With wake-up call finally heard, firms get serious about security
'The use and safeguarding of data is absolutely essential to the efficient operation of any business today,' says one attorney, and franchises have special concerns. Experts outline a playbook.
Many small businesses view themselves as unlikely targets for cyber criminals. But with Target Corp., Coca-Cola Co. and Neiman Marcus making headlines as victims in recent months, professional services experts say franchise operators are realizing anyone could get hit.
And because they lack the resources of those Fortune 500 companies and often don’t have state-of-the-art systems in place, small businesses actually are hit at a much greater rate—and franchised businesses may be at even greater risk.
That’s because even when franchisors regularly upgrade their systems and emphasize the importance of network safety and data compliance, their franchisee networks often consist of business owners with varying levels of financial resources and technical savvy.
“You have a lot more people who are in and out of the network,” says Collin Hite, leader of the Insurance Recovery Group at Hirschler Fleischer in Richmond, Virginia. “One weak franchisee or one weak link that allows a breach to occur has a domino effect in a franchisor kind of world because they are all interconnected through the network.”
Franchisors and franchisees are separate legal entities, potentially with no crossover in terms of legal liability with respect to data breaches, says Lee Plave, a partner with Plave Koch in Reston, Virginia, and a member of the International Franchise Association’s Marketing and Technology committee.
That said, they are linked by brand name, which should be incentive enough for them to work together to ward off potential attackers.
“In the public’s eye, it’s the brand that either carries the ball the right way or it drops the ball,” Plave says. “And if the brand drops the ball, it probably matters little to a customer that it was one particular franchisee who didn’t pay attention to that detail. They see the name of the brand and say ‘Aha, the brand is the one that made the mistake.’”
Franchisors are in the best position to run their system and should take the lead in protecting that brand by ensuring there is a plan in place for the collection, use and secure retention of all data. The company should address the issue in its initial contracts, but also in the policy manuals. And the franchisor needs to make sure franchisees know what they have to do to comply and how to do it.
“This is a matter of training, training, training,” Plave says. “It’s set expectations, it’s train, it’s reinforce, it’s retrain.”
One of the biggest problems stems from the collection of credit-card data, Plave says. If someone takes an order over the phone and writes down a card number on a piece of paper, how is that information protected? And is all the information a company collects really important to receive and retain?
Credit-card companies have been proactive in creating standards those who accept their cards must meet. The Payment Card Industry Data Security Standard is a comprehensive set of requirements that applies to all merchants that take credit cards, says Tom Epstein, CEO of Franchise Payments Network and chair of the IFA’s PCI/Security subcommittee.
The standards were written by the PCI Security Standards Council, founded by Visa, MasterCard, American Express, Discover and JCB to establish a baseline for protecting cardholder data. Visa, in particular, is placing an increased onus on the franchisor for maintaining security, and incidents can result in penalties being assessed against parties deemed to have problems.
Epstein says franchisees may balk at the cost, for example, of upgrading a point-of-sale system to a new version while not understanding the system-wide risk noncompliance places on the entire brand. Franchisors have to ensure the importance is communicated upfront and throughout the relationship.
That includes ensuring employees across the system are schooled on processes for handling all the data that comes in at any level. If something goes wrong, “Visa or MasterCard is going to hold the merchant responsible,” he says.
In the past, franchisors have been hesitant to provide franchisees with guidance on technology compliance issues, fearing they would make themselves liable if a breach occurred, says David Katz, a partner and leader of the Privacy and Information Security Practice Group at Nelson Mullins Riley and Scarborough in Atlanta.
Creating a system that addresses technology and network issues in advance, and that ensures those requirements are complied with, is one of the best protections, he adds. How those agreements are structured is still being fleshed out—whether it’s part of the original franchise agreement or a separate document—but it’s vital, he says, to outline responsibility. “The reality is franchisees look toward the franchisor for a lot of help and a lot of direction, whether it’s by agreement or by practice,” Hite says.
In case something does go wrong, it’s vital for franchisors and franchisees to buy good insurance policies.
A good policy for franchisors will indemnify them against claims due to franchisee errors, says Angela Elbert, a partner at Neal, Gerber & Eisenberg in Chicago. But be advised, she adds, the traditional routes for covering cyber liabilities and losses—such as general liability, errors and omissions or directors’ and officers’ liability areas in overall policies—are routinely being stripped and replaced by stand-alone cyber and privacy insurance policies.
It’s a growing field with many companies writing them and they often differ depending on the company. So it’s important, Elbert says, to talk with an insurance broker or a lawyer to make sure the business has sufficient coverage.
“This is all pretty new,” she adds. “Policies are getting better.”
A good policy with a reputable carrier will help the harmed business repair its network and fund public relations efforts to protect its reputation, Hite says. It also will provide third-party protection aimed at covering claims from customers, providing credit monitoring for victims and helping with a defense against any potential lawsuits.
“Where does a franchisee go and find the right IT forensics person and the PR person?” Hite says. “The beauty of the insurance is they have those vendors pre-vetted basically on retainer and they bring it in immediately to provide a 360 degree response to the problem.”
With several high-profile incidents recently in the news, small businesses and franchises have begun recognizing they can’t ignore these needs.
“We’ve been beating this drum for five or six years now,” Epstein says. “The Target thing really woke everybody up.”
Any company that hasn’t sufficiently dealt with preventing breaches puts the survival of its business at risk. “This is the issue that is going to define commerce for the rest of time,” Plave says. “The use and safeguarding of data is absolutely essential to the efficient operation of any business today—and it’s an Achilles heel at the same time.”