This post is part of our cyberSAFE series focusing on SMB financial and reputational risks. You can learn more about the financial and reputational risks SMBs face during every phase of business growth by registering for our upcoming webinar on June 10th at 12 PM CT.
This cyberSAFE guest blog post comes to you from Eva Velasquez, the President/CEO at the Identity Theft Resource Center, a non-profit organization which serves victims of identity theft. Ms. Velasquez previously served as the Vice President of Operations for the San Diego Better Business Bureau and spent 21 years at the San Diego District Attorney’s Office.
The number of data breach incidents occurring in the U.S. continues to rise. In 2013, the Identity Theft Resource Center (ITRC) recorded 30% more breaches than the number tracked in 2012. Data breaches can affect any entity or business in any industry sector, including restaurants. In fact, according to Visa, from 2009 to 2011 there was a large increase in the percentage of breaches in the restaurant industry, from a reported 29% in 2009 to 73% in 2011. Additionally, the 2013 Verizon Data Breach Incident Report indicated that retail environments and restaurants represented 24% of the 621 breaches included in that report.
Restaurants are vulnerable for multiple reasons: employees have the ability to use skimmers to collect customers’ personal information; restaurants face a high level of risk for point-of-sale (POS) intrusions, which makes them a target for cyber criminals; and they hold large volumes of transaction records, which cyber criminals view as valuable.
The fallout from a breach at your small business can be widespread and devastating. The trust of restaurant patrons can be negatively impacted when a restaurant is breached. In late 2013, when a large restaurant chain was breached in Boston, local restaurant goers told news stations they would be switching to cash in order to protect themselves. However, cash is not as convenient as credit cards, and patrons may choose to go to a different restaurant if your business has had a reported breach.
A data breach incident can also prove to be very expensive. Associated expenses can include the cost of notifying individuals who have had their information breached or potentially compromised, credit monitoring for those affected, investigation efforts to determine the cause, and implementation of information security measures to minimize future risk. In addition, restaurants may have to engage in public relations to mitigate the backlash from a breach. Finally, there may be fines or civil actions for lack of safeguards that could have prevented the breach.
However, the picture is not completely bleak for restaurant owners. There are a few ways these small businesses can be proactive against a breach. First, they can begin accepting ‘Chip and PIN’ cards. Chip and PIN cards have proven to be much more fraud resistant than either chip and signature cards or cards that hold the user’s information on the magnetic stripe. While this technology is widely used in Europe, it has not become commonplace in the U.S. Restaurants should also make sure they are PCI-DSS compliant. Vendors can receive help from the PCI Security Standards Council to ensure they are compliant.
Second, restaurant owners should work with their payment system provider to make sure they are following best practices for security, and that any third-party service provider has sufficient data security protocols and security measures in place. Small actions such as changing default credentials on payment system software or adopting stronger password management can have a big effect on minimizing an organization’s risk of being breached.
And lastly, restaurant owners should train all employees on how to protect customers’ data and inform them as to why this is important. If a restaurant values its customers, it should also value their personal information and keep it safe.
So, if there is a breach, how should a small business react to protect its customers and itself? All restaurants should have a written data breach incident response plan. This plan, with established protocols, will help establishments be prepared to effectively address the situation whenever it occurs. A breached restaurant should be honest with the public and communicate quickly and truthfully with those who may have been affected. They should also work actively with law enforcement to investigate the incident and obtain as much information about the breach as possible. This way, small restaurant owners can inform their customers and know how to stay protected in the future. They should also provide credit monitoring to their affected patrons and work with the ITRC to assist their customers who may need help or have questions.