Information Security

To protect our businesses and our customers, we are dedicated to maintaining the highest levels of cybersecurity throughout our operations. Our Chief Information Security Officer (CISO) and Chief Technology Officer (CTO) manage our network operations and software development across corporate and franchise locations. They provide regularly scheduled information security updates to the Board of Directors’ Audit Committee, which is composed entirely of independent members and is tasked with risk monitoring and mitigation activities in connection with information security risks. The CISO and CTO also provide annual updates to the entire Board of Directors reviewing incident reports, security strategies, and tests conducted at a minimum annually for cyber threat risks. Two members of our Board of Directors have prior information security experience.

Our Information Security Policy provides guidance on the requirements necessary to ensure the security of JACK data, systems and networks. It applies to all individuals who access IT resources or data owned by the company. We use commercially reasonable efforts to follow industry standards and best practices, including the NIST Cybersecurity Framework, for our IT Security Incident Response Plan.

Our technology structures undergo an annual assessment by a third party to evaluate risk using the NIST Cybersecurity Framework. The IT Security Incident Response Plan defines a cybersecurity incident and outlines the roles, responsibilities and procedures for us to respond effectively. Having a structured plan enables a rapid response, effective recovery, clear communication and coordinated action to major security incidents. Our plan allows us to reduce recovery time and cost and also maintain business continuity.

Our IT Application Security Program includes reviews and assessments of security vulnerabilities and remediation. We use commercially reasonable efforts to update security systems regularly to protect against known vulnerabilities. We plan to perform vulnerability scans at least quarterly and penetration testing at least annually as well as after any significant infrastructure or application modification. Whitebox and blackbox security testing and manual penetration testing are performed to monitor security controls and defenses.

All employees and third-party contractors with access to JACK IT infrastructure must annually acknowledge that they have read and understand the IT User Acceptance Policy. Employees and contractors must also complete information security awareness training upon initial hire and annually thereafter.

To our knowledge, we have not experienced any information security breach in the last three years. We maintain an appropriate Cyber/Breach Response insurance policy in the event any breach were to occur.

We have measures in place to protect the confidentiality, integrity and availability of franchise and customer information. Most personally identifiable information (PII) handled by our restaurants is associated with payment cards, which are predominantly protected by an EMV chip reader that encrypts and tokenizes customer data, so it passes through our networks without retaining any personal information. JACK does not store any credit or debit card information from customers. All information is processed through a third-party firm. To maintain the safety and security of our customers’ private payment information, we follow the Payment Card Industry Data Security Standard (PCI DSS) to ensure our processes and systems are well equipped for proper data protection. Employees and third-party contractors with access to the JACK cardholder data environment (CDE) or systems used to support the CDE complete annual PCI awareness training. JACK corporate restaurant employees also receive periodic security training on devices that capture payment card data.