Data Breaches Likely Coming to a Franchise Near You, Attorneys Warn
“If data privacy and security is not keeping you up at night—it should,” said Leonard MacPhee, a partner at Perkins Coie and moderator of a panel on the topic at the International Franchise Association Legal Symposium in Chicago last week.
“It’s probably going to get worse before it gets better,” he added.
Sally King, co-founder of NXG Strategies, offered some sobering statistics about data breaches. “Data breach is getting much, much worse,” she said. Since 2013, more than 208 million records were lost or stolen in 900 separate data breach incidents, she said. One study suggests 43 percent of businesses will experience a breach in any given year.
“Even though the cyber terror data breach is prominent,” she said, “there’s an equally large threat” from regular humans. Human error accounts for 47 percent of data breaches, including lost and stolen devices, etc. “You can spend millions of dollars on technology, but a single employee can cause a threat.”
Another insider threat is employees recruited by criminals to turn over customer data. “One in seven said they’d sell data, for as little as $150,” she said one survey found.
She also showed real websites that illustrate the extent of the problem, like a “McDumpals” site that offers 1,245 stolen McDonald’s credit cards for $10,500, with a money-back guarantee that the data is still usable. She also showed a blog, buried in a legitimate Trulia real estate website and found through Google, that recruits people to put together stolen identities from the comforts of home.
Then she showed a slide of franchises with recent data breaches: UPS, Staples, Supervalu, Wyndham Hotels, Dairy Queen, Bistro Burger & Grill and more. The cost of a data breach is $130 per record, for an average insurance claim of $733,000.
Shelly O’Callaghan, general counsel at International Dairy Queen, described Dairy Queen’s breach, which happened in October 2014. “We learned about our breach from law enforcement,” she said, which is a typical scenario, but the breach immediately became public when the famous breach blogger Brian Krebs broke the story.
“What that does is immediately thrust you into the public eye but you don’t have much information yet,” she said. “When it takes more than a week to investigate your locations, the public doesn’t understand it’s franchised,” she said. “One of the biggest things to avoid is going out with information that is not accurate. You want to be in as few news cycles as possible.”