The National Restaurant Association recently released a new guide for restaurant operators looking to strengthen their cybersecurity programs.

In 2015, the National Restaurant Association released its first manual for restaurant owners, “Cybersecurity 101: A Toolkit for Restaurant Operators” [PDF], which outlined best practices in five core areas of cybersecurity planning. This past month, the National Restaurant Association built on that manual with the release of “Cybersecurity 201: The Next Step” [PDF], which provides restaurant-specific guidance. The National Restaurant Association drew on the expertise of technology personnel from top multi-unit restaurant companies. The guide is a must-read for any franchise system in the food service space.

The guide takes the Cybersecurity Framework prepared by the National Institute of Standards and Technology (NIST) and adapts it for use in the restaurant and hospitality industry. Restaurant franchise systems can learn how to apply the NIST framework by reviewing the real-world hypotheticals.


For example, there is “Sam,” whose restaurant experiences a compromise of customer credit card data. After a forensic team descends on his business, Sam quickly realizes how little he understands about who has access to his computer systems, which vendors service his POS systems and how often he upgrades hardware. The result? Sam lost loyal customers and was slapped with a hefty fine from his credit card processors.

In addition to three other nicely detailed case studies, the guide shows how almost 100 NIST Cybersecurity Framework subcategories can be applied in a restaurant setting, ranks cybersecurity action items from most to least urgent and provides a glossary of cybersecurity terms. Even the most cyber-savvy restaurant systems should find the guide full of useful information.

This week, the Federal Trade Commission (FTC) updated its guidance for businesses on complying with the Children’s Online Privacy Protection Act and its implementing Rule (COPPA). If a website operator or operator of online services collects personal information from children under 13, then the business must comply with COPPA. The definition of “personal information” is broad and includes a child’s name, voice, address, photo, email address or telephone number. COPPA encompasses a wide range of activities, including mobile apps and toys or other products connected to the internet. This means that businesses, including franchised businesses, geared toward selling products or providing services to children are covered by COPPA and must strictly comply with the Rule.


The FTC now provides new and updated guidance in three main areas:

  1. New Business Models. The FTC broadens the scope of covered businesses to account for new ways that companies collect data.
  2. New Products. If your franchise offers and sells a product that connects to the internet and collects personal information, including voice recordings or geolocation data, then COPPA applies to your business.
  3. Parental Consent Collection Methods. One of the main features of COPPA is its requirement that businesses obtain verifiable parental consent BEFORE collecting a child’s personal information. The new guidance discusses two newly approved methods for obtaining parental consent: asking knowledge-based authentication questions and using facial recognition to match the parent against a verified photo ID.

With technology constantly evolving and the nearly universal collection of personal data by websites and apps (particularly the now common collection of geolocation data), a franchise system providing products or services to children must keep up to date on the FTC’s latest COPPA guidance. The FTC also publishes answers to frequently asked questions about COPPA, or you can email the FTC at coppahotline@ftc.gov.


The Radio Shack bankruptcy case raised a fundamental question regarding the sale of personally identifiable customer information: Can it be done? The answer is “Probably”. (You expected anything else?)

When Radio Shack filed for bankruptcy protection, it had collected personally identifiable customer information respecting 117 million individual customers. Radio Shack had promised customers in its privacy policy that it would not “rent or sell” their personally identifiable information to any third party. In the bankruptcy proceedings, the customer information was identified as an asset. Radio Shack proposed to sell this asset for the benefit of creditors. The FTC, many state attorneys general, Verizon and AT&T objected to the proposed sale. A privacy ombudsman, permitted by the Bankruptcy Code, was also appointed by the Court.

The Bankruptcy Court ordered all parties to mediate the dispute. In mediation, a deal was reached permitting customer information to be sold. However, a number of conditions were attached to the sale. First, the buyer had to agree to be bound by Radio Shack’s privacy policy. Second, customers had to be given notice of the sale and an opportunity to “opt-out” either via email or mail, depending upon whether Radio Shack had a valid email address for the customer. Third, opt-out information had to be “prominently” posted on the Radio Shack website. Finally, the buyer was prohibited from the use of “sensitive” information, including debit/credit card information, date of birth and government IDs such as Social Security numbers.

The Radio Shack settlement provides a number of takeaways respecting the sale of personally identifiable customer information, in and out of bankruptcy:

  • Even government actors such as the FTC and state AGs appear to recognize that privacy rights are not absolute and must be balanced against the interests driving a sale.
  • A bedrock principle is the need to honor the promises made by the company that collected the information.
  • Government regulators require an “opt-out” process for affected customers.
  • Company privacy policies and disclosures should make it explicitly clear that information collected from customers may be sold and/or provided to a successor or buyer company, including if such information is sold in the context of a bankruptcy.
  • Don’t ignore HIPAA, which applies to protected health information held by covered entities and their business associates, in or out of bankruptcy.


A few months ago we wrote about the FTC’s decision to launch a Consumer Privacy Bill of Rights. One of the more interesting things about the Bill of Rights was that the FTC seemed to be setting up a regime where a company’s voluntary decision to “opt in” to the regime could become the basis for FTC enforcement if the voluntary policy was breached. In fact, Commissioner J. Thomas Rosch dissented from that portion of the FTC’s privacy report and recommendations.

So it was interesting to me to note that Commissioner Rosch voted with a unanimous majority of FTC Commissioners to authorize a complaint against a large, international hotel group where the violation is based upon the group’s own privacy policy. Specifically, the FTC complaint alleges that the hotel group’s “privacy policy misrepresented the security measures that the company and its subsidiaries took to protect consumers’ personal information.” The agency charges that the security practices were unfair and deceptive and violated the FTC Act.

What particularly seems to have upset the FTC in this case is that one breach allegedly facilitated other breaches. The hotel group learned in 2008 of a data breach of its system through one property. The FTC claims the security flaws exploited in that breach were not corrected, allowing two further breaches to occur. In those two subsequent breaches, the FTC says that approximately 120,000 consumer payment card records were stolen. Those records were allegedly used by crime syndicates, including some in Russia, to make fraudulent purchases.

This enforcement action by the FTC again highlights the importance of developing best practices for the protection of private consumer data and for the maintenance of privacy policies. Perhaps more importantly, it also demonstrates that, despite public misgivings from at least one Commissioner, the FTC seems intent on using its enforcement powers to require companies to fully comply with their stated privacy policies. This development will bear watching, and, in the meantime, it suggests that a careful review of privacy policy and practice is in order to ensure the two are in alignment.