Restaurant businesses deal with a large amount of personal data.

The National Restaurant Association released a must-read guide for restaurant operators on how to increase their cybersecurity efforts.

Franchising, Licensing & Distribution partner Eleanor Vaida Gerhards explains on the Franchise Law Update blog how the guide takes the cybersecurity framework prepared by the National Institute of Standards and Technology and adapts it for use in the restaurant hospitality industry.

Because restaurants have to handle the personal information of their customers, they’re constantly at risk for data compromises that carry heavy fines.

Even the most cyber savvy restaurant systems should find the guide full of useful information. Access the guide and read Eleanor’s full post here.

When it comes to cybercrime, not even your favorite app store is safe.

The International Business Times reports that fake mobile applications carried by the most popular app stores often pose phishing and malware threats. Hackers create the apps to control parts of users’ mobile phones, flood devices with spam ads and steal personal information.

They’re not always easy to spot. The more sophisticated counterfeits are designed to resemble legitimate games, e-commerce portals and social media apps. A fake version of WhatsApp, named “Update WhatsApp Messenger” had more than one million downloads before it was flagged and removed from one provider’s app store.

For information how to recognize fake apps and tips for users who have already made the mistake of downloading one, click here to read the full story.

A new study notes that despite record spending on cybersecurity, overconfidence may be hurting companies’ ability to protect against data breaches.

Tech publication Information Week reports that the survey of IT professionals, by security firm Gemalto, showed that while 94 percent of respondents said their perimeter security was effective, nearly a third reported breaches within the last 12 months. Surprisingly, 14 percent said they would not trust their own organization to safeguard their personal data.

Why the disconnect? Experts interviewed by Information Week chalked it up to a lack of understanding of cybercrooks’ motivations, and a general lack of knowledge about cybersecurity in corporate C-suites. Click here to read the full story.

With tax season in full swing, a different season is impacting businesses across all industries: “phishing season.”

Phishing scams
Copyright: fberti / 123RF Stock Photo

“Phishing” or “spear phishing” refers to cyberattack scams that target certain individuals within an organization with the hope of gaining access to valuable information.

These scams take advantage of the busy tax season, the desire to promptly respond to purported upper management and social engineering employees in order to target and trick only employees with immediate access to sensitive employee data. These scams have spread to a variety of for-profit sectors and even nonprofits and school districts.

Spear phishing attacks are virtual traps set up by criminals who, in this case, send emails to employees that appear to come from actual upper management. Typically, they are well-written and look authentic. Usually, there is some explanation or pressing reason offered for why personal information is required. The targets have increasingly become payroll and human resources personnel with the goal of stealing employees’ W-2 information during tax season.

Roughly 100 businesses with more than 125,000 employees were victims of phishing scams last year. This year has already seen a dramatic increase in phishing scams, as approximately 80 businesses have already been targeted during tax season. These are only the businesses that reported phishing scams, and the real number is certainly dramatically larger.

The IRS has previously stated that tax season is likely partly responsible for this surge in phishing emails. Last year, the IRS issued an alert to payroll and human resources professionals about emails purporting to be from company executives requesting employees’ personal information.

“Now the criminals are focusing their schemes on company payroll departments,” said IRS Commissioner John Koskinen. “If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees.”

The IRS bulleted some of the requests contained in these fake emails:

  • Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
  • Can you send me the updated list of employees with full details (name, social security number, date of birth, home address, salary).
  • I want you to send me the list of W-2 copy of employees wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me ASAP.

No organization is immune during phishing season. Last year a large social media provider issued an apology and offered two years of identity theft insurance and monitoring after one of its workers inadvertently released sensitive company payroll information to a criminal. The unidentified employee opened an email that appeared to be from the victim company’s CEO. Although none of the company’s internal systems were breached and no user information was compromised, hundreds of employees had their personal information exposed to the public.

The FBI has also warned the public and has published suggestions to avoid becoming a victim during phishing season, including:

  • Keep in mind that most companies, banks, agencies, etc., don’t request personal information via email. If in doubt, give them a call (but don’t use the phone number contained in the email — that’s usually phony as well).
  • Use a phishing filter. Many of the latest web browsers have them built in or offer them as plug-ins.
  • Never follow a link to a secure site from an email. Always enter the URL manually.
  • Don’t be fooled (especially today) by the latest scams.

The Minnesota Department of Revenue recently announced its excellent Stop. Connect. Confirm. program. From the Department of Revenue’s announcement:

When a request for private/sensitive information is made, Stop. Connect. Confirm.

  1. Stop – Stop for a moment before complying with the request and sending that information.
  2. Connect – Connect with the person who sent you the request by phone or by walking over to see them. Do not respond to the email to get confirmation of the sender’s identity. The sender may be a criminal who has disguised his or her identity by spoofing your colleague’s email address.
  3. Confirm – Confirm with the executive requesting the information that the request is legitimate.

Businesses can download and print this poster and display it in their human resources and payroll departments to remind employees to Stop. Connect. Confirm. if a request for employee personal information is made.

If your employer notifies you that your W-2 or other personal information has been compromised:

  • Review the recommended actions by the Federal Trade Commission at or the IRS at
  • File a Form 14039, Identity Theft Affidavit if your tax return is rejected because of a duplicate Social Security number or if instructed to do so by the Internal Revenue Service.

More of these attacks should be expected as tax season, and phishing season, continue, so organizations should be vigilant about ensuring that all employees are aware about phishing scams.

Earlier this week, the Wall Street Journal (subscription required) and The American Lawyer (subscription required) both reported that well-respected large law firms Cravath, Swaine & Moore and Weil, Gotshal & Manges had been hacked in incidents dating back to last summer.  They’re not alone; other major law firms were also the victims of breaches.  Further details provided by The American Lawyer and a Crain’s Chicago Business article suggest that a Russian cyber-criminal named “Oleras” targeted the mergers & acquisitions practices of about 50 law firms for the purposes of insider trading. The attacks took multiple forms, both directly on the firms’ networks and indirectly through sophisticated phishing techniques targeting select employees.  Both firms hold highly valuable trade secrets and information on undisclosed mergers that could be garnered and misused through access to documents residing in firm systems – share purchase agreements, merger agreements and letters of intent, for instance.

Malware and Ransomware conceptGiven these developments, it is time for U.S. businesses to think beyond identity theft when considering data security. Though individual health and financial data remain a significant concern, data security increasingly requires protecting extremely valuable business information from economic espionage. The potential dollar value of the information gained by criminals in these attacks could easily amount to hundreds of millions of dollars and surpass that of major data breaches in other industries, such as retail.  In this case, the intellectual property at risk was business, financial and strategic in nature. However, technical research and development information has the potential to be even more valuable.  For example, imagine the value of learning about an advance in quantum computing technology before the public.  Keeping this scenario in mind, companies should remain vigilant and proactive in securing their networks and training employees to spot phishing attacks and other malicious communications.

The IRS announced in August 2015 that credit monitoring and other identity protection services following a data breach are not taxable. It has now expanded the decision to include identity protection services offered prior to a breach occurring.

Comments received by the IRS showed that data breaches are a significant concern for companies. Despite increased efforts for data breach prevention, companies must face the reality that breaches are bound to happen. An increasing number of organizations are providing identity protection services to employees before a data breach to help detect problems and minimize the negative impact to business operations.

The Treasury Department and the IRS had this to say:

“The IRS will not assert that an individual must include in gross income the value of identity protection services provided by the individual’s employer or by another organization to which the individual provided personal information (for example, name, social security number, or banking or credit account numbers). Additionally, the IRS will not assert that an employer providing identity protection services to its employees must include the value of the identity protection services in the employees’ gross income and wages. The IRS also will not assert that these amounts must be reported on an information return (such as Form W- 2 or Form 1099-MISC) filed with respect to such individuals.”

This is a victory for all sides. Employers can offer services without increasing federal payroll taxes, and employees receive a service free of additional federal tax liability. The IRS did clarify that this does not apply to cash received in lieu of identity protection services or to proceeds received under any theft insurance policy.

On July 20, 2015, in Remijas v. Neiman Marcus Group, LLC, No. 14-3122 (7th Cir. 2015), the Seventh Circuit held that the United States District Court for the Northern District of Illinois wrongfully dismissed a class action suit brought against Neiman Marcus after hackers stole their customers’ data and debit card information.  The District Court originally dismissed the plaintiffs’ claims because they had not alleged sufficient injury to establish standing.  The District Court based its ruling on a United States Supreme Court decision, Clapper v. Amnesty Int’l USA, 133 S.Ct. 1138 (2013), which held that to establish Article III standing, an injury must be “concrete, particularized, and actual or imminent.”

However, the Seventh Circuit clarified that Clapper “does not, as the district court thought, foreclose any use whatsoever of future injuries to support Article III standing.”  Rather, “injuries associated with resolving fraudulent charges and protecting oneself against future identity theft” are sufficient to confer standing.

In Remijas, the Seventh Circuit explained that there is a reasonable likelihood that the hackers will use the plaintiffs’ information to commit identity theft or credit card fraud.  “Why else would hackers break into a store’s database and steal consumers’ private information?” – the Seventh Circuit asked.  The Seventh Circuit held that the plaintiffs should not have to wait until the hackers commit these crimes to file suit.

The Seventh Circuit also considered that some of the plaintiffs have already paid for credit monitoring services to protect their data, which it held is a concrete injury.  Neiman Marcus also offered one year of credit monitoring services to its customers affected by the breach, which the Seventh Circuit considered an acknowledgment by the company that there was a likelihood that their customers’ information would be used for fraudulent purposes.

Ultimately, this decision may serve to soften the blow dealt by Clapper to data breach plaintiffs.  Specifically, based on this ruling, plaintiffs who have not incurred any fraudulent charges, but have purchased credit monitoring services, or have spent time and money protecting themselves against potential fraud may argue that they have standing.

Jeffrey M. Friedman, Andrew M. Halbert and Joseph Superstein write:

What has generally been common practice for thousands of companies may present an opportunity for identity thieves. When a company takes steps to “administratively dissolve” by failing to comply with certain legal or fiduciary duties such as filing timely annual reports, following certain procedural requirements, or paying its taxes, the state in which the company is incorporated may revoke or dissolve the noncompliant company. This approach opens the possibility of a number of problems, including (but not limited to) identity theft.

Copyright: kentoh / 123RF Stock Photo
Copyright: kentoh / 123RF Stock Photo

With proper guidance and advice, the practice of administratively dissolving a company may eliminate several potential vulnerabilities. One of the most overlooked and growing areas of concern is that thieves are targeting “dormant” entities at an increasing rate. Criminals realize that these entities may be vulnerable because they are less likely to be monitored for any business registration activity. The risks associated with not properly dissolving a state registered company may quickly amount to hundreds of thousands of dollars.

Identity theft trends indicate that criminals are looking to exploit state filing systems and business registration websites for financial gain. By filing bogus reports with Secretary of State offices or altering online business records, these criminals have been able to steal considerable amounts of cash and property using fraudulently obtained lines of credit. By altering business records, criminals may appear to have the authority to act on behalf of a victim entity, which in turn, enables them to apply for credit accounts with various lenders, retailers, and suppliers. In one case, according to an Atlanta TV news segment, a Georgia-based music company became the victim of a corporate identity theft scheme similar to that described above in which the thieves ran up nearly $300,000 in fraudulent credit card transactions. Creditors attempting to verify application information may face difficulties immediately detecting fraudulent activity because the business records on file with the state have been altered to match the fraudulent credit application.

To avoid the unnecessary exposure and risk of identity theft, we are now advising our clients to take the appropriate affirmative steps in order to voluntarily and safely dissolve their business without being left vulnerable to such criminal activity.

Jeffrey M. Friedman is a partner, Andrew M. Halbert is an associate and Joseph Superstein is a summer associate in Fox Rothschild’s Chicago, IL office.


With the amount of commerce conducted through networks increasing exponentially each year, the importance of implementing robust cybersecurity polices is as critical as ever. Just last month, the Congressional Research Service released its paper about cybersecurity information sharing and how this helps companies decrease preventable breaches. Coupled with industry research, the paper is a must-read for industry leaders of any business dealing with Internet-based transactions.

How Security Breaches Impact the U.S. and World Financially 

Data privacy and securityThe Center for Strategic International Studies places cybercrime between $375 and $575 billion globally per year. This estimate takes into account hundreds of millions of people who have had personally identifiable information (PII) stolen, plus damages incurred by companies and the global economy. The 2014 Ponemon Institute Cost of Cyber Crime Study calculated an average increase for cybercrime cost for U.S. companies of 9% from 2013 to 2014. These numbers are only expected to grow.

Cybersecurity Information Sharing

Information sharing about new threats, best practices and industry trends is beneficial:

  • Small businesses can prepare for and protect against attacks.
  • Information sharing can positively impact the reputation of a company in the industry. Having a reputation as a solid corporate citizen will encourage other companies to do the same.
  • Money saved on security development may be diverted to other security measures or company needs, thus preventing duplication of work.

Corporations Hesitant to Share Information

Companies have shown a reluctance to share information due to concern about violating privacy and antitrust laws. The government recognizes these concerns and “provided guidance that will not consider generally accepted cybersecurity information sharing to be anticompetitive behavior.” (Congressional Research Service paper, P.4)

Additionally, concerns exist regarding decreasing sales numbers and falling stock prices. Companies hit by data breaches have experienced mixed stock results: some saw increasing stock prices within a three-month period post-breach, occurred, while others saw stock prices plummet during the same period.

Methods for Sharing Cybersecurity Information

Publicly traded companies are required by the SEC to reveal information with “substantial likelihood that the disclosure of the omitted fact would have been viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available.” It is important to note that neither the SEC nor courts have mandated when companies need to announce such information.

The Information Sharing and Analysis Center (ISACs) program was enacted in 1998 so that private sector, nonprofit member entities could collect, analyze and share information. ISAC groups exist for different industries, and they share information anonymously with government and other ISAC group members. Membership cost is dependent on a company’s desired membership level.

Congress has attempted to pass legislation to give companies incentives for information sharing. Three bills have unsuccessfully been introduced during 113th Congress.

In Summary

  • Increasing cybercrime has resulted in billions of dollars lost in the global economy.
  • It behooves companies to share cyber crime information to prevent future attacks, reduce expenses and build a positive industry reputation.
  • ISACs provides means of sharing information anonymously with the government and other industry players.