Owning and operating a franchise food business provides the opportunity for both personal satisfaction and financial success.
While many owners experience great benefits, the challenges to effective operations are making such benefits harder to obtain.
California Civil Code section 1798.82 requires that businesses notify residents if a breach involves a resident's name plus one or more of the following: Social Security number, driver's license or state ID card number, or financial account numbers.
Theft and fraud are a traditional risk to the financial success of any retail business. However, this risk has reached epidemic proportions. Recent studies indicate that the restaurant industry loses $15 to $25 billion annually due to employee theft and fraud. Nevertheless, a different type of threat has emerged that has the potential for far greater financial losses, including the total disruption of business operations: computer systems attacks and security breaches.
The Federal Trade Commission is pursuing enforcement action against a national retailer after a security hole exposed thousands of credit card numbers to the Internet.
Computer systems are an integral part of daily operations for the retail food industry. A variety of computerized systems are now employed to make basic functions more effective and efficient: employee scheduling, meal planning, inventory control, credit card processing, payroll processing, payables management and tax filing, to name a few. Now imagine all of those functions disappearing in the blink of an eye because of a deliberate computer system attack, computer virus or mechanical failure.
Franchise food businesses are especially vulnerable to computer system attacks and unauthorized data access because of their tough-to-secure work environments, high levels of employee turnover, pervasive use of credit card transactions, and increasing use of wireless terminals. Additionally, their computer systems typically store confidential employee information that includes Social Security numbers and bank account numbers used for direct deposit of payroll. While the destruction of computer systems and operating data will significantly affect business operations, the loss of confidential credit card and employee information may trigger hefty financial penalties, regulatory enforcement action, and expensive litigation.
A growing collection of state laws, federal regulations and contractual rules now mandates computer security standards and practices. What can you do to protect your company’s valuable information and computer assets, reduce the financial impact of security breaches and ensure compliance with applicable rules and regulations?
First, determine what information should be protected, by whom, using what tools and processes, and at what cost. Develop policies and procedures that accurately reflect your company’s current operating environment; provide appropriate levels of protection based on the severity of anticipated threats; and facilitate compliance with applicable rules and regulations.
VISA® has stringent computer security rules for companies that store, process or transmit credit card information. Failure to comply with these standards may permanently prohibit a merchant from participating in VISA card programs.
Make sure these critical areas are addressed:
- Personnel policies including background checks, hiring practices, nondisclosure agreements, termination procedures and training.
- Physical security, including protection from flood, wind, earthquake, fire, water leaks, theft, vandalism, communications outages and loss of power.
- Email and Internet policies to define appropriate employee behavior.
- Controls to regulate access to valuable computer data and audit trails to show who has accessed such data.
- Hardware and software such as firewalls, antivirus programs, email monitors, and content filters to restrict outside access to your computers and protect against malicious programs (e.g., viruses, worms, Trojan horses) and offensive material.
- Computer network intrusion detection and response procedures so that you can know if your computer system is hacked and what steps are required to determine the damage, resume operations, and comply with any rules and regulations that require you to notify others about the breach.
- Data backup and disaster recovery procedures so that you can recover from an event that causes data, equipment, or network destruction.
- Contract provisions to ensure that the confidential data your service providers receive are fully protected (for example, payroll and accounting services).
Next, implement your computer security policies and procedures and validate them through testing. Repair any weaknesses that are discovered, update policies and procedures, and retest to validate the effectiveness of the changes.
Employee payroll information and customer credit card numbers are especially valuable to identity thieves. Loss of such information can expose your company to expensive litigation.
Finally, implement an ongoing research and training program to keep your management team up to date with computer trends, the latest security threats, and future regulatory changes.
The goal of this process is to:
- Ensure the availability, integrity, and confidentiality of valuable company and customer information.
- Establish and maintain accountability for processes, policies and control.
- Assure that technical and operational security measures work as intended.
- Protect your hard-earned investment.
You may be fortunate to have knowledgeable employees who are capable of performing these tasks. However, you and your staff may find these tasks daunting. If this is the case, you may find significant value in obtaining the assistance of a qualified computer-systems professional.
Remember, it’s treacherous out there and numerous threats abound. When it comes to computer systems security, being informed, cautious, vigilant and well prepared will generate direct benefits to your bottom line.