but Congress has yet to act.
  • Class-action lawsuits. Breach notification typically triggers class-action suits, and customers may be able to sue simply based on the risk they face following a breach. Even a suspected breach can trigger legal actions and negative press. Costs can add up quickly.
  • Brand damage. Damage to your reputation and the loss of customer loyalty can severely impact your bottom line after a breach.
  • Potential congressional action. Despite the Association’s advocacy, banks and financial institutions allege that merchants are irresponsible data custodians and need more direct government regulation.

What you can do

The National Institute of Standards and Technology (NIST) developed the Cybersecurity Framework for Critical Infrastructure. The Association has adapted the NIST framework for the restaurant industry. At its core are five functions: Identify, Protect, Detect, Respond and Recover.

Using these five functions as a foundation, you can build a cybersecurity plan for your operation that will go a long way toward protecting your business.

Think of the NIST framework like a HACCP plan for digital safety. While it’s not a cure-all, by carefully building a plan that fits your unique situation you’ll be better positioned to avoid cybersecurity threats to your restaurant.

Each of the next five parts of this resource will focus on one of the NIST framework functions and give you an overview of how you can easily begin to develop your own cybersecurity plan.
