Data Secured: Secure your customer and employee data from cyber threats
Of all the things that we have to think about as pizzeria operators, cybersecurity probably falls somewhere near the bottom of the list of priorities. Yet, the threat of a cyber attack from a hacker or other bad actor can still keep us up at night thinking about the liability a business can face. While I’m not an IT specialist, there are basic steps that you can take as a business owner to secure your customer and employee data to ensure you don’t face the legal ramifications for lax or nonexistent data security policies.
There are many scenarios that a business can face when it comes to cyber attacks, but for us in the pizzeria and restaurant industry, the data we hold that is most valuable to a hacker is our customer data, both contact information and credit card payment details. Even more sensitive information resides in our payroll systems, which hold critical data like social security numbers.
Data breaches can tarnish your reputation with both your customers and employees, as well as expose you to legal liability if you did not take proper security measures prior to the breach. Generally, laws that place liability on a company for breach of private information use the reasonable person standard for liability. This means that you can only be held liable if you did not take steps that a “reasonable person” would take in your same position to safeguard the stolen data. Thus, you don’t necessarily need to institute Fort Knox levels of security for your sensitive data, but you do need to take reasonable measures that are readily accessible for the business community to help lessen your culpability in the event of a major breach.
For data that is used and accessed in your physical locations, one of the most important steps is to ensure that any device connected to Wi-Fi connects via a hidden network. Using a hidden network means that a potential hacker would have to know the name of the network in addition to the password in order to join it and reach the data running through it.
Another step, typically required by all credit card processors, is that your business be PCI compliant. PCI, or the Payment Card Industry Data Security Standard, is a set of operational standards put in place by an association of credit card processors. The standards include the use of firewalls, properly updating all software, documented access standards, and other protocols. Certifying PCI compliance will help protect you in the event of a major data breach involving customer payment data. The compliance is an annual certification, so these policies should be reviewed every 12 months and updated accordingly.
Reaching out to your credit card processor and/or point of sale provider for tips on how to maintain PCI compliance as well as tips for other safeguards that you can take as a business to protect customer information is best practice to demonstrate that steps have been taken to protect data from bad actors.
Employee data is also critical to maintain as securely as possible. Using methods like two factor authentication for all payroll and human resources systems, creating strong passwords, and restricting employee access to systems will help protect this critical data.
Additionally, training employees to spot “phishing” attempts, where a bad actor sends an e-mail or text from an address that appears to belong to someone within the company, will help prevent data breaches as well.
Another important step to take is to create a privacy policy for your website. A privacy policy generally includes information about how you collect, use and protect personal data, as well as contact information and how website users can exercise their privacy rights. This policy should describe the types of personal information collected such as names, e-mail addresses, payment information, and IP and physical addresses, how this information is collected and used by the business, how it is protected, how long it is retained, and what rights the consumer has for the destruction of such data in any company databases.
A privacy policy is especially important for those who operate in California or near California, as California has very strict data privacy laws, primarily the California Consumer Privacy Act (CCPA) that applies not just to those who operate a physical business in California, but also to those who may collect personal information from California residents. For example, if a pizzeria operated in Oregon near the California border, the business would need to comply with the CCPA because it is presumably collecting a significant amount of data from California residents.
The ramifications of a data breach can be quite steep, both financially and from a consumer trust perspective. There are few things more embarrassing for a business owner than sending a mass notice to all customers that their data may have been accessed as a result of lax security protocols. It can take years for a business to regain the trust of its community after a security incident.
Additionally, fines for noncompliance can range from $2,500-$10,000 or more per incident under various state and federal privacy laws. Of course, the hackers themselves may try to hold the data ransom and extract money from the victim business as well – those ransom payments can sometimes be in the six figures!
One additional precaution to take is to ensure that your business insurance includes adequate cyber attack liability coverage. This is an easy coverage to overlook but is critically important, especially as cyber attacks continue to rise. Your insurance agent and company may have additional protocols and resources as well to ensure that your business is protected.
Overall, data security and cybersecurity are critical compliance components of a small business that many simply overlook until the unthinkable happens. Preparing yourself now to avoid the massive headache and liability that can come later will pay dividends as you operate and grow your business.
Thomas Reinhard is a Seattle-based business attorney and a co-owner of Cascadia Pizza Co.