Tim Hortons Restaurant Franchisees Threaten to Sue Over Breach

What happens if you are a restaurant and your cash register system gets hit by a virus?  Short Answer:  You close the doors and turn off the lights.

That is exactly what happened hundreds of Tim Hortons restaurants in Canada.  Apparently Tim Hortons is something like a Dunkin Donuts serving coffee, donuts and some light food, but this week many are not serving anything.

The chain, which has over 4,000 stores in Canada, was hit by some form of virus which targeted their Panasonic cash register systems.  No cash registers, no sales.

Franchisees, which, apparently, are forced to use systems provided by the parent company Restaurant Brands International or RBI, are, not surprisingly, unhappy.

The Great White North Franchisee Association, which represents the majority of the franchisees in Canada, has sent a letter to RBI which blames RBI for the malware, demands financial compensation for lost sales, wages to employees who could not work, reputational damage and spoiled food.

GWNFA says that if RBI refuses to meet with them by tomorrow (they sent the letter earlier in the week), they will file suit against the franchisor.

Since the parent company (the franchisor) is dictating the cash register systems and, apparently, responsible for them, it is not completely unreasonable they the courts could rule that they are financially responsible for the franchisees’ losses.

The Franchisees are saying that Restaurant Brands has “deficient” IT practices.

I have no clue which side is right in this particular battle, but it seems like hospitality chains in general, which seem to get hit with malware regularly, are not placing a high enough priority on cyber security.

According to RBI, most of the stores are back open again, but that doesn’t address the costs that the franchisees were hit with.

Couple of thoughts –

Given that malware in hospitality seems to be a given and also given that having a working point of sale system for a fast food restaurant is critical, not having a business continuity plan, or at least one that worked, is kind of a problem.  Do you have a tested business continuity plan?

It would also appear, given that they are asking the franchisor for compensation, that they didn’t have cyber risk insurance.  If they did, it should have covered lost income, wages, spoiled food, etc.  The insurance company would then pay the claims and the insurance company would sue the parent company, if they thought the parent was responsible.  Not having cyber risk insurance these days is like playing Russian roulette with at least 3 bullets – playing really bad odds.  Do you have the appropriate cyber risk insurance?

Every business should be planning for how to deal with a cyber attack unless using computers is not important to the continued operation of the company – and that, probably, is a very small percentage of the businesses.  PLAN NOW OR REACT LATER.  Reacting is, likely, not going to be very pretty.

Information for this post came from CBC and NARCITY.

Leave a Reply

Your email address will not be published. Required fields are marked *