Watch out, Florida restaurants! The Florida State Legislature has tightened controls over businesses for data security breaches. Signed into law on June 20, 2014, and effective July 1, 2014, the new Florida Information Protection Act (FIPA) will impact your restaurant business and how you handle data breaches. In recent years, data breaches have become commonplace, and have unquestionably affected the full-service restaurant industry. A recent example is the security breach that impacted P.F. Chang’s. In June 2014, P.F. Chang’s announced that the security of its credit card processing systems had been compromised, affecting 33 P.F. Chang’s branded stores spanning 18 states in the continental United States. A class action suit stemming from the data breach incident is currently pending against P.F. Chang’s. The evidence is clear: hackers are targeting restaurants.
What You Need to Know About FIPA: Compliance and Consequences
Expansive Scope. The Act requires each covered entity and third-party agent to take reasonable measures to protect and secure data in electronic form containing personal information. The term covered entity includes various forms of commercial entities that acquire, maintain, store or use personal information. The definition of personal information includes the type of information that is commonly used by any full-service restaurant, i.e., credit card and debit card numbers, as well as email addresses used with loyalty programs.
Stricter Notice Requirements. The new law delineates three key areas of notice. Notice is required to the department of legal affairs for any breach of security involving 500 or more individuals in Florida. The covered entity must provide notice as expeditiously as practicable, but not later than 30 days after determination of the breach or reason to believe a breach occurred. Notice is also required to each individual in Florida whose personal information was accessed, or is reasonably believed to have been accessed, as a result of the breach. The timing of the notice cannot be later than 30 days after determination of a breach or reasonable belief thereof unless there is a determination by a law enforcement agency that the notice would interfere with a criminal investigation or if there is a reasonable determination, after appropriate consultation with a law enforcement agency, that the breach has not and will not likely result in theft or financial harm to individuals. Notice is additionally required to consumer reporting agencies in the event of a breach involving more than 1,000 individuals at a single time. Third-party agents who contract to maintain, store or process personal information should be mindful of the new notice provisions requiring them to notify the covered entity no later than 10 days following determination of a breach of security.
Disposal of Records. The new law requires reasonable measures to dispose or arrange for disposal of customer records containing personal information when the records are no longer to be retained. Customer records include any material, regardless of physical form, on which personal information is preserved or recorded by any means, and provided by an individual in this state to a covered entity for the purpose of purchasing or leasing a product or obtaining a service.
Consequences. A violation of the new law is treated as an unfair or deceptive trade practice under Florida Statute section 501.207 in any action brought by the department; however, the Act does not establish a private cause of action. A covered entity that violates the Act can be liable for an amount of $1,000 for each day up to the first 30 days, and thereafter, $50,000 for each subsequent 30-day period or portion thereof for up to 180 days. The penalty cannot exceed $250,000.
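The notice thresholds and deadlines described under "Stricter Notice Requirements" and the penalty tiers above, turned into a small incident-response checklist helper. This is an added Python example, not code from the article or any official tool; the Breach record, the function names, and the reading that penalties accrue for at most 180 days are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from math import ceil

# Thresholds and deadlines as the article summarises FIPA (constructed constants).
AG_THRESHOLD = 500          # 500 or more Florida individuals -> department of legal affairs
CRA_THRESHOLD = 1000        # more than 1,000 at a single time -> consumer reporting agencies
ENTITY_DEADLINE_DAYS = 30   # covered-entity notices: no later than 30 days after determination
AGENT_DEADLINE_DAYS = 10    # third-party agent must notify the covered entity within 10 days

@dataclass
class Breach:
    determined_on: date                   # day the breach was determined or reasonably believed
    florida_individuals: int              # Florida residents whose data was (likely) accessed
    third_party_agent: bool = False       # True if we are the agent, not the covered entity
    law_enforcement_delay: bool = False   # law enforcement says notice would interfere
    no_harm_determination: bool = False   # reasonable no-harm finding after LE consultation

def notice_obligations(b: Breach) -> dict:
    """Map each notice the article describes to its deadline.

    A value of None for "individuals" means the 30-day clock does not apply
    because one of the two exceptions in the article was invoked."""
    entity_deadline = b.determined_on + timedelta(days=ENTITY_DEADLINE_DAYS)
    obligations = {}
    if b.third_party_agent:
        # The agent notifies the covered entity; the entity then owns the notices below.
        obligations["covered_entity"] = b.determined_on + timedelta(days=AGENT_DEADLINE_DAYS)
        return obligations
    if b.florida_individuals >= AG_THRESHOLD:
        obligations["department_of_legal_affairs"] = entity_deadline
    excused = b.law_enforcement_delay or b.no_harm_determination
    obligations["individuals"] = None if excused else entity_deadline
    if b.florida_individuals > CRA_THRESHOLD:
        obligations["consumer_reporting_agencies"] = entity_deadline
    return obligations

def penalty_exposure(days_in_violation: int) -> int:
    """Dollar penalty for a continuing violation using the article's tiers and cap."""
    days = min(max(days_in_violation, 0), 180)    # assumption: accrual stops at 180 days
    first_tier = min(days, 30) * 1_000            # $1,000 per day for the first 30 days
    later_periods = ceil(max(days - 30, 0) / 30)  # each later 30-day period or portion thereof
    return min(first_tier + later_periods * 50_000, 250_000)
```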
Data Security: Are You Making These Mistakes?
Restaurants can be attractive targets for cyber criminals because they tend not to have robust security systems. Point-of-sale (POS) systems, a critical component of the full-service restaurant industry, have in fact become frequently targeted by cyber criminals. Below are key areas of security that you should review, assess, and address.
Keep antivirus software and hardware updated. Updated antivirus software provides a basic level of protection. In some cases, upgraded software protection may be required in order for a business to be in compliance with the Payment Card Industry Data Security Standard (PCI DSS). Hardware upgrades are just as essential to maintaining security as updated software. Older machines can be easier to bypass than newer machines, and outdated hardware often does not support the newest software or technology.
Stronger and unique passwords! A unique user ID and password for each person is another basic level of protection that can add a layer of security to your computer systems. Many businesses make the mistake of using a common user ID and password, permitting several employees to use the same credentials. This creates unnecessary exposure and allows your system to be readily hacked. It also makes it difficult to track and investigate the source of a breach, particularly in cases in which numerous employees share the same login credentials. Another common mistake is the use of simple passwords. Be sure to require the use of at least one special character or symbol, a capital letter, and a number.
Third-party vendors and remote access. A strong level of control should be exercised over your third-party vendors, especially when the vendor has a reason to obtain remote access to your systems. Security terms should be communicated with absolute clarity with the vendor. More importantly, before such remote access occurs, it may be wise to evaluate whether such access is critical to restaurant operations.
Do not use POS devices for web browsing. Web browsing opens the gateway to accidental downloads of malware and viruses. A good practice is to use the POS device for that function only, and to use other devices for work-related functions, including web browsing.
The new law will force businesses to review and revise their internal controls and procedures for data security. It forces stricter incident response times and stricter notice requirements, compliance with which can be a drain on restaurant cash-flow and operations. An equally critical repercussion of a data breach, particularly for the full-service restaurant industry, is the potential loss of customer trust and confidence. Having in place quick incident response protocols—that compliance professionals help to implement—is a prudent move for any full-service restaurant.
The opinions of contributors are their own. Publication of their writing does not imply endorsement by FSR magazine or Journalistic Inc.