Restaurant Owners Beware: Data Breaches Hurt The Bottom Line

Article was originally published in Total Food Service News in March 2019

Everywhere you turn today, you hear about high-profile data breaches of restaurants including Panera Bread, Sonic, Arby’s, Dunkin Donuts and Chili’s. You may think that a data breach is only a threat to the national chains, but if your restaurant accepts credit cards and has employees, you are at risk as well.

If your restaurant experiences a data breach, you are likely to have a business interruption, incur fees, fines and costs, suffer reputational damage, and be exposed to enforcement actions by government agencies and potential lawsuits. Because hackers target “low-hanging fruit,” or businesses with the weakest cyber security measures, any efforts that you make to improve your data privacy and cyber security situation may reduce your risk of breach and protect your business.

Restaurants Collect and Use More Customer Data Than Ever Before

Today, restaurants are increasing their revenues by collecting and using data to cater to their customers’ preferences, perform targeted marketing and operate more efficiently. TGI Fridays, for example, reportedly used data and artificial intelligence to perform targeted marketing, which doubled its to-go business in 2018.

Vendors such as OpenTable, Seamless and GrubHub are one source of data for restaurants. Restaurants also collect data through their websites, loyalty programs, gift cards, social media and in exchange for free Wi-Fi. This data can include personally identifiable information such as names, addresses, email addresses, birthdays, demographic information, personal preferences and habits.

Why Data Privacy and Cyber Security Need to Be a Priority

Even if your restaurant isn’t utilizing data-driven marketing, it is likely accepting credit cards and paying employees, or collecting and storing some other personally identifiable data of customers like email addresses. Hackers and other bad actors continuously try to get their hands on this data, particularly credit card numbers, social security numbers, names and addresses.

There is a dizzying array of laws which may apply to your collection, use and storage of data, from state breach notification laws to the European General Data Protection Regulation (GDPR). Violating any of these laws may result in legal action by regulatory agencies, state attorneys general and/or individuals, as well as expenses such as legal fees, fines and other monetary liability.

A breach would likely distract you from the day-to-day operation of your business and may cause a business interruption resulting in loss of revenue. Even if a breach were merely suspected, you would likely incur legal fees and forensic investigation costs that may start at $50,000. Also, if your restaurant experiences a breach involving credit card data, you will likely be subject to fines, penalties and chargebacks from credit card companies and processors. You may even lose the right to accept credit card payments.

A breach would also hurt your restaurant’s reputation. The brand that you worked so hard to build may drop as much as 30% in value, according to the National Restaurant Association. You may need to take steps to mitigate the damage, such as hiring a public relations firm.

Because a data breach or similar incident may be devastating to your restaurant, it is essential that data security and privacy be made as high a priority in your restaurant as quality control. Implementing a comprehensive data privacy and cyber security strategy for the first time will require an investment of time and resources. However, when you consider how valuable data is to your restaurant and the magnitude of risk that a breach presents, this investment can be put into perspective. The potential losses due to a breach or a violation of data privacy law, both in terms of money and reputation, are greater than the cost of preventative efforts.

What You Need to Do

Complying with data privacy and cyber security laws relevant to your business and associated contractual obligations involves far more than hiring a good IT provider. Effectively tackling data privacy and cyber security also requires steps such as implementing policies and training employees.

To start, I recommend that you have an IT specialist assess your current cyber security situation and make recommendations for technological improvements. While that process is in motion, the best practice would be to “map,” or take an inventory of, the data in your restaurant’s possession, including:

  1. what data your restaurant collects;
  2. how the data is used;
  3. who has access to the data, including vendors processing payroll or performing marketing;
  4. where that data is stored;
  5. how long the data is retained, and how it is to be destroyed or deleted.

Generally, you will want to limit your collection and storage of data to only that which you truly need, and provide access exclusively to the employees who need it to perform their jobs.

Other aspects of a comprehensive privacy and data security program will include establishing internal policies and drafting a privacy policy for your website. It is critical that you comply with those policies once they are established and communicated to the individuals that you are collecting data from. Your program will not be effective or complete without employee education and training. Once in place, your program will need regular review and updating.

An experienced attorney can determine which data privacy and cyber security laws apply to your business, identify privacy-related provisions of your contracts, recommend a risk-based approach for complying with your legal and contractual obligations, and assist you with various aspects of implementing a comprehensive program, including purchasing appropriate cyber security insurance.

There is much that you can do on your own to protect your business. The National Restaurant Association offers a cyber security toolkit for restaurant operators. The Federal Trade Commission, U.S. Small Business Administration and other organizations offer data privacy and cyber security guides. There are also numerous software products on the market that can help you assess your existing situation, including mapping your data.

As with many other industries, the restaurant business has been radically transformed by technology and consumer data. Along with the potential increase in revenue that can be generated via the collection and use of data comes the risk of liability and substantial costs. I recommend that you make data privacy and cyber security a priority to protect your bottom line.
