Dealing with the risk of data breach in the hospitality industry
While financial institutions have the most breaches (36%), hotels and restaurants are the next category on the list.
By Darren Dunn, Commercial Lines Account Executive
When you think of data breaches, do you think of banks first? Or maybe, you think of retailers, like the Target breach that occurred during the crucial holiday shopping season in 2013. Yet if you're in the restaurant industry, you should think of your own business first.
While financial institutions have the most breaches (36%), hotels and restaurants are the next category on the list. Thirteen percent of all data breaches affect the hospitality industry. Retail is seventh highest, with six percent of breaches. Here's the link to the data if you want to know more.
In my experience, many owners of small to medium size businesses think about insurance in terms of property (like fire or storm damage) and liability (like someone falling down at their restaurant and getting hurt). There's often a need for the insurance agent to explain the need for some type of data breach coverage.
So who actually needs coverage for a data compromise type of loss? The answer is - any business that possesses personal data on clients, employees, or others that can be stolen, electric electronically hacked, or lost through an accident or inadvertent release of critical information.
The restaurant business is based on a certain type of trust - not only that the food you serve will taste good, but that it's high quality and safe to eat. They trust your judgement and management practices … and that includes how you handle their personal data when you pay for your meal.
The restaurant chain Noodles and Company was in the news recently for a data breach that affected multiple locations in Iowa. You can read about it here. Whether you're a franchisee or owner of an independent restaurant, the unfortunate news is, this could happen to you. It's happened to Landry's, including the popular McCormick & Schmick's chain, and it's happened to Wendy's. Each of these incidents helps us learn steps to take to reduce the risk of a breach. We also learn what it takes to communicate with affected customers and begin to recover.
If you've thought about how a data breach might affect your business, did you also think about your legal obligations if a theft occurs? You may have specific obligations for notifying customers or providing services for customers to monitor their credit. The overall cost of a breach could be much more than the cost of lost customers.
So when you're thinking about your risk of a data breach, here are some things to consider:
First, how much would it cost you to respond? Forty seven states have laws requiring that you notify individuals whose personal information is lost or stolen. Even if your business is located in a state without a notification law (South Dakota, New Mexico and Alabama), you're still responsible for notifying customers that live in other states that do have a notification law. In the case of Noodles and Company, they notified that customers were at risk for a period of six months. That's a lot of customers to notify and could get very expensive.
Next, how bad is the breach? Hiring legal and forensic consultants to review and determine the nature and extent of the breach is likely not in your budget. Neither is providing services to your affected customers that may mean the difference between them returning to your restaurant in the future. These are things like credit reports and monitoring, identity restoration and help hotlines.
I wish this were the end of my list of considerations … but you still have to think about the fact that one of the affected customers could take legal action against you. You're going to need coverage not only for your potential liability … but also to pay for your defense no matter the outcome.
And finally, what about you? Your personal information may have been compromised too. You may need your own identity recovery services!
As insurance professionals, it's our job to think about this stuff a lot, so you can hopefully think about it less. If you're wondering what to do next … call your insurance agent. The most important thing is having the right person to work with you on what exactly your restaurant would need and exactly what insurance coverage and risk management practices will help make sure you're ready.
My company has some more information on this topic here, and you can also visit http://www.idtheftcenter.org/ for more.
State Auto Insurance makes no representations or guarantee as to the correctness or sufficiency of any information contained herein, nor guarantees results based upon use of this information. State Auto does not warrant that reliance upon this document will prevent accident and losses or satisfy federal, state and local codes, ordinances and regulations. The reader assumes entire risk as to use of this information.