Data breaches keep ‘zors up at night
Shelly O’Callaghan, general counsel at International Dairy Queen, had one of her worst days ever in October 2014, when news broke about a data breach at the Minneapolis-based franchise.
“We learned about our breach from law enforcement,” she said, which is a typical scenario, and it immediately became public when the famous breach blogger Brian Crebs broke the story.
“What that does is immediately thrust you into the public eye but you don’t have much information yet,” she said, at a recent panel on the topic.
“When it takes more than a week to investigate your locations, the public doesn’t understand it’s franchised,” she said. “One of the biggest things to avoid is going out with information that is not accurate. You want to be in as few news cycles as possible.”
Experts say every franchisor should heed the advice. “If data privacy and security is not keeping you up at night—it should,” said Leonard MacPhee, a partner at Perkins Coie and panel moderator at the International Franchise Association Legal Symposium this spring. “It’s probably going to get worse before it gets better,” he added.
Sally King, co-founder of NXG Strategies, offered some sobering statistics about data breaches. “Data breach is getting much, much worse,” she said. Since 2013 more than 208 million records were lost or stolen, in 900 separate data breach incidents, she said.
“Even though the cyber terror data breach is prominent,” she said, “there’s an equally large threat” from regular humans. Human error accounts for 47 percent of data breaches, including lost and stolen devices. “You can spend millions of dollars on technology, but a single employee can cause a threat.”
Another insider threat is employees recruited by criminals to turn over customer data. “One in seven said they’d sell data, for as little as $150,” one survey found.
She displayed real websites that show the extent of the problem, like a “McDumpals” site that offers 1,245 stolen McDonald’s credit cards for $10,500, with a money-back guarantee that the data is still usable. She showed a blog, buried in a legitimate Trulia real estate website that she found through Google, which recruits people to put together stolen identities from the comfort of home.
Then she showed a slide of franchises with recent data breaches: UPS, Staples, Supervalu, Wyndham Hotels, Dairy Queen, Bistro Burger & Grill and more. The cost of a data breach is $130 per record, for an average insurance claim of $733,000.
O’Callaghan at Dairy Queen described what they did after the breach. Dairy Queen has 4,300 U.S. locations, all but two of them franchised, so in the first couple of weeks they visited all the restaurants to see the scope of the problem.
They also trained their field consultants in two days, then held a webinar for “thousands” of franchisees to attend. “Our affected group was less than 10 percent of our U.S. stores, so at the end of the day all this money and resources went to less than 10 percent of the system,” she said.
Paul Reeve is an attorney for UPS and The UPS Store, which also had a data breach last fall when malware was installed on some of their point-of-sale systems. They have 4,500 centers, each with two or three computers, so they, too, immediately went out to find where the malware existed. “First you have to find out what you’ve got, and then second contain it,” he said.
Added O’Callaghan, “The finger-pointing starts very early,” with franchisees blaming the franchisor and vice versa, so it’s important to immediately let everyone know the issue of blame will be tabled until later, when the breach is managed and contained.
The panelists outlined the notification process required by nearly all the states, each with differing statutes. Choose the most stringent and write your notification to that standard, advised Reeve.
MacPhee, the panel moderator, said traditionally attorneys have advised franchisors to stay out of direct control of actions at their franchisees’ businesses, to avoid vicarious liability and joint-employer problems. In the case of data breaches, however, he believes they should be proactive because the stakes are so high.
Jennifer Debrow concurred, speaking on a separate panel at an IFA Franchise Business Network meeting in January. “The potential brand damage is so big that the franchisor oftentimes takes control,” said Debrow, a Gray Plant Mooty attorney in Minneapolis.
Meredith Bauer is corporate counsel at Anytime Fitness in Hastings, Minnesota. Along with her director of information technology, Joe Kingland, the franchise is putting together an extensive compliance program around the topic of data security. “It’s been top of mind in our organization, and we talk about it every day,” she said.
The first step, Kingland said, is to figure out what data actually comes into your organization. “Start with a questionnaire,” he advised, asking every person in your organization, franchise and corporate, about what data they get and in what form.
“It took time for us to find where the data comes from,” Kingland said. “Create a map around where all of this data is, and secure the map.”
Include vendors in your search, and be sure they’re insured against data breaches. “We looked at making sure the vendors had the basics in their contracts and policies,” he said, but keep in mind that software vendors, for example, don’t necessarily host their own data.
At Dairy Queen, they’re scrutinizing things like remote access for vendors. “Before, we didn’t have a person watching the logs for remote access,” said Jen Beck, VP and assistant general counsel there. “We’re bringing it in-house now.”
One point is certain, Beck said, in the event of a breach: “I have lived and breathed data breach for the last few months,” she said in January, with no end in sight.
Beth Ewen is managing editor of Franchise Times. Send interesting legal and public policy cases to her at email@example.com.