July 20, 2016

CYBER CENTER: Cyber-Security Considerations for Franchisors: Protecting the Brand While Avoiding Vicarious Liability

David B. Ramsey

High-profile cyber breaches in franchised networks have increased in recent years, involving such notable franchise networks as Dairy Queen, Supervalu, Jimmy John’s sandwich shops, Goodwill, and UPS, among others.

A data breach can cost a company dearly in a variety of ways, such as recovering (or doing without) lost records, paying for legal defense and settlement, notifying those impacted by the breach, and providing credit-monitoring services for affected customers or employees. In addition, simply not having enough data security in place—regardless of whether there is a breach—or using consumer data in an inappropriate way can result in hefty liabilities. Crucially, the public reputation cost can result in lost business.

The reputation cost is especially acute for franchisors because their most critical assets are their brands and the associated goodwill. Franchisors often operate in highly brand-competitive industries where consumers can easily take their patronage elsewhere. Customers are unlikely to distinguish between the franchisor that licenses the brand and the franchisee that owns and operates a particular franchised outlet where a breach occurs. Therefore, a breach at the franchisee level, having little or nothing to do with actions by the franchisor, may discredit the reputation of the entire brand in the eyes of the public and drastically impact the bottom line of the entire franchise system.

For the above reasons, it is crucial for franchisors to understand the issues posed by cyber security and the methods to tackle them. This article provides an overview of the legal considerations for franchisors and pointers on bolstering the cyber security of a franchise system.

Cyber-Security Duties of Franchisors to Their Franchisees and to Consumers

Franchisors must be aware of, and concurrently manage, two emergent trends affecting their legal obligations on cyber security.

First, there is the increased number and scope of laws and standards requiring compliance with data security and consumer privacy. Second, there is the push by various government agencies to expand the boundaries of liability for a franchisor vis-à-vis the actions of its franchisees, depending on how the franchisor conducts its relationships with its franchisees.

The increase in cyber-security laws and standards has been dramatic. An expanding range of laws and industry best practices govern the security of personal information of the type often collected by franchisors and their franchisees in their business. For example, the Payment Card Industry Data Security Standards (PCI DSS) are industry rules mandated and regularly updated by the major credit-card companies. These rules are designed to ensure that all entities that process, store, or transmit credit-card information maintain a secure environment for such information. The PCI DSS are often used to determine whether a company’s data security is adequate. If franchise systems interact with consumers using credit cards, the PCI DSS requirements likely apply. For example, as a condition of accepting credit-card payments, there are contractual disclosure obligations to notify credit-card companies and customers of a potential breach within a specific time frame, depending on the jurisdiction in which the breach occurs. Failure to do so can result in significant penalties, such as steep fines.

In certain industries, additional laws become relevant. Examples include the Health Insurance Portability and Accountability Act (HIPAA) in businesses involving the collection or handling of health/medical information and the Gramm-Leach-Bliley Act in industries providing financial products or services to individuals. Various state and local regulations also apply. Nearly every state requires companies to report data breaches to the affected parties. Franchisors may have to scramble to comply with differing laws in the states in which their franchisees operate.

Data breaches also make franchisors vulnerable to individual and class-action lawsuits from consumers. These lawsuits are based on statutory and/or common law and have increased in recent years. The trend has been for federal courts to dismiss these cases for lack of Article III standing when the plaintiff’s only alleged injury is that a data breach occurred and information might have been revealed, or that the plaintiff was compelled to purchase credit monitoring. The case law on standing appears to be shifting, however. Plaintiffs may not always need to show actual harm (such as identity theft) for their cases to go forward.

Accompanying the expansion of rules on cyber security is the growth in government agency interpretations of the duties of franchisors, including potential vicarious liability for the acts or omissions of their franchisees. Cyber security is a natural area in which government agencies have taken action in this regard. Given the nature of franchise systems, a franchisor often will impose requirements for certain types of computer systems or software that franchisees must use in their businesses to achieve uniformity and cohesiveness throughout the franchise system. The flip side of that uniformity is the danger of imputed responsibility of the franchisor if those required computer systems or programs are compromised. Regulators have attempted to place such imputed responsibility on franchisors for breaches of data security or data privacy whether the breaches occur at the franchisor or the franchisee level, although in the final outcome of such cases, the regulators have not always succeeded in doing so (for example, in the Wyndham Hotels case discussed immediately below).

In recent years, the Federal Trade Commission (FTC), acting in its capacity as a regulator for privacy and data security, has brought actions against companies that it deems to have ineffective cyber security. In 2012, the FTC filed suit against Wyndham Hotels, FTC v. Wyndham Worldwide Corp., Civil Action No. 2:13-CV-01887-ES-JAD (U.S. Dist. Court, D. N.J.), for failing to maintain the security of the computer system it required franchisees to use to store customers’ personal information. (Full disclosure: the author’s law firm furnishes franchise counsel to Wyndham Worldwide Corporation and its subsidiaries from time to time, but played no role in and had no prior knowledge of the events of this case.) The FTC alleged that there were three data breaches in less than two years, resulting in fraudulent charges on customers’ accounts and the export of hundreds of thousands of consumers’ credit-card information to an Internet domain address registered in Russia. The FTC sought to hold Wyndham, as franchisor, liable due to the data and privacy breaches that occurred in its system at franchised hotels.

The settlement outcome with the FTC in Wyndham is instructive. It involved a stipulated order entered in December 2015 that entirely relieved the franchisor of any responsibility for data breaches at franchised Wyndham Hotels. This outcome is significant because the FTC’s complaint strongly urged the court to impose vicarious liability for franchisee data breaches upon the franchisor. If the court had done so, it would have made the franchisor responsible for all data-security practices and lapses at franchised hotels. Happily for franchisors, that did not happen in this case, one of the first of its kind in the franchise sector.

Although the outcome of the Wyndham case provides some comfort to franchisors, another case brought by the FTC in March 2014 is much less comforting. In In the Matter of Aaron’s, Inc., 2014 WL 1100702 (F.T.C.), File No. 122-3264, the final Agreement Containing Consent Order made clear the danger of imputed liability for franchisors in some cases if the franchisor does not oversee and monitor its franchisees’ consumer privacy practices.

Aaron’s, Inc. was a national rent-to-own retailer of consumer electronics, appliances, and furniture, with over 700 franchised stores and over 1,300 company-owned stores throughout the United States. In Aaron’s, a number of franchisees were alleged to have installed privacy-invasive software on the computers rented to consumers that covertly collected confidential and personal consumer information (e.g., the software logged keystrokes, captured screenshots, and activated computer webcams). The information collected was transmitted from the rented computers to franchisee e-mail accounts.

The circumstances in Aaron’s, which involved what the FTC called “cyber-spying software” on computers that customers brought into their homes and used for a host of personal and private matters, might easily be distinguished from the type of business conducted by most franchisors and their franchisees. However, the FTC in Aaron’s put forward a broader legal position that should concern all franchisors: that a franchisor can be liable for data security/privacy violations that were committed only by franchisees (and not committed in company-owned stores) if the franchisor “knowingly assisted” the franchisees in committing the violations. Based on the allegations advanced under the FTC’s complaint in Aaron’s (note that defendant Aaron’s neither admitted nor denied these allegations), “knowing assistance” by the franchisor could include the following scenarios:

  • The franchisor allowed franchisees, through access to a third-party software designer’s website, to activate certain cyber-spying software from that designer, which the franchisees then used to monitor people through the computers rented to those people, thereby invading their privacy.
  • The franchisor’s corporate server was used to transmit and store e-mails containing content obtained through such monitoring.
  • The franchisor provided franchisees with vital technical support about the software program and how to use it, such as publishing trouble-shooting advice about installing the program on rented computers and avoiding conflicts with antivirus software.

Based on the above, Aaron’s tells us that a franchisor may be deemed an active participant in the franchisees’ wrongful cyber activities through its knowledge of the practice and its technical support for those activities, even though the franchisor did not initiate the practice or utilize the practice in its own franchisor-owned stores.

The broader, unresolved issue for franchisors following Aaron’s and Wyndham Hotels is the boundaries of the franchisor’s obligation to monitor activities of franchisees in their use, disclosure, and handling of consumer information. How much “involvement” or “knowledge” makes a franchisor liable? In cyber security as in other areas, there is an unresolved tension between the efforts of franchisors to maintain their legal separation from franchisees and the involvement of franchisors in the activities of their franchisees in order to protect the brand. Thus, besides guarding the value of their brands from cyber attacks and making their franchise systems comply with data laws, franchisors should guide—but not excessively direct—their franchisees’ data practices.

Cyber Vulnerabilities Common to Franchisors

As part of their everyday businesses, franchisors and their franchisees often collect, maintain, and share large volumes of customer information. As franchising expands into more industries (from insurance, to massage, to medical care and beyond), the types of information collected and the hardware and software involved also expand.

Especially vulnerable are small- and mid-sized franchised businesses, many of which are too small to implement sophisticated cyber defenses alone. The technology networks that franchisors use to collect and transmit data (e.g., sales tracking, royalty payments, and customer credit-card information) are often linked to their franchisees’ systems. Accordingly, a single franchisee that has not invested the time or money necessary to ensure its computer systems are protected can compromise an entire franchise system. Thus, a franchisor’s franchise network is vulnerable from multiple entry points: each franchisee office; each franchisee outlet; each computer terminal or POS at a franchised outlet; the computer terminals and POS at each company-owned or affiliate-owned outlet; the franchisor’s corporate headquarters; and all the vendors whose systems connect with the franchise system.

Many franchisors have a vested interest in ensuring that cyber-security “hygiene” training is frequently accomplished throughout the franchise system. For example, part of a franchisor’s PCI DSS responsibility is to guard against physical modifications to swipe machines introduced by thieves to surreptitiously copy credit- and debit-card information. To prevent this, retail outlets with point-of-sale (POS) machines must check them regularly, and employees should be trained to do so.

Although many franchisors think of vulnerability mainly in terms of their POS systems, much more is at issue, as the following realities illustrate:

  • Hardware setup vulnerabilities can easily go undetected. For example, where franchise locations handle both back-of-the-house transaction data and provide front-of-the-house Internet access to customers, the routers for these two functions should be on separate networks, but often are not.
  • Franchisees must know about inappropriate means of taking payment or personal data from customers, but often do not.
  • When personnel use mobile devices to remotely access their office computers, such devices should use software that encrypts the data they transmit, but often do not, giving hackers a way in.
  • Data from the franchise system should be backed up regularly to mitigate loss, but often is not.
  • Franchisors should run the data from and to vendors through a malware screen, but often do not.

Furthermore, certain industries where franchising is common, such as quick-service restaurants, have high employee turnover. This inherently increases the threat of data breaches. Disgruntled former employees may have passwords and knowledge of security practices, making a company vulnerable to theft or sabotage (hence the importance of frequent password-changing policies). As people leave, new training should be provided to newcomers on data-security practices, but is often overlooked.

A final vulnerability common to franchisors is that many guard trade secrets or know-how (such as a secret recipe) crucial to their brand. These materials are often stored and disseminated to franchisees via online intranets. For franchisors, the threat of electronic breach of such secrets is an especially worrisome danger of cyber crime.

Cyber-Security Provisions in Franchise Documentation

Franchisors should require their franchisees, where appropriate, to obtain cyber insurance coverage. Franchise agreements often have long terms (e.g., 10, 15, or 20 years); therefore, existing franchise agreements signed a number of years ago (and which may extend far into the future) probably do not address cyber insurance. However, many franchise agreements contain provisions permitting the franchisor to modify insurance requirements over time based on changes in the industry, the marketplace, or relevant risks. Therefore, in many cases adding a requirement of cyber insurance is not a foreclosed option.

Beyond requiring insurance, the franchisor should demand that the franchisee provide a Certificate of Insurance from the insurer, naming the franchisor as an additional insured. This step is typically a minimal burden on the franchisee, but it is often overlooked by franchisors.

Furthermore, franchisors should require their franchisees, where appropriate, to comply with a data policy set by the franchisor. Franchisees often look to the franchisor for guidance on a data policy. The content of a data policy depends on the industry, but the elements are common: what data should not be collected; what anti-virus programs must be installed and how frequently they must be updated; what e-mails should not be opened; under what conditions data may be transferred; how data may not be used; and a requirement that franchisees promptly report suspected data breaches to the franchisor.

Finally, franchisors may require that their franchisees participate in third-party or industry-sanctioned training programs and certify completion of the training and implementation of specified data safeguards. Here, as with certain other areas of franchisee operations, there is a balance the franchisor must strike: provide the franchisee with advice, guidance, and assistance (and even requirements where needed to protect the brand), but do not become too involved in franchisee operations to the point of risking vicarious liability claims against the franchisor.

Cyber Risks Overlooked by Franchisors

Much of cyber crime is committed by highly organized criminals based overseas. They aim to obtain sensitive information like user names and passwords to access company bank accounts online. With this access, they engage in unauthorized banking transactions and steal directly from corporate accounts.

A common way that cybercriminals steal information is through e-mail “phishing” and “spear phishing” scams: getting someone inside the company’s network to open an e-mail or the attachment to it, which implants malware in the target company’s computer systems. Both franchisors and their franchisees must ensure that the anti-virus and anti-spyware software on their systems, and the operating systems themselves, are updated with the current version at all times. Companies whose employees have Internet access through company computers should educate their employees about e-mail scams, including recognizing phishing e-mails and always deleting such e-mails.

Given the breadth and hidden dangers of the Internet, however, addressing e-mail is not enough. Employees should exercise caution with online social media. Criminals use social media to trick users into downloading malware or sharing account information. However, when it comes to employee use of personal social media accounts on company computers, there is only so much that companies can control. An increasing number of states (21 as of May 2015) ban employers, with some exceptions, from requiring an employee to provide his or her social media account username or password. Therefore, the key is communicating a clear policy, defining what social media use in the workplace is not permitted, and encouraging the use of robust privacy settings as opposed to the minimum that such websites might allow.

Franchisor Strategy for Cyber-Security Hardening

An outline for cyber-security preparedness:

  1. Dedicate specific human resources to data-security and privacy compliance.
  2. Conduct a risk assessment/audit. Map the data of the franchise system, asking: What information is stored? Who has access? Is it essential? If essential, is it encrypted properly? If not essential, should it continue to be stored? Companies should dispose of needless data if it is a reasonable business decision.
  3. Involve legal counsel in determining what laws and contractual requirements apply to the franchised system and the data discovered through the mapping exercise.
  4. Have legal counsel review the data security and privacy policies of the franchise system, create them where needed, or modify them to comply with applicable laws. Ensure consistency of internal policies and policies shared with the public.
  5. Select appropriate cyber insurance policies for the franchisor and require franchisees to obtain appropriate insurance. Legal counsel or risk managers experienced with franchising, cyber security, and insurance play a vital role here.
  6. Concurrently, review and update commercial contracts with third parties (for example, POS vendors) to ensure consistent and proper protection in light of the types of data involved. As a telling example, note that the massive customer data breach at retail chain Target was reportedly the result of a vendor’s lax protection of its password credentials, which allowed unauthorized access to the Target POS system. Contracts should include appropriate representations and indemnifications by such counterparties. Contracts might also address who pays for breach notification costs and forensic work and may mandate cooperation with law enforcement/regulatory investigations stemming from a breach.
  7. Examine the franchise disclosure document, franchise agreement, operations manual, and other system documentation for proper protections and policies. For example, network security guidelines should be in place, such as requiring franchisees to maintain firewall logs for a certain period of time to provide a forensic audit trail when needed.
  8. Adopt a cyber-security incident response plan.

Although the cost of the foregoing may worry franchisors, these types of prevention costs are dwarfed by the recovery costs of a major data breach. Cyber consultants can streamline the process, find key weaknesses, think like hackers, and use hackers’ tools to test how an intruder could get in. They play an invaluable role in saving costs while designing a better security program.

Aside from the outline above, franchisors should enlist their franchisees, vendors, and other stakeholders in the franchise system in security practices. Franchisors should consider regular training for all stakeholders and their respective employees and vendors about the data security policies of the franchisor. The rationale for such training is protection of the franchisor brand. The banks a franchisor uses are also stakeholders. Working with them, franchisors can implement treasury-management products and services to reduce their cyber risk. For instance, ACH Positive Pay (where companies set filters to control how much money can be paid electronically to any one vendor) prevents check and electronic fraud by alerting the franchisor and/or franchisees to potentially fraudulent transactions before they hit company accounts.

There are many simple choices that improve security. Using business credit cards reduces the instances where bank account information is shared with outside parties. Requiring two or more individuals to originate or approve significant electronic fund transfers reduces the risk of fraud. Conducting financial transactions on dedicated computers and not on computers used for web browsing or e-mail reduces the chance of malware or other cyber vulnerabilities.

Finally, franchisors should stay abreast of developments in cyber-security technologies. Examples include point-to-point encryption, block-chain software, and tokenization (substituting a piece of information with a unique symbol or symbols, known as tokens, to disguise the information). Although some technologies are not yet mature and packaged for commercial implementation, it is worth following their development to stay ahead of the curve and hopefully protect one’s brand better than the competition.

Useful resources where franchisors can learn more about cyber security are below:

  • staysafeonline.org (educational site of the National Cyber Security Alliance)
  • pcisecuritystandards.org (PCI DSS standards)
  • verizonenterprise.com/DBIR (Verizon’s data breach investigations reports)

David B. Ramsey is an associate at the law firm of Kaufmann, Gildin & Robbins in New York City.