Is your franchise system prepared for a cyber attack?
Wyndham and Target are just two of many companies victimized by hackers, and they won’t be the last. Our guest columnists, experts in data security, offer counsel to franchise systems, which have special concerns.
America’s businesses are under attack. Increasingly, the immediate objective of the attack is to gain personal information for later misuse. Exhibit A is Target. From November 27 to December 15, 2013, the bullseye was on the retailer Target Corp. In the middle of the all-important holiday shopping season, Target learned criminals forced their way into its system, gaining access to guest credit and debit card information.
According to the company, approximately 40 million credit and debit card accounts may have been impacted. In addition, the hackers took names, mailing addresses, email addresses or phone numbers, acquiring information on as many as 70 million customers.
In testimony on Capitol Hill, Target’s chief financial officer said the massive breach was caused when “the intruder stole a vendor’s credentials to access our system” and placed malware “on our point-of-sale registers.”
Since the announcement, more than 80 class-action lawsuits have been filed against Target all across the country by consumers, financial institutions and stockholders. One analyst estimates this breach will cost the company a billion dollars.
While Target operates its own stores, franchise systems have also been in the news as victims of similar attacks. While franchisees interact with consumers on a direct basis, the risk posed by hackers can spread to the franchisor, as well.
Franchisors commonly exercise significant control over franchisees, and/or offer significant assistance. Many franchisors offer services that put them in direct contact with customer information, from running centralized reservations to taking credit card numbers for processing.
The Target breach concerned an HVAC vendor whose credentials were stolen. Franchisors frequently perform as vendors for franchisees. Even when franchisors do not act as vendors themselves, they often help franchisees select vendors. Just as often, franchisors oversee the process by which credentials are assigned for access to customer information or even run a shared platform for franchisee information. If the franchisor is handing out the keys, the franchisee may not stand alone when the security of the system is compromised.
The Wyndham case being litigated in New Jersey squarely presents the issue of upstream franchisor liability. In Wyndham, the FTC seeks to hold several Wyndham companies responsible for the alleged theft of credit card information at independently owned and operated franchises: “Defendants’ security failures led to fraudulent charges on consumers’ accounts, more than $10.6 million in fraud loss and the export of hundreds of thousands of consumers’ payment card account information to a domain registered in Russia.”
The Wyndham allegations
Why would anyone but those franchisees be responsible for that breach? The FTC’s complaint made specific allegations about the defendants’ control of franchise-level operations. For example, the FTC alleged:
• The franchise agreements “require each Wyndham-branded hotel to purchase, and configure to their specifications, a designated computer system,” known as a property management system;
• These property management systems “store personal information about consumers;”
• The property management systems “are part of hotels and resorts’ computer network, and are linked to its corporate network;”
• Only defendants, and not the owners of the Wyndham-branded hotels, have administrator access that allows defendants to control the property management systems.
Paul Bond and Mark Melodia are partners at Reed Smith law firm in Princeton, New Jersey, and part of the Global Regulatory Enforcement Group there. Reach them at (609) 987-0050.
What can and should companies operating under the franchise model do? First, they must understand the flow of personal information throughout the franchise system. What information is collected under the brand of the franchise system? With whom is that information shared?
Second, they should allocate financial and operational responsibility for personal information within the franchise system. It should be clear who is ensuring what aspect of data protection, and who will bear the responsibility for any loss.
Third, they should review privacy disclosures and security promises from the consumer’s point of view. What would a consumer who knows nothing about the corporate structure of your franchise system think is being promised to him or her with respect to privacy and data security? Do those promises match reality?
Fourth, they should prepare and drill for the worst. In the aftermath of the Target breach, the second-guessing about the company’s response has been endless. Did they see the warning signs? Did they react quickly enough, and provide sufficient warning?
A company facing a major breach needs to do a lot in very little time—unless policies, procedures and training are in place, it is likely the response will be unsatisfactory.