Cybersecurity and Franchising: How to Protect Your Brand While Avoiding Vicarious Liability

By: F. Georges Sayegh, S.A.D., FCMC

In recent years, ransomware and other cyberattacks have become the enemy of today's data-driven organization. Attacks are increasingly destructive, driving up the cost per attack to millions of dollars. Cyber threats come in many forms, and attackers are using multiple techniques and platforms. It's not a matter of "if" an organization will be targeted by cybercriminals, but rather "when." Cybersecurity breaches have increased, involving, among others, notable franchise networks such as Dairy Queen, Supervalu, Jimmy John's sandwich shops, Goodwill, and UPS.

Malicious software (malware) often changes configurations before corrupting data. These data breaches are increasingly costing companies in a variety of ways such as recovering (or deleting) lost records, paying for legal defense and settlement, notifying those affected by the breach, and providing credit monitoring services to affected customers or employees. In addition, not having sufficient data security in place, whether or not there is a breach, or using consumer data inappropriately can result in significant liability. Most importantly, the loss of brand reputation can have a negative impact on the entire franchise network that the franchisor has taken years to build.

The cost of reputation is particularly important to franchisors because their most critical assets are their brands. Franchisors often operate in industries with highly competitive brands, where consumers can easily shift their business elsewhere. In the event of a breach, customers are unlikely to distinguish between the franchisor licensing the brand and the franchisee operating their business using that brand. Therefore, a breach at the franchisee level, having little or nothing to do with the franchisor's actions, can discredit the reputation of the entire brand in the public eye and drastically impact the bottom line of the entire franchise system.

With cyberattacks occurring every 11 seconds, according to the latest data breach report released by IBM and the Ponemon Institute, the cost of a data breach in 2021 was US$4.24 million, a 10% increase from the 2019 average cost of $3.86 million.

The average global cost of cybercrime was expected to peak at US$6 trillion annually by the end of 2021, driven by the proliferation of ransomware attacks.

The Ponemon Institute and IBM Security report takes hundreds of cost factors into consideration, ranging from legal, regulatory, and technical activities to loss of brand equity, customer churn, and drain on employee productivity.

The latest FTC report on types of identity theft tells us the following:

  • Credit card fraud (new and existing accounts) - 32.3%.
  • Other identity theft (email or social media, law circumvention, insurance, medical services, online purchases or payments, securities accounts, other) - 26.5%.
  • Loan or rental fraud (apartment or home rental, auto loan, vehicle rental, business loan, student loan, home loan) - 14.4%.
  • Telephone and utility fraud (landline phone, cell phone - new and existing accounts) - 11.0%.
  • Bank fraud (debit cards, electronic funds transfer - new and existing accounts) - 7.3%.
  • Employment or tax fraud (employment or payroll fraud and tax fraud) - 5.5%.
  • Government document or benefit fraud (driver's license issued or falsified, government benefits applied for or received, other government documents issued or falsified) - 3%.

For these reasons, it is crucial for franchisors to understand the issues posed by cybersecurity and the methods to deal with attacks.

Franchisors have a cybersecurity obligation to their franchisees and consumers. They must be aware that they are managing multiple types of consumer data simultaneously, whether through a centralized database at the franchisor's location or processing data using various devices at the franchisee level. Care must always be taken to ensure that data security and consumer privacy are maintained, particularly with respect to:

  • Credit card processing;
  • Issuing airplane or cruise tickets;
  • Renting an automobile, jet ski or snowmobile;
  • Booking a hotel room;
  • Filling up a gas tank at a gas station;
  • Purchasing a cell phone using a home address and disclosing confidential information;
  • Purchasing a book or a pair of glasses through a franchise network;
  • Buying or renting a computer with a service contract allowing the franchisor's staff to access the customer's data;
  • Having dinner in a restaurant chain;
  • Purchasing furniture in a small or large store;
  • Collecting or processing a patient's medical health information when writing or filling a prescription at a pharmacy;
  • Filing a tax return;
  • Handling a money transfer providing financial services to individuals. 

To list just a few.

Various state and local regulations apply when a data breach affects the parties involved. The burden is on the franchisor to scramble to comply with the various laws or regulations that apply to cybersecurity, whether at the corporate unit level or at the franchisee level. Data breaches also leave franchisors vulnerable to individual and class action lawsuits filed by consumers. These lawsuits are based on various statutory laws and/or case law. The trend in the courts is to be increasingly harsh on these data breaches, and plaintiffs no longer need to show actual harm (such as identity theft) to seek justice.

Given the nature of franchise systems, a franchisor will often mandate the use of certain types of software packages and computer systems that franchisees must use in their locations in order to ensure uniformity and cohesion throughout the franchise system. The downside of this uniformity is the danger of liability being placed on the franchisor if the required computer systems or programs are compromised, although the results of such cases have shown that regulators have not always been successful.

For example, in 2012, the FTC filed a suit against Wyndham Hotels, FTC v. Wyndham Worldwide Corp, Civil Action No. 2:13-CV-01887-ES-JAD (U.S. Dist. Court, DNJ) for failing to maintain the security of the computer system it required franchisees to use to store personal customer information. The court fully released the franchisor from liability for data breaches at Wyndham franchised hotels.

Increasingly, we are seeing clauses being introduced into franchise agreements allowing franchisors to access their franchisees' databases. The larger and still unresolved issue for franchisors is the limits of the franchisor's obligation to monitor the activities of franchisees in their use, disclosure and processing of consumer information. To what extent does "involvement" or "knowledge" make a franchisor liable? In cybersecurity, as in other areas, there is an unresolved tension between franchisors' efforts to maintain their legal separation from franchisees and franchisors' involvement in their franchisees' activities to protect the brand. So, in addition to protecting the value of their brands from cyberattacks and bringing their franchise systems into compliance with data laws, franchisors need to guide – but not overly direct – their franchisees' data practices.

Franchise strategy for strengthening cybersecurity
Here’s a helpful overview of cybersecurity preparedness:

1. Dedicate specific human resources to data security and privacy compliance.

2. Conduct a risk assessment/audit. Map franchise system data by asking the following questions: what information is stored? Who has access? Is it essential? If essential, is it properly encrypted? If it's not essential, should it continue to be stored? Companies should get rid of unnecessary data if it is a reasonable business decision.

3. Involve experts to determine what laws and contractual requirements apply to the franchised system and the data obtained through mapping.

4. Have specialists review the franchise system's data security and privacy policies, create them if necessary or modify them to comply with applicable laws. Ensure consistency between internal policies and policies shared with the public.

5. Select suitable cyber insurance policies for the franchisor and require franchisees to obtain appropriate insurance. Experienced franchise, cybersecurity and insurance consultants as well as risk managers play a critical role here.

6. At the same time, review and update commercial contracts with third parties (e.g., point-of-sale vendors, custom software package providers for a particular franchise network) to ensure consistent and appropriate protection in light of the types of data involved.
 
7. Review the franchise agreement, operations manual, franchisor manual, training manual, network franchise consultant manual, information technology manual, security manual, and any other system documentation for appropriate protections and policies.

8. Adopt a cybersecurity incident response plan.

In Conclusion
With digital transformation and hyperconvergence creating unintended gateways to risk, vulnerabilities, attacks and failures, a cyber resilience strategy is quickly becoming a necessity for any enterprise. A cyber resilience strategy helps the business reduce risk, financial impact, and reputational damage.

Malware often changes configurations before corrupting the data itself. Therefore, it is critical to detect any configuration changes before the actual data is infected. Cyber Incident Recovery's platform configuration feature and others protect configuration data for virtual and physical workloads, applications, storage systems and network devices in onsite, public cloud, hybrid and multi-cloud environments.

Protecting a franchise network is an ongoing process, requiring careful planning. But with the right people, technology and policies in place, every franchisor will have a better chance of finding and fixing vulnerabilities, detecting and thwarting threats and avoiding disasters.

The company should create response plan templates that take into consideration, among other things:

1. Sample Incident Response Plan

  • Incident Response Team Responsibilities;
  • Testing and Updating Response Models;
  • Incident Response Process Overview;
  • Incident Response Checklists: Incident Discovery and Confirmation, Containment and Continuity, Eradication, Recovery, Lessons Learned.

2. Incident Response Plan

  • Incident Response Team;
  • Incident Response Notifications;
  • Employee Responsibilities;
  • Incident Types;
  • Definition of a security breach;
  • Procedure for classifying potential incidents;
  • Response Procedure;
  • Recovery;
  • Periodic testing and remediation.

3. Incident Response Model

  • Roles, responsibilities, and contact information;
  • Threat Classification;
  • Compliance and Legal Requirements;
  • Incident response phases and actions taken.

4. Security Incident Response Plan

  • How to recognize a security incident;
  • Roles and responsibilities;
  • External contacts;
  • Payment cards - what to do if compromised;
  • Steps to respond to an incident: Report, Investigate, Inform; Maintain continuity; Resolve and recover; Review;
  • Specific types of incident response: Malware; Payment terminal tampering; Unauthorized wireless access points; Equipment Loss; Non-compliance with security policies; Periodic testing and updates of IR plan.

5. Technology Department Incident Response Plan

  • Incident response procedure referencing more detailed plans for specific types of incidents such as malware, system outages, active intrusion attempts.

6. Incident Response Model

  • Objective;
  • Scope;
  • Incident definitions and examples;
  • Roles and Responsibilities;
  • Incident response steps and procedures.

Finally, a cybersecurity awareness training program should be created with practical steps to build a culture of security throughout the organization, including how to:

  • Develop a security awareness strategy first;
  • Leverage advocates to create an effective awareness program;
  • Establish a specific budget covering cyber security programs;
  • Present cyber security awareness training to senior managers;
  • Promote and strengthen the security awareness program;
  • Know where other organizations stand with information and benchmarks;
  • Uncover best practices and essential components of an effective program;
  • Define your team's roles and responsibilities;
  • Develop a more mature incident response plan with actionable steps;
  • Connect to industry-leading resources on incident management.

These are just a few things that franchise network managers need to address to move their entire organization toward a safety mindset.

--

About the Author

F. Georges Sayegh, S.A.D., FCMC, is an expert-consultant in franchising and technology transfer. He is also the author of 18 books on franchises and related businesses. To reach him: gsayegh@gsayegh.com 

A version of this article was first published on the Canadian Franchise Opportunities website.
