There is a lot happening this week at the National Restaurant Association (NRA) Show 2016. From the World Culinary Showcase featuring celebrity chefs and their latest culinary masterpieces, to sessions with key industry experts covering the best ways to increase brand awareness and sales, to the latest technology and how restaurants are evolving along with it – NRA 2016 is jam-packed with opportunities that offer its 42,000 buyers the chance to see, taste, test and learn the latest and greatest the restaurant industry has to offer.
One common thread with all of the events surrounding the NRA show is the overall desire to understand the needs of the customer and to build relationships around those needs. As you walk the aisles of the show, the overall impression is that the customer is still the most important piece of building a successful business.
You can build a successful business by keeping your customers happy, but if you are hit by a data breach, the aftermath can close the doors of your restaurant for good in a flash. Restaurants big and small have fallen victim to data breaches, and the only certainty a breach brings is that it can destroy your business, your brand, and your customers’ loyalty.
The Aftermath of a Restaurant Breach
We have grown accustomed to hearing about data breaches, and eventually, after an investigation is run, how the breach occurred. But what happens after the breach is not always clear. Who is affected? What does the clean-up plan look like? What are the damages, and can the breached company recover?
But if we look at the data breaches that have occurred within the restaurant industry, we see another trend in the form of lawsuits – individuals suing on the basis of merchant negligence. Could the merchant have prevented the data breach from occurring in the first place and how are those affected going to be compensated? If there was concern about data breaches before, the threat of a class action lawsuit following a breach should have the restaurant industry downright fearful of a future without protected customer card data.
Wendy’s – Five Long Months
Just last week, a class action lawsuit was filed against Ohio-based Wendy’s, raising claims that the data breach that stretched over a five-month period could have been prevented if the company had adopted new point-of-sale (POS) technologies and acted faster once it was informed of the breach. The breach ran from October 22, 2015 through March 10, 2016, during which hackers used malware to steal millions of customer credit card numbers that had been used at various locations.
In the plaintiff’s view, Wendy’s used “outdated and easily hack-able computer and credit card systems” and refused to take the appropriate steps to protect their networks from being hacked.
“As a result of Wendy’s data breach, plaintiff and class members have been forced to cancel and reissue payment cards, change or close accounts, notify customers that their cards were compromised, investigate claims of fraudulent activity, refund fraudulent charges, increase fraudulent monitoring on potentially impacted accounts, and take other steps to protect themselves and their customers,” the lawsuit claims.
Even the Unaffected Can Sue for Being Affected
Other restaurants exposed to data breaches are also feeling the sting of aftermath lawsuits. Arizona-based P.F. Chang’s reported in June of 2014 that the computer systems at 33 of its stores had been breached, with consumer credit and debit card data stolen.
Just last month, a federal appeals court reinstated a putative class action lawsuit filed by two customers of P.F. Chang’s China Bistro Inc., who say they were damaged by the restaurant chain’s 2014 data breach. One plaintiff, who paid with his debit card while dining at a P.F. Chang’s location, found four fraudulent transactions on his card. The other plaintiff, who dined at the same location during the same month, did not find fraudulent charges on his card but spent hours of time and effort monitoring his cards.
This case sets a new and important precedent for future data breach lawsuits, as courts ruled that the plaintiffs – even the individual who was not a victim of actual credit card fraud – were able to “meet the standard set in the U.S. Supreme Court’s 2013 ruling in Clapper v. Amnesty International USA in showing a ‘substantial risk of harm’ from the 2013 data breach.”
“In the present case, several of the plaintiff’s alleged injuries fit within the categories we delineated” in the Neiman Marcus case, said the April 14 ruling. “They describe the same kind of future injuries as the (Neiman Marcus) plaintiffs did: the increased risk of fraudulent charge and identity theft they face because their data has already been stolen. These alleged injuries are concrete enough to support a lawsuit,” said the panel, in remanding the case for further proceedings.
The Future of Restaurant Payment Security
It’s clear that we will continue to see lawsuits resulting from data breaches, especially if plaintiffs start to win these cases.
But if we take a look at the cause of most data breaches – malware – there still seems to be confusion as to how the theft of card data can be prevented, and which security solutions can provide the best technology to stop this theft. Specifically, in the Wendy’s lawsuit, the plaintiffs claim that Wendy’s held on to credit card information longer than necessary and failed to meet the October 2015 deadline for EMV cards and terminals.
“Despite the growing threat of computer system intrusion, Wendy’s systematically failed to comply with industry standards and protect payment card and customer data,” the lawsuit states, noting that as a consequence, financial institutions have borne the brunt of the data breach.
However, having EMV in place would have made no difference for Wendy’s: EMV authenticates the card itself, which curbs counterfeit card use, but it does not stop cyber thieves from breaking into a merchant’s network and stealing clear-text credit card data. The PCI Security Standards Council, the global forum and gold standard for security and data protection, states that the solution to stop malware and the data breaches it causes is PCI-validated Point-to-Point Encryption (P2PE).
Technologies such as P2PE and tokenization, which mask stored data, will serve a crucial role in restaurant payment security in the future – with organizations such as the NRA being staunch supporters.
“We believe that end-to-end encryption and tokenization are technologies that restaurant operators should consider to ensure payment card data is protected throughout the transaction chain. The NRA has joined with other food and retail groups to urge the adoption of an open and universal tokenization standard for U.S. commerce.”