Four quick news tidbits

Bagging bags in Calif.
Restaurants in California’s Santa Clara County will be forbidden to provide plastic bags for takeout, delivery or leftovers after April 22, an apparent first for the industry.

The plastic-bag giveaway ban, which has been in effect since January for supermarkets and c-stores, is intended to cut litter. Proponents had argued that the measure would also protect sea animals from ingesting bags that blow out to sea. Before the law was extended to include restaurants, proponents cited research indicating that 75% fewer bags were blowing onto the county’s beaches.

The hope is that consumers will get into the habit of bringing their own reusable bag to establishments, a common practice for retail shoppers in many parts of Europe.

Santa Clara was one of the first jurisdictions in the country to ban polystyrene takeout containers.

Eat your greens, Jared
Look for Subway units in New York to try tossed-to-order chopped salads. The lunchtime entrees, prepared while customers walk down a line to specify what they want in the salad, are supplanting sandwiches as the lunchtime staple for Manhattan office workers. You can now even get one from a Duane Reade drugstore.

Another seafood item for McD’s
McDonald’s, meanwhile, is widely reported to be working on a second seafood item, a shareable product called Fish McBites, patterned after Chicken McBites. The only other fish item on the burger giant’s menu is the Filet-O-Fish.

Hand me another For Sale sign
Add Checkers/Rally’s to the list of restaurant chains that are being shopped around. Other brands on the block reportedly include Mimi’s Café, Einstein Noah Restaurant Group, Houlihan’s and Taco Bueno. 

Seeing red over doing good

For bulls, it’s a red cape, for werewolves, a full moon, and for linebackers, a football in the other team’s hands. If there’s a trigger that turns restaurateurs into mad, snorting beasts, it has to be the suggestion they do some social engineering because do-gooders think they should.

If Rosetta Stone wanted to add an Advanced Cursing language course, all it’d have to do is turn on a digital recorder and ask a restaurateur, Hey, couldn’t you do more on your menu to promote health? Or counter obesity? Or assist the working poor? Or help foreign-language speakers learn English?

The answers would be too extreme for a Sailors’ Cussing and Swear Words blog. For this more genteel niche of the blogosphere, suffice it to say the comebacks would range from, “Have you lost your friggin’ mind?” to “Kumbaya this!” [Insert corresponding hand gesture here.]

Mix in a few snipes about being business people, not sociologists or Mother Teresas, season it with a few muttered assertions about creeping communism, and you’ll have the dynamic we’re always covering online and on our pages. Because of the restaurant industry’s size and social penetration, someone is always proposing that it be a means for achieving some profound public good. And the business pushes back because that noble objective typically runs contrary to a profit motive.

Contrast that reflex with the mindset evident in foodservice operations that feed grade-schoolers, college students, hospital employees and staff, and company employees. FoodService Director, a sister magazine that serves the so-called non-commercial market, is constantly reporting on the efforts of high-volume facilities to feed kids a breakfast they’re too disadvantaged to get at home, or to make sure the clienteles eat fresher, more local and generally healthier fare.

Schools and colleges are planting gardens as an education tool and vegetable source, healthcare facilities are teaching elders how to cook nutritious meals for themselves, and green efforts across the board go much further than what’s done in the commercial sector.

In an upcoming issue of FoodService Director, you’ll read about a school foodservice director who started a new job by defining what constitutes good food and then revamping the recipes to fit his criteria—standards like no added sugar, and zero trans fats.

Restaurateurs dismiss that social sensitivity as a luxury enjoyed by professionals who don’t have the profit pressures that govern a street operator’s life. In that view, non-commercial foodservice is an amenity for the host site, not a moneymaker.

The notion is as antiquated as a hand-cranked eggbeater. Today, foodservice directors have to be mindful of what their charge is contributing to their employer, be it a college, school, or contract management concern.

The thresholds for revenues or traffic—participation, in non-commercial-speak—may not be as high as they are for restaurants. Ditto for the profits.

That still doesn’t explain why the director of a super-high-volume college operation would look at the windows of his dining room and think, Hmmm, what a good place for a hydroponic garden. You’ll read about that in an upcoming issue, too.

There’s more to the discrepancy than merely a difference in financial pressures. Perhaps the greater sensitivity is a result of dealing every moment with clienteles that need to be protected or nurtured—school kids, or young adults, or the ill and infirm.

Whatever the reason, non-commercial foodservice is proving that larger world issues don’t have to be ignored in the pursuit of sales and profits. Indeed, some of the most talked-about concepts on the restaurant side are underscoring the point—newcomers like LYFE Kitchen, or New Age strategists like Chipotle and Starbucks.

Where exercising that consciousness is feasible, it’s a happy situation indeed. It’s no bull, or certainly no reason to wave a red flag.

Restaurants' new food-safety-scale worry

It’s time to play Guess That Threat. Let’s skip right to the bonus round.

Contestants, here’s the question: What seldom-encountered but ever-looming threat can put a restaurant out of business with a single incident?

If you answered “food-borne illness,” you lose even the lovely parting gifts. But consider yourself lucky that experience hasn't burned the correct answer into your brain. Then you’d be among the small but growing number of restaurateurs who’ve learned how hackers can devastate a business by swiping guests’ credit card info.

The oblivious might find out when grim-looking people with wires in their ears show up at the front door, flashing Secret Service credentials. Or when they’re hit with six-figure fines from their credit-card company or bank. Those blows to the bottom line would be in addition to the 16% of clientele that experts say a retail business typically loses after a data theft.

“Stealing credit cards is big business,” Brad Cyprus of VendorSafe Technologies told the seemingly chilled audience at the FSTEC foodservice technology conference this week. “This is no longer some college students hacking into your computers. This is organized crime.”

Cyprus’ company sells data-security devices to restaurants, so he has a business reason to sound the alarm. Yet his warning was relatively mild compared to the ones delivered by other speakers at the conference.

Then there was the video about a two-unit operation called Spanky’s, which had to close because fines and fees were running into the hundreds of thousands. The proprietor explained on camera that she’d assumed the restaurants were safe from a security breach because they’d just been outfitted with new POS and computer equipment. She didn’t know she’d been hacked until the affected parties started demanding make-good payments.

As Cyprus and others explained, data crooks spend millions of dollars today on programs and technology to swipe passwords. Then they slip inside a restaurant company’s protected computer files and patiently harvest credit card information over a period of weeks or months. It’s not a rip-and-run situation, like you see in the movies. The hacked operation may not know it’s been robbed until the data is sold and customers start screaming about the outrageous charges on their monthly bills.

Once the intruders find a way into the technology of a certain chain, they’ll proceed franchisee by franchisee or restaurant by restaurant, quietly robbing data until the alarm is sounded.

Other times, restaurants help the thieves by failing to reset the password that allows employees to enter a new system. Seventy-five percent of the restaurants whose data was stolen were still using the default passwords left by their vendor, according to the Secret Service, which has jurisdiction over card data theft. Default passwords are usually meant to be simple, memorable series of numbers or letters—something as obvious as 1-2-3-4 or the start of the restaurant’s name.

Once they crack the code, the hackers surf the vendor’s website for mentions of other restaurants serviced by the company, recounted Dave Matthews, CIO for the National Restaurant Association. Then they see if those places failed to reset their password, too.

If a restaurant is hacked, the operator, not the credit card company or the bank that issued the card, is in the crosshairs. Despite the lobbying efforts of the NRA and its allies on the matter, the laws and regulations specific that “all of the costs can be transferred down to you as the merchant,” said Matthews.

Restaurants are vulnerable in part because this is something beyond their ken. “You know restaurants, not data security,” noted Matthews. “You are not the bad guys. The bad guys are the crooks out there."

Another big reason for the industry’s vulnerability is trust where it’s not due. Restaurants buy the technology to safeguard their data, but they don’t ask the installer if it has followed the best practices recommended by the technology’s supplier. They may have left some backdoor entries.

Hackers are also adept at finding new ways to swipe data. Operators have to install the update patches recommended by their vendors to safeguard data, or to do the upgrades their POS vendors advise. Operators typically grumble about the revisions, damning the suppliers for trying to snag a few more dollars.

Get over it, the speakers advised. Keep your protections current through constant upgrades, because the thieves are constantly finding new ways to bust you. You should be as vigilant as you are about food safety, they agreed.

Matthews aired a practical list the NRA has just developed to help restaurateurs safeguard customers’ information.

“Unless you have a support staff or unless you have a trusted advisor, don’t try to do this yourself,” he advised. “You just won’t get it.”

The precautions that he urged restaurants to make part of their standard procedures:

1)   Install and maintain a firewall configuration to protect cardholder data. “You need to get this done,” he Matthews stressed.

2)   Do not use vendor-supplied defaults for systems passwords. Reset them immediately.

3)   Protect cardholder data by not storing it. “Get rid of it—you don’t need it anymore,” said Matthews. If an operation needs to retain it for some reason, encrypt the data. 

4)   Encrypt transmission of cardholder data across open, public networks. “I don’t expect any of you restaurateurs to know what that means,” but a technology specialist would understand, Matthews said.

5)   Maintain a vulnerability management program. Use and regularly update anti-virus software. In addition, develop and maintain or purchase secure systems and applications, and make sure they’re updated.

6)   Implement strong access control measures by restricting access to cardholder data. “That’s a fancy way of saying, ‘Make sure everyone has a unique password,’” explained Matthews.

7)   Regularly monitor and test networks and security systems with external scans.

8)   Maintain some form of an Information Security Policy, a HAACP for technology. 

“Be aware of what you have to do,” advised Matthews. “View this as food safety. It’s risk management and risk mitigation for your business.”

Restaurant technology playing catch-up?

Imagine if the course of food trends was suddenly reversed and home kitchens became the place where cutting-edge culinary ideas were hatched and advanced. In that alternate reality, restaurants would be the followers, hoping to catch up with customers who were more inventive and advanced.

Cue Rod Serling, because that’s exactly the Twilight Zone that restaurants have entered with technology. The youngsters coming through the front and back doors are lugging more sophisticated yet easier to use devices than what they wield on the job.

That was one of the more surprising observations of the panel that kicked off today’s FSTEC conference, a shopping and idea-sharing event for the tech specialists of the restaurant business. 

“This ‘consumerization’ of technology is something we see as a stealth issue right now,” said panelist David Matthews, the chief information officer of the National Restaurant Association. “When your customers are bringing better technology to the workplace than the restaurant has, that’s a problem for us.”

Agreed Don Zimmerman, the CIO of Wendy’s: “Anytime that consumers have better technology in their hands than we do in our restaurants, that’s a potential that we not only have to address, but that could potentially harm us.”

Consider, for instance, the social-media implications. Customers and employees likely have very effective equipment to tarnish a restaurant’s reputation, using nothing more than a smart phone and the smarts they’ve developed through extended practice. What do restaurants have in the way of know-how and technology to avert being slimed?

“For them, technology is second nature,” remarked Kelly Maddern, the newly appointed CIO of Burger King.

Rob Grimes, FSTEC’s host and presenter, described how an unnamed restaurant chain wanted to require employees to use their own phones for work purposes, the way delivery drivers use their own cars. He suggested that it could be the model of the future, with the order placement function of a POS system replaced by an app that employees download.

The panelists disagreed, though Matthews suggested that tablets might supplant the sort of hardware component of today’s POS set-ups. That way, he explained, restaurateurs would only have to focus on selecting the right software.

BK’s Maddern concurred, to a point. The hardware component of tomorrow’s POS systems will be largely irrelevant, she asserted. “We have to continue look at the software side,” she said, with the search focused on what’s easy to deploy and “easy to use, so your employees can use it.”

I’ll be tweeting and blogging from FSTEC through Tuesday. E-mail me at promeo@cspnet.com if there’s something in particular you’d like me to cover, or anything you’d like me to ask of the show’s presenters and vendors.