Restaurants Beware: Hackers are Hungry!

Restaurants, pubs and diners all over the country serve hungry and thirsty people every day. From white tablecloth establishments to the local taco joint, almost all restaurants take credit/debit cards for the vast majority of their payments. One swipe and customers go on their way. Behind the scenes, however, restaurants nationwide are suffering at the hands of cyber thieves who target them in an effort to steal their treasure trove of daily credit card information.

A recent VISA report indicates that restaurants now account for close to 73% of the data breaches in the United States. Why restaurants? Low effort—high yield. The smaller the better! Cyber thieves know that the smaller the establishment, the more likely it is to have weak security in place and the more vulnerable it will be to an attack. With a single hack, a thief can reap a whole day’s worth of stored credit card data, while a continual harvest can produce months and even years of data. How is this possible? Thieves break through weak firewalls, take advantage of the all too common use of default passwords, and hack into one web-connected device (such as security cameras, payment processors, computers, DVR, WiFi). When the systems are not segmented, meaning all web-based systems can talk to each other, the thieves can then access all the other systems from that one device. Once in, thieves can steal current data or install malicious software (“malware”) on the establishment’s system. This malware allows thieves to routinely access the credit card information that is collected each day. Failure by the establishment to detect and remedy this intrusion can lead to legal liability from customers alleging failure to adequately protect their credit card information.

Companies that have been breached often do not learn of the breach until they are notified by customers who have had their credit cards compromised, or even worse, when Visa/MasterCard detects a pattern of compromised cards from one point of sale and contacts the establishment for reimbursement. Following a breach of customer credit card information, establishments will be required to notify affected customers of the breach. Notification is complicated, costly and must be done in a timely manner. Often, the after-effects of a breach include significant IT costs to remedy the breach, determine what information was compromised, and repair the system. Lawsuits by customers and a significant drop in business revenue are also common, so there’s significant exposure to both first and third party loss.

Why are these types of breaches on the rise? Because hackers and thieves can earn quick cash. The going rate on the black market for credit card information is about $20 per card. Not bad for a day’s work! (or not having to do a day’s work…)

Restaurant owners should take heed and take the security of their clients’ information very seriously. Establishments that process credit card information should review their security systems, update antivirus software routinely, and train employees on security and best practices, in addition to considering a risk management plan that would include a network security and privacy policy (“Cyber Insurance”).

As restaurants are a growing target for cyber crime, if you have restaurant clients (or other clients that take credit card data) you should consult with them about their risks and liabilities. Based on their risk tolerance, consider whether the risk of being a victim of cyber theft is a risk they want to self-insure, or whether they would prefer to outsource this exposure via a Cyber/Network Security policy. In today’s high tech world, a well thought out risk management plan is invaluable and should work in conjunction with Cyber/Network Security insurance, as no computer system, regardless of size or sophistication, is 100% hack-proof.

A well-tailored cyber policy can provide a restaurant that experiences a breach with a forensic expert who will examine its systems to find out how and when the breach occurred, determine what information was compromised, and assist in notifying the affected individuals in accordance with applicable state breach notification laws. Depending on size and revenues, cyber policies can be as cheap as $1,000 and provide $1M in coverage.

If your clients don’t want to shoulder this risk alone, having a Network Security/Cyber policy is prudent.

Hackers are just like the rest of us: they like to eat! Take precautions so your restaurant clients are not the ones that feed them. In the event that hackers get hungry at one of your clients’ establishments, strong security controls and vigilance, combined with a well-drafted cyber policy, can prevent what otherwise could be a devastating blow to a small eatery, franchise restaurant or family diner.

This article was authored by:
Laura Zaroski, Esq., VP of Management and Professional Liability at Socius Insurance Services, a wholesale broker, located in the Chicago office. Laura can be reached at 312.382.5373 or


Effect of the New Medical Marijuana Law on Employers in Illinois

Last year, Illinois passed a “medical marijuana” law that became effective January 1, 2014, known as the Compassionate Use of Medical Cannabis Pilot Program Act, 410 ILCS 130/1, et seq. The Act allows doctors to recommend and certify the use of medical marijuana by patients who are under the doctors’ care for certain qualifying medical conditions, which are listed in the Act. The patient must then register with the Department of Public Health (“DPH”) for status as a medical marijuana patient under the Act. The earliest patients will be able to register with the DPH is April 2014, the current deadline by which several Illinois governmental agencies must institute regulations regarding patients obtaining registration cards and regarding licensure for dispensaries and cultivators. However, the exact contours of the regulations surrounding this new law remain to be seen and the details of that law have left some employers in a haze.

Certain rights of employers are affected by the Act, but in other ways, it will be business as usual for employers. Most notably, employers cannot discriminate against a registered patient on the basis of his or her registration (in most cases). This mandate may require employers to reconfigure their drug policies and/or certain provisions in their employee handbooks in order to ensure compliance with the Act. Also, it will require management training to educate managers and supervisors on the new obligations. Contrary to what you might first think, the Act still permits employers to operate a Drug Free Workplace. Employers are allowed to prohibit possession or consumption of marijuana on their property. Further, the Act specifically allows employers to enforce work rules, give drug tests, and discipline employees exhibiting signs of impairment while at work. Employees beware! The Act is not a license to possess or be “high” at work.

Based upon the rights that employers still retain, it appears inevitable that sticky issues will arise as the Act is implemented and employers struggle with compliance as well as enforcing their own policies. For example, while the Act expressly allows employers to conduct drug testing, what if an employee’s drug test registers marijuana use, but the test cannot differentiate whether that use was hours, days or months ago? Would refusing to hire that individual be okay as enforcement of a Drug Free Workplace or would that decision be discriminating against an individual for his or her “status” as a registered medical marijuana patient? Moreover, the law allows employers to maintain a Drug Free Workplace “provided the policy is applied in a non-discriminatory manner.” It is unclear whether patients will be able to assert disparate impact claims arguing that employers’ facially neutral workplace policies have a statistical impact on their “protected class.” Additionally, the law requires that an employee disciplined for exhibiting signs of impairment must be given an opportunity to contest the basis for the determination, but the law does not provide any guidance as to what type of procedural protection the employee must receive. Finally, it is unclear what, if any, interplay this Illinois law will have with the federal Americans With Disabilities Act.

Unfortunately, we believe that many of the gray areas surrounding the Act will likely be resolved through future litigation. In order to make sure your clients are prepared to deal with the mandates of the new Act, we suggest that you have a lawyer review your policies and procedures and provide training to your management personnel. Also, ensure that your clients have a robust Employment Practices Liability policy in place that will respond and defend the employers in case they are faced with a discrimination suit in relation to violation of the Act.

This article was authored by:

Laura Zaroski, Esq., VP of Management and Professional Liability at Socius Insurance Services, a wholesale broker, located in the Chicago office. Laura can be reached at 312.382.5373 or

Joseph Gagliardo, Esq., Managing Partner of Laner, Muchin, Ltd., Chicago, Illinois, a law firm specializing in employment practices, assisted by Sara Yager. Joe can be reached at 312.467.9800 or


Socius Turns 17!

Today officially marks the 17th anniversary of the formation of ECM Insurance Services, LLC, what is now known as Socius Insurance Services, Inc.

From our original home base at Howard St. in San Francisco, we have now established regional offices in Los Angeles, Sacramento, Elgin, IL, and Tampa & Miami, Florida. Here at Socius, a derivative of the Latin word meaning “partner,” we have no plans of slowing down in the near future. Our mission is to work in partnership to find solutions for your clients’ insurance needs. We pride ourselves on a collegial atmosphere, competitive benefits, offsite company volunteer activities and an employee wellness program.

Thank you to everyone who has contributed to our success and landed us where we are today, after an unforgettable 17 years.

Congratulations team and cheers to 17 more!


Is Your Business Located in a “Risky” State for Employee Lawsuits?

Not all states are created equal, especially when it comes to employee lawsuits. A new study of employment practices litigation (EPL) data by Hiscox found that some areas are at a higher risk than others. “The study analyzed recent employment discrimination charge receipts by state at the federal and state commission levels focusing on establishments with more than 10 employees in each state.”

According to the results, “a US-based business with at least 10 employees has a 12.5% chance of having an employment liability charge filed against them.” The study also found that the location of the business can increase or decrease your chance of employee lawsuits. The top five riskiest areas of the US include: California, Illinois, Alabama, Mississippi and the District of Columbia.

To read the full article, please visit