You’ve likely placed an online food order in the past six months; many of us do it on a regular basis. We all took notice as restaurants all over the world were thrust into a shift towards a delivery- or pickup-only business model in order to survive during the pandemic, mostly with consumers placing online orders and making digital payments. Though this pivot allowed businesses to survive dire times, criminals are now taking full advantage of the online commerce swell: March 2020 saw a 600% increase in email phishing scams. Restaurant owners are now well aware they have a duty to protect customers with trusted cybersecurity. But complicating things further, 74% of customers want free WiFi to be part of their dining experience, opening the door for even more customer vulnerability. Jacey Kaps is an attorney at RumbergerKirk, and he joined me to discuss the legal ramifications regarding restaurants and how they protect themselves from cybersecurity risks and data breaches.
Restaurant giants like McDonald’s are not immune to troubling cybersecurity risks. Just this year, McDonald’s said attackers stole customer emails, phone numbers and addresses for delivery customers in South Korea and Taiwan. According to SecurityMagazine.com, in Taiwan, hackers also stole employee information including names and contact information. With even the largest of companies at risk, Hilary Kennedy asked attorney Pooja S. Nair to share what restaurants should do to prepare for the worst cybersecurity risks.
“The restaurant industry is uniquely vulnerable to mobile security incidents from physical tampering and point of service hacks such as clerk skims, POS swaps and malware attacks that can result in mobile security incidents that expose sensitive customer information. The problem is, it’s expensive to put security in place, but disclosing a data breach is required by law and it’s going to get noticed by customers.” – Jacey Kaps
“What responsibility do restaurants have to protect against cybersecurity attacks and data breaches? Well, this has been an extremely hot topic, particularly with some recent high-profile instances of restaurant chains and hospitality chains being attacked in cybersecurity data breaches. For example, Dickey’s Barbecue recently settled a case in August of 2021 in which they were dealing with a data breach that had exposed consumer credit card information. And the allegations in the lawsuit were that they did not securely maintain customer data and it violated California’s Consumer Privacy Act, the CFPA. As more restaurants offer things like Wi-Fi services, it’s important for them to be aware of the consequences of a potential breach, and of what they can do to build up their infrastructure and what resources they can tap into to limit liability. So, in some cases, that could be getting some form of cyber insurance to protect against the consequences of a data breach or a hack. In many cases, it’s important to analyze how exactly customer data is being collected and stored and ensuring that the servers that are being used to store that data are secure and that you have a plan, a business continuity plan in case consumer data is breached. Being able to notify consumers quickly if sensitive data is breached and ensuring that customers who are using your Wi-Fi systems sign something on the Sign On page that indicates their awareness of this being a public Wi-Fi access point.” – Pooja Nair