Mistakes Restaurant Owners Make Related to Cyber Liability

October 25, 2017

By Jason VanGotten, Colorado Restaurant Insurance

Even with all the recent news headlines related to data breaches and cyber attacks, the likes of which have never been seen before, cyber liability is a relatively new area of risk that restaurant owners now face. As customer data continues to be obtained and stored by restaurants, the risk of a data breach inside or outside the restaurant continues to increase year over year. Malicious hackers typically steal credit card data from restaurants that accept cards by hacking into point-of-sale systems remotely and seeding those systems with malicious software that can copy account data stored on a card’s magnetic strip. Thieves then use that data to clone the cards and use the counterfeits to purchase high-priced merchandise, or put them up for sale in a so-called theft bazaar such as Joker’s Stash prior to the card-issuing banks cancelling them.

In the midst of this are some very dangerous misconceptions held by restaurant owners. These misconceptions keep them from taking necessary steps to better understand their cyber risk and coverage related to such vulnerabilities.

Consider these 4 common mistakes a restaurant owner can make in this area of risk management.

My general liability insurance protects me in the event of a data breach or cyberattack. Most restaurant owners purchase a general liability or businessowners policy believing their insurance agent has placed this as an optional coverage on the policy. But for now that is very rare. Even if that were the case, the policy will only provide defense coverage for the insured, typically up to $25,000 to $50,000. General liability coverage lacks the breadth needed to properly protect the restaurant owner from cyber liability losses. A stand-alone cyber policy provides the broadest coverage a restaurant owner needs for third-party costs, data breach response, PCI fines levied by card services, notification resources, legal fees and forensic costs. Not investigating this closely is akin to leaving your restaurant door open when you leave at night, which is not a great strategy for ensuring the safety of your restaurant.

A stand-alone cyber policy will be unaffordable. Depending on your restaurant size and gross revenues, a typical restaurant owner can expect to pay between $900 and $3,000 annually for a stand-alone cyber policy. However, the risk of loss, in particular to your brand image after a data breach or cyberattack, may be too great to go without this protection.

My IT company and firewalls installed will protect me. These entities have a service level agreement (SLA) with your restaurant. When was the last time you reviewed your SLA? Many times these agreements do not protect you, the restaurant owner; instead, they protect the IT company from any involvement related to a data breach or cyberattack. Make sure you check your SLA and have a conversation with your IT company to see what they will do for you in the event of a data breach or cyberattack. Many times your employees pose huge risks to the safety of your cyber data, from opening suspicious emails and downloading malware to losing smartphones with connections or memorized passwords. Remember that a data breach can also occur with employee records that are not well protected or disposed of properly.

My merchant services are protection enough. Again, there is a service level agreement between you and your merchant servicing company. While this may give a restaurant owner hope, chances are that you will ultimately be responsible for protecting your customers’ data as it passes through your IT systems. Therefore, you should consider the costs to your restaurant if your merchant services vendor does not agree, or points the finger in your direction over who is responsible.

A cyber criminal can strike with little to no warning, leaving the restaurant owner with tremendous cleanup costs, from data recovery to rebuilding your restaurant’s brand reputation. An owner or manager can only do so much. The people who handle the day-to-day operations of the restaurant also need to be aware of what to do and why to do it. As a restaurant owner you owe it to yourself and your employees to investigate this protection and risk before you decide not to worry about it. A restaurant owner must be deliberate and careful in purchasing cyber coverage. Specific risks must be understood and the appropriate coverage identified.

For more information pertaining to cyber liability coverage, please contact Jason VanGotten at jvangotten@corestaurant.org

If it Can Happen to Equifax…it Can Happen to YOU! Protect Your Restaurant From a Data Breach

September 12, 2017

By Jason VanGotten, Colorado Restaurant Insurance

Restaurants can learn critical lessons from Equifax’s massive data breach. When basic security precautions are not being taken with internet usage, losses are the real threat. There are two possible news headlines when a data breach occurs. One says, “Restaurant fails to follow basic security principles. Customer’s information compromised.” The other, “Despite best practices, hackers get in!”

It seems that people are getting breach-deaf. They hear the same warnings over and over and see the same headlines of cyber breaches. They seem to think, “It won’t happen to me! We are too small to be on the radar of a cyber-criminal.” This is why precautions are not being taken seriously. But, these are unlocked doors that allow opportunity for thieves. Cyber-criminals scan buildings and neighborhoods for Wi-Fi connections like “Linksys” and then run through a list of known “out-of-the-box” passwords to see if a network was left unlocked. The reality is that 9 out of 10 data breaches involve small businesses. 65 percent of all breaches are point-of-sale terminals or are web application attacks. 78% of small businesses do not have a cyberattack response plan.

Why would cyber criminals go after a small business? In most cases, the owners of small businesses have not been educated about cyber risk and many of them do not have the resources to stay ahead of the perpetrators. How can businesses protect themselves from these cyber-criminals?

  1. Educate and empower yourself and your employees to identify the potential issues.
  2. Know where all your sensitive structured data resides and never store cardholder data.
  3. Never transmit data that is not encrypted or over public Wi-Fi networks.
  4. Always outsource payment processing to combine point-to-point encryption and tokenization technologies.
  5. Use layered security such as multi-factor authentication which uses a combination of a password and another factor to verify identity.
  6. Install and regularly update anti-spyware, anti-virus and anti-malware software to help prevent and detect threats to your computing systems.
  7. Set social network profiles to private and check security settings. Also, be mindful of what information you post online.
  8. Protect the perimeter to prevent hackers from accessing sensitive data and your company’s computer network.

Cyber liability losses can strike with little to no warning, and a vulnerability can leave you with a costly mess, from data recovery to rebuilding your restaurant’s reputation. You lock your doors and turn on the alarm system at night for safety; why not take the same approach for cyber security?

If you have questions about cyber security, compliance, or what you can do to protect your business, contact Jason VanGotten at jvangotten@corestaurant.org
