If a compromise involves payment card data, your card brand will have specific guidelines for you to follow.

Using the NIST Cybersecurity Framework, you’ve learned to identify digital risks to your business, protect your computer systems, networks and data, and detect intrusions. Now you need to plan how to Respond in a worst-case scenario.

Preparing yourself to act will save you time, money and stress, and mitigate further damage to your restaurant business.

To respond to a data breach, you’ll need to work with IT professionals—in-house team member or external consultant—to round up answers to the following questions, among others:

  • What data was compromised or stolen?
  • How did you find out about the breach?
  • How did the breach occur?
  • When and where did it happen?
  • If the breach is still happening, how can it be stopped? If it’s over, how long did it go on?
  • Who was affected by the breach, guests, employees, suppliers?
  • What are the legal requirements?
  • Do your current contracts set any additional legal obligations in the event of a breach?
  • Are you required to inform guests about the breach? The media? Both? What will you say? Are you prepared to issue a press release?
  • Do you have lawyers you can consult who know about cybercrime? Who else should you call? Do you have their phone numbers?

Your answers to these questions will set the stage for your next steps. As noted earlier, most states have data breach notification laws which you’ll have to follow. Familiarize yourself with your state’s notification requirements. Federal laws and regulations may also be relevant, including the Federal Trade Commission’s enforcement authority.

Watch for Digital Security Part 5: Recover quickly and get back to business

Other response requirements may be spelled out in contracts or agreements with third parties. If the compromise involves payment card data, your card brand will have specific guidelines for you to follow. For example, you may be asked not to turn off, access or alter the compromised systems.

You should preserve all logs, document all actions you take and alert appropriate incident-response personnel, including your merchant bank and law enforcement.

Find out how third-party suppliers like the loyalty card company you use protect your guests’ personal information and be sure to review their processes throughout the life of your contracts with them.

Be sure to ask them about their security and privacy policies and talk through what happens if there’s a breach. You also may be able to negotiate indemnification for liability and costs in your contracts.

Simply having the cell phone numbers and emails of key people to contact in the event of a breach can save precious time.

Your first call after detecting an attack or breach should be to a lawyer who is well versed in cyber-crime. After that, all activity should be run through the attorney.

Your communications with your attorney or law firm will be protected by attorney-client privilege, and these experts will be able to work with you to mitigate the impact of potential lawsuits.

Get the Free Guide—Digital Security 101: The Basics for Protecting Your Restaurant’s Data

The National Restaurant Association has adapted keystone data safety precautions—developed by the National Institute for Standards and Technology—specifically for the restaurant industry. Fill out the form below to download your free copy!