Protecting Your Business: Restaurant & Bar Premises Liability

December 12, 2017

By Colorado Restaurant Insurance —

Winter Months are Approaching. How To Prevent Slips, Trips & Falls

It’s true! More than 3 million food service employees and over 1 million guests are injured annually as a result of restaurant slips and falls. Food, water, ice, snow, dirt, sand, and more can prove to be recipes for disaster, not only for employees but also for customers and vendors alike. Many of these injuries are serious, including broken bones, head injuries, twisted ankles and knees, muscle strains and cuts. According to the National Floor Safety Institute, the hospitality industry spends over $2 billion on such injuries each year, and these injuries are increasing at a rate of about 10% annually.

Not only can the potential injury from a slip, trip or fall result in pain and suffering for the injured customer, these accidents also reflect adversely on your business. In addition, they impact your insurance claims experience and insurability as a business owner. Your employees should have the knowledge and authority to take corrective action when unsafe conditions or unsafe acts are observed. The safety and well-being of your customers and employees should be front and center within your day-to-day operations. While not every accident is preventable, restaurants and bars should keep safety a top priority by creating and maintaining a safe environment for their employees and guests by implementing customary industry standards and procedures.

 

Consider implementing recommended safe work practices within your restaurant, including:

  • Provide non-slip matting in areas that tend to be wet.
  • Alert workers/customers to step-ups and step-downs by using hazard tape or other warning signs.
  • Provide adequate lighting, especially in serving and preparation areas.
  • Use portable signage warning of “WET SURFACES” to alert customers of the slippery conditions.
  • Frequently check all critical flooring (aisles, waiting areas and restrooms) during business hours to make sure it is dry, clean and free of hazards.
  • All staircases should have proper treads, sturdy handrails on each side of the stairs and adequate lighting on every flight of stairs.
  • Provide mirrors for blind corners.
  • Keep passageways and walkways free of clutter and crowding.

 

Do your safety part outside your restaurant, including:

  • Parking lots and sidewalks should be clean and level.
  • Provide adequate lighting for nighttime use.
  • Redirect any downspouts that empty water onto sidewalks and parking lots.
  • Remove snow and ice as soon as possible after each storm.
  • Have sand and ice melting chemicals available to spread on ice that might form as melting and re-freezing occur.
  • Exterior stairs should be well lit and have handrails on each side; snow and ice removal there is extremely important.

Employers have a primary responsibility for protecting the safety and health of their workers and customers. However, employees are responsible for following the Safe Work Practices of their employers. In summary, successful control of the hazards associated with these exposures will result in a safer restaurant environment and reduce injury frequency and severity.

 

Consult Colorado Restaurant Insurance at coinsurance@corestaurant.org or call 303-880-2806 to learn more about how to manage your restaurant risks.

The Restaurant Industry’s Reckoning…

November 8, 2017

By Jason VanGotten, Colorado Restaurant Insurance —

In the wake of Josh Besh, a New Orleans chef who recently stepped down from his role amidst allegations of sexual harassment, the industry grapples with how to deal with the issue. According to an eight-month-long investigation by the Times-Picayune, 25 current and former employees of the Besh Restaurant Group claimed to be victims of sexual harassment while on the job. Two have actually filed official claims in recent months with the EEOC. Up until last month, the company, which employs approximately 1,200 people, had no director of human resources, and multiple women said that their complaints were ignored when they attempted to report them.

 

According to the EEOC, only seven percent of American women work in the restaurant industry, yet roughly 37 percent of the sexual harassment claims that the commission processes come from restaurant staff.

 

Even more alarming, approximately three out of four employees who experience workplace harassment never report this behavior due to fears of not being believed, being ignored, or experiencing social or professional retaliation.

 

4 Action Items Restaurant Owners Can Do to Keep Their Employees Safe…

 

  • Train your managers – Offer training courses that will enable managers to more readily identify potential problems and to determine what the appropriate actions might be to prevent harassment before it occurs.
  • Have a clear process – Have a written anti-harassment policy that guides employees on what types of behaviors are inappropriate for your employees, customers, and even third-party vendors. The policy should be included in your employee handbook and signed by each employee indicating that they understand the policy guidelines. If your restaurant does not have an HR department, consider establishing at least two employee advocates whom employees can approach with complaints without any type of retaliation.
  • Educate employees – Employers must also ensure that these policies are followed, enforced, trained and discussed on an ongoing basis. In-person training is much more effective. Make sure your employees know what is appropriate and how to respond when harassed, and remove the risk of retaliation, such as loss of their job, inconvenient shifts, or fewer tables.
  • Respond quickly to issues – Restaurant customers are not exempt from harassment. Have a reporting system in place when a customer is out of line. Make sure management is trained in handling a customer that crosses the line.

 

Anthony Bourdain was recently interviewed by Refinery29 and stated, “Despite some skepticism from industry insiders, the restaurant world is next up for a public reckoning.”

 

If you do get sued because of some kind of harassment case, it has the possibility of costing you more than half a million dollars. To help pay those high costs, you may want to consider Employment Practices Liability Insurance, also called EPLI. This insurance can protect your business from any type of potential employee-related lawsuits. Consult Colorado Restaurant Insurance at coinsurance@corestaurant.org or call 303-880-2806 and speak with Jason VanGotten to learn more about how to manage your restaurant risks.

Cyber Security 101

October 13, 2017

By Jason VanGotten, Colorado Restaurant Insurance —

As a restaurant owner, you’ve put your heart and soul into opening a business and running it successfully. The responsibilities of ownership are sometimes overwhelming. Every minute of the day is critical and typically consumed with a pressing set of high-priority daily activities, such as scheduling stock orders, coordinating schedules, closing out, and many more. With so many tasks in a given day, things like cyber security are often overlooked until it’s too late. In a small period of time, all the hard work, money, and time you’ve invested in your business can be lost. This is our new reality. The threats are increasingly common, whether a restaurant has multiple locations or not. Even large national restaurant chains (Sonic & Chipotle) have IT security holes that have allowed hackers to penetrate their networks and steal personally identifiable information. It is a team effort between the restaurant management team (to create a process and work with employees internally), your IT provider, your point-of-sale (POS) provider, merchant services and your insurance agent to help you with these strategies.

 

Here are the facts: 

  • Malware can make its way into a POS system.
  • Credit card skimming is real.
  • There are 33 million malicious URLs on the internet today.
  • Security experts have found that 50% of the Android applications released this year could be traced to malicious data mining activities.
  • Phishing attempts are hard to spot: “read the attached PDF, Word, or Excel doc.”
  • It can happen by clicking the wrong item. Easy to do.
  • Additionally, your friends can be hacked, and the hackers will size up your profile and pretend to be your friend communicating with you while they try to trick you into giving up a password to log into a phony site. Maybe that is the same password you use for everything in your life?
  • Facebook, Instagram and YouTube hacking is also real.

 

The list of possible ways for your restaurant to be hacked is long.  Often the restaurant networks and the restaurant owner’s personal devices are not fully protected.  Additionally, there is currently no protection or policy in place for internal employees bringing their own devices to work.

 

What should I do?

Talk to the Colorado Restaurant Association (CRA) cyber security insurance experts.  They are partnering with security focused IT experts who can help you create an IT strategy.  The CRA also offers a cyber insurance program to help protect your business in the case of a data breach.  It is smart to be covered from all angles.

 

Attend our upcoming webinar series!

The CRA, in conjunction with their insurance company, Colorado Restaurant Insurance, will continue to highlight the subject of cyber security in an on-going series of upcoming webinars.  Come and learn more about how to protect your restaurant investment.

Cyber Liability – Are You Covered?

October 3, 2017

By Jason VanGotten, Colorado Restaurant Insurance —

 

Originally, I began writing about this back in 2015 when cyber-attacks were starting to become relevant in our world. Now, the world of cyber criminals has fully evolved and results show that 2017 recorded the highest number of cyber-attacks globally. This is evident in the vast amount of attention recently given to cyber-attacks with companies such as Equifax, Sonic, Chipotle, Time Warner, Anthem, Target, and more. Cyber liability is something all businesses need to consider, even the hospitality industry. Considering that your business likely has a website, uses social media, uses internet-connected computers, has a point-of-sale system and most importantly an electronic payment processing system, you probably conduct more cyber business than you may be aware of. Yet, when was the last time you discussed this risk with your insurance agent? Cyber criminals have exploited all sizes of business and cyber liability can no longer be ignored.

 

The discussion around cyber exposure/risk is extensive and complicated. Exposures include computer fraud, hacking, ransomware, phishing, malware, adware, lost equipment and even simple mistakes. Some of the most common occurrences within a small business begin with:

 

  1. Online hacking and data theft of confidential information such as credit card numbers, personally identifiable information, social security numbers, dates of birth, etc.;
  2. Accidental loss or sharing of proprietary information; and
  3. The inside threat, known as phishing, of employees stealing sensitive account information from employers and customers.

 

There are a lot of misconceptions regarding both your exposure and how to protect yourself. Unfortunately, many times the realization of insurance shortfall comes after something drastic happens. The common mistakes an operator can make regarding cyber liability are:

 

  1. Assuming, because you are a small business you are not a target;
  2. Assuming your general liability policy affords the proper coverage needed to protect against a cyber claim;
  3. Assuming cyber liability coverage is too expensive; and
  4. Assuming your point-of-sale, merchant service, and server (IT) companies afford you coverage/protection when a cyber-attack occurs.

 

The most common cyber liability a restaurant faces is a data breach. A data breach happens when an unauthorized individual gains access to electronic information (typically names, credit or debit card numbers and/or bank account numbers). This information is highly desirable to a criminal looking to sell their stolen information on the “Black Market” or to utilize the information themselves. The costs associated with resolving a potential data breach are significant. According to a 2016 Fortune report, a data breach for the Hospitality Industry can cost approximately $139 per record stolen. Consider that the average time to identify a breach is 201 days and that the average time to contain a breach is 70 days. Therefore, depending on the number of credit card transactions you process monthly and some of the potential efforts needed after a data breach (see below), the costs of a cyber-attack add up quickly.

 

  1. Costs of notifying affected individuals;
  2. Costs of notifying regulatory authorities;
  3. Regulatory fines at home and abroad;
  4. Forensic costs to discover the cause;
  5. Business income loss;
  6. Cyber extortion payments (Ransomware);
  7. Lost customers and damaged reputation;
  8. Implementation of credit monitoring services;
  9. IT expert services; and
  10. Defense and settlement costs.

 

The lesson in recent stories making the cyber headlines is that security goes far beyond simply having the right technology. It also requires training your employees with the proper mindset, attention to detail, as well as a clear awareness of these possibilities. Remember, you cannot possibly think of everything that might happen. My advice to all restaurant owners is to strongly consider reducing some of your risk through securing your IT systems (update software regularly, train employees, monitor social networks, encrypt data, change passwords and confirm your vendor’s security). Even performing all these recommendations will not ensure full protection from a cyber-attack. Therefore, we also suggest transferring some of the risk by purchasing a cyber liability insurance policy to protect your restaurant from losses you would be forced to pay for if you are to ever experience a cyber-attack and your client data is successfully stolen.

 

For more information regarding cyber liability insurance for restaurants please contact Jason VanGotten at jvangotten@corestaurant.org

If it Can Happen to Equifax…it Can Happen to YOU! Protect Your Restaurant From a Data Breach

September 12, 2017

By Jason VanGotten, Colorado Restaurant Insurance —

Restaurants can learn critical lessons from Equifax’s massive data breach. When basic security precautions are not being taken with internet usage, losses are the real threat. There are two possible news headlines when a data breach occurs. One says, “Restaurant fails to follow basic security principles. Customers’ information compromised.” The other, “Despite best practices, hackers get in!”

 

It seems that people are getting breach-deaf. They hear the same warnings over and over and see the same headlines of cyber breaches. They seem to think, “It won’t happen to me! We are too small to be on the radar of a cyber-criminal.” This is why precautions are not being taken seriously. But, these are unlocked doors that allow opportunity for thieves. Cyber-criminals scan buildings and neighborhoods for Wi-Fi connections like “Linksys” and then run through a list of known “out-of-the-box” passwords to see if a network was left unlocked. The reality is that 9 out of 10 data breaches involve small businesses. 65 percent of all breaches are point-of-sale terminals or are web application attacks. 78% of small businesses do not have a cyberattack response plan.

 

Why would cyber criminals go after a small business? In most cases, the owners of small businesses have not been educated about cyber risk and many of them do not have the resources to stay ahead of the perpetrators. How can businesses protect themselves from these cyber-criminals?

 

  1. Educate and empower yourself and your employees to identify the potential issues.
  2. Know where all your sensitive structured data resides and never store cardholder data.
  3. Never transmit data that is not encrypted or over public Wi-Fi networks.
  4. Always outsource payment processing to combine point-to-point encryption and tokenization technologies.
  5. Use layered security such as multi-factor authentication which uses a combination of a password and another factor to verify identity.
  6. Install and regularly update anti-spyware, anti-virus and anti-malware software to help prevent and detect threats affecting your computing systems.
  7. Set social network profiles to private and check security settings. Also, be mindful of what information you post online.
  8. Protect the perimeter to prevent hackers from accessing sensitive data and your company’s computer network.

 

Cyber liability losses can strike with little to no warning, and a vulnerability can leave you with a costly mess, from data recovery to rebuilding your restaurant’s reputation. You lock your doors and turn on the alarm system at night for safety; why not take the same approach for cyber security?

 

If you have questions about cyber security, compliance, or what you can do to protect your business, contact Jason VanGotten at jvangotten@corestaurant.org

 

Sources:

Upwork Blog

Heartland Payments Systems

Trusted Choice – Colorado Insurance News

Understanding How to Become PCI Compliant

September 1, 2017

By Jason VanGotten, Colorado Restaurant Insurance —

 

Have you heard of the PCI DSS (Payment Card Industry Data Security Standard)? If not, it provides the standards for all merchants that store, process, or transmit cardholder data. If you are processing credit cards in your restaurants, you are responsible for complying with this standard. Click here for the details.

 

Nearly every restaurant owner has heard of it, but it remains a source of confusion as to what is required of small businesses. However, the good news is that PCI DSS compliance does not have to be confusing. Before we dive into what it takes to become PCI DSS compliant, let’s talk about the challenges restaurants face.

 

The big piece of the PCI DSS compliance pie is limiting employee access to data. Keep in mind the number of servers on a given shift who run credit card transactions: this means multiple machines and multiple staff members with access to physical credit cards. To help ensure you are in compliance, it is imperative that you use unique employee IDs and properly encrypted systems. An outdated point-of-sale (POS) system or credit card terminal typically will not encrypt the data that is processed through it. If your POS software or credit card terminals are outdated, you can contact your merchant processor to find out whether your systems require an upgrade and what they offer as an upgrade to provide data encryption.

 

The National Restaurant Association states that, typically, restaurants that run the highest risk of a data breach use unsecured Internet-accessible networks, like DSL, cable modem, or wireless technology. They may also be using non-compliant POS software that stores credit card data improperly.

 

There are six categories of PCI DSS compliance (refer to the link above for detailed information) requirements, which are:

 

  1. Maintaining a secure network
  2. Protecting cardholder data
  3. Protecting your systems against malware/spyware
  4. Putting strong access control measures in place
  5. Monitoring and testing your networks
  6. Creating an Information Security Policy

 

After looking at these six categories, you may be thinking, “How can they expect small businesses to manage these six categories to stay compliant?” The keys to PCI DSS compliance include proper network security, careful handling of customer cardholder data and the use of only PA-DSS-validated (Payment Application Data Security Standard) POS and payment processing systems. You can find a list of PA-DSS-validated POS providers HERE.

 

You are also required to complete a “self-assessment questionnaire” (SAQ) on an annual basis. The basic SAQ generally takes about 15 minutes to complete and provides the restaurateur with an opportunity to review their business policies and practices related to credit card transactions and data storage.

 

The bottom line is that PCI DSS compliance is required, and this process helps protect your restaurant from data breaches and the fines and penalties that come with them. Card data theft is costly. Therefore, familiarizing yourself with the policies and properly training your staff will end up saving you time and money while also protecting your customers and restaurant from a data breach.

 

For more information pertaining to PCI DSS compliance, please contact Jason VanGotten at jvangotten@corestaurant.org

 

Sources:
Clinard Insurance – Restaurant Blog 2016

Service Animals in Your Restaurant

June 20, 2017

Every year, as the weather gets warmer in Colorado, restaurants are confronted with the familiar issue of people bringing their pets with them into a restaurant. In Colorado, the food code doesn’t allow restaurants to permit animals inside of their restaurant unless the animal is a service animal. Because of that, it becomes the responsibility of the restaurant to determine if a dog is a service animal.

How can a restaurant determine if a dog is a service animal? Short answer: the animal must be a dog or a miniature horse. No other animal qualifies as a service animal under the Americans with Disabilities Act (ADA).

If it is not easy to identify that the animal is a service animal, the business is allowed to ask only two questions per the ADA:

  1. Is the animal required because of a disability?
  2. What work or task has the animal been trained to perform?

 

If the customer responds in a way that even seems appropriate, the restaurant must and should allow the individual in with their service dog. The customer must maintain control of the animal at all times, and must not allow the animal to contaminate any foodservice surfaces. If the animal is running around the establishment, going to the bathroom on the floor, begging for food from other customers, or sitting on the table and the owner is not controlling the animal, the business has the right to ask the individual to leave. According to the health department, if they witness an animal acting like this in a restaurant and the business doesn’t control the situation or ask the customer to leave, that would be a violation of the health code, even if it was a service animal.

 

TIPS FOR SUCCESS!

  • DO NOT ask about the customer’s disability! Doing so could put your business in trouble.
  • Inquiring into the validity of a service animal should be done by an individual who is a supervisor or a manager. Getting this inquiry wrong could put the business in trouble.
  • If there is even a small chance that the animal is a service animal, act as if it is. If a business gets it wrong and doesn’t allow someone to enter with a service animal, the business will be in violation of the ADA.
  • Psychiatric Service Animals ARE service animals.
  • Emotional support animals ARE NOT service animals.
  • Therapy animals ARE NOT service animals.
  • Service animals DO NOT need to wear a vest or have “paperwork” to verify they are a service animal.
  • Service animals DO NOT need to be on a leash if the use of a leash will interfere with an individual’s disability. However, the individual must maintain control of the animal.

 

*This information is meant to be educational and not legal advice. If you have specific questions or need legal advice on this topic, please call 303-830-2972 and we will help get you the support you need.