Seven. That’s the number of C-level operators who declined to comment for this article. I was asking a pretty straightforward question: What kind of response should restaurant execs have to a data breach, and how has that changed? I wanted to get some perspective on the danger today, and how helpless or potent C-suiters are in the face of the threat.
No one wanted to touch the topic with a 10-foot pole. Obviously, it’s both really scary and really prevalent.
Dan Schulman, CEO of PayPal, spent much of his keynote presentation at the FSTEC conference—a meeting of the techie minds in the restaurant industry in September, hosted by RB’s parent Winsight—on the topic of cybersecurity. “There are two types of companies: those that have been hacked and those that don’t know they’ve been hacked,” he said. “Chances are, hackers are trying to crack your system right now. And odds are that they’ll succeed.”
He was clearly right. Days after we returned from the conference, word of some new cyberattacks hit. A breach at Sonic Drive-In may have impacted millions of credit and debit cards. Some of Whole Foods’ taprooms and full-service restaurants were compromised, not long after it was acquired by Amazon. Customers who placed an order via Pizza Hut’s website or mobile app might have had their information exposed.
This led to a discussion in our office. In just a few years, the perception of a breach has shifted from a huge faux pas that can potentially tank a brand to a bad-but-almost-understandable occurrence. Have we just accepted that data breaches are more common now? According to my officemates, yes. Well, kind of. We as consumers are more aware of them, if nothing else. After all, the average American is hit more than 10,000 times a day, according to Schulman. He rattled off some more eye-opening stats: A consumer identity is stolen every two seconds. And 39% of Americans have been a victim of a cybercrime in the last two years.
But it’s the response from execs that can make or break the public perception of the breach. A quick poll of the office made one thing clear: Silence is the worst possible response. Consumers want as much transparency as legally possible (we aren’t unreasonable—we know there’s always an ongoing investigation). We want to know, as soon as possible, that there was an attack and personal information was compromised. We want to know the brand is taking action to figure out where there was a lapse in security. And, above all else, we want to know that the brand is sorry and plans to take action. Maybe, if those things are said, a cybersecurity issue won’t be as awful for an operation, after the fact.
Don’t get me wrong—a hack will still suck for business. Heck, retail giant Target agreed just this May to pay $18.5 million in a multistate settlement for its 2013 data breach. But so much of what may coax customers to come back to a brand is in the reaction of the top dogs at the most critical moment.