By F. Georges Sayegh
F. Georges Sayegh, A.S.D., C.Adm, FCMC of Quebec and Ontario, is a franchise and technology transfer consultant and author of 18 books on franchising and associated businesses. One of his books is entitled "Trade Secrets and Confidential Information” written in French. To reach him: email@example.com; Tel: (514) 216-8458.
In recent years, ransomware and other cyberattacks have become the enemy of today's data-driven organization. Attacks are increasingly destructive, driving up the cost of spending per attack to millions of dollars. Cyber threats come in many forms and attackers are using multiple techniques and platforms. It's not a matter of "if" an organization will be targeted by cybercriminals, but rather "when." Cybersecurity breaches have increased involving, among others, notable franchise networks such as Dairy Queen, Supervalu, Jimmy John's sandwich shops, Goodwill and UPS.
Malicious software (malware) often changes configurations before corrupting data. These data breaches are increasingly costing companies in a variety of ways such as recovering (or deleting) lost records, paying for legal defense and settlement, notifying those affected by the breach, and providing credit monitoring services to affected customers or employees. In addition, not having sufficient data security in place, whether or not there is a breach, or using consumer data inappropriately can result in significant liability. Most importantly, the loss of brand reputation can have a negative impact on the entire franchise network that the franchisor has taken years to build.
The cost of reputation is particularly important to franchisors because their most critical assets are their brands. Franchisors often operate in industries with highly competitive brands, where consumers can easily shift their business elsewhere. In the event of an infringement, customers are unlikely to distinguish between the franchisor licensing the brand and the franchisee operating their business using that brand. Therefore, a breach at the franchisee level, having little or nothing to do with the franchisor's actions, can discredit the reputation of the entire brand in the public eye and drastically impact the bottom line of the entire franchise system.
With cyberattacks occurring every 11 seconds, according to the latest data breach report released by IBM and the Ponemon Institute, the cost of a data breach in 2021 was US$4.24 million, a 10% increase from the 2019 average cost of $3.86 million.
The average global cost of cybercrime was expected to peak at US$6 trillion annually by the end of 2021, driven by the proliferation of ransomware attacks.
The Ponemon Institute and IBM Security report takes hundreds of cost factors into consideration, ranging from legal, regulatory and technical activities to loss of brand equity, customer churn and drain on employee productivity.
The latest FTC report on types of identity theft tells us the following:
- Credit card fraud (new and existing accounts) - 32.3%.
- Other identity theft (email or social media, law circumvention, insurance, medical services, online purchases or payments, securities accounts, other) - 26.5%.
- Loan or rental fraud (apartment or home rental, auto loan, vehicle rental, business loan, student loan, home loan) - 14.4%.
- Telephone and utility fraud (landline phone, cell phone - new and existing accounts) - 11.0%.
- Bank fraud (debit cards, electronic funds transfer - new and existing accounts) - 7.3%
- Employment or tax fraud (employment or payroll fraud and tax fraud) - 5.5%.
- Government document or benefit fraud (driver's license issued or falsified, government benefits applied for or received, other government documents issued or falsified) - 3%.
For these reasons, it is crucial for franchisors to understand the issues posed by cybersecurity and the methods to deal with attacks.
Franchisors have a cybersecurity obligation to their franchisees and consumers. They must be aware that they are managing multiple types of consumer data simultaneously, whether through a centralized database at the franchisor's location or processing data using various devices at the franchisee level. Care must always be taken to ensure that data security and consumer privacy are maintained, particularly with respect to:
- Credit card processing;
- Issuing airplane or cruise tickets;
- Renting an automobile, jet ski or snowmobile;
- Booking a hotel room;
- Filling up a gas tank at a gas station;
- Purchasing a cell phone using a home address and disclosing confidential information;
- Purchasing a book or a pair of glasses through a franchise network;
- Buying or renting a computer with a service contract allowing the franchisor's staff to access the customer's data;
- Having dinner in a restaurant chain;
- Purchasing furniture in a small or large store;
- Collecting or processing a patient's medical health information when writing or filling a prescription at a pharmacy;
- Filing a tax return;
- Handling a money transfer providing financial services to individuals.
To list just a few.
Various state and local regulations apply when a data breach affects the parties involved. The burden is on the franchisor to scramble to comply with the various laws or regulations that apply to cybersecurity, whether at the corporate unit level or at the franchisee level.
Data breaches also leave franchisors vulnerable to individual and class action lawsuits filed by consumers. These lawsuits are based on various statutory laws and/or case law. The trend in the courts is to be increasingly harsh on these data breaches, and plaintiffs no longer need to show actual harm (such as identity theft) to seek justice.
Given the nature of franchise systems, a franchisor will often mandate the use of certain types of software packages and computer systems that franchisees must use in their locations in order to ensure uniformity and cohesion throughout the franchise system. The downside of this uniformity is the danger of liability being placed on the franchisor if the required computer systems or programs are compromised although the result of such cases has shown that regulators have not always been successful. For example, in 2012, the FTC filed a suit against Wyndham Hotels, FTC v. Wyndham Worldwide Corp, Civil Action No. 2:13-CV-01887-ES-JAD (U.S. Dist. Court, DNJ) for failing to maintain the security of the computer system it required franchisees to use to store personal customer information. The court fully released the franchisor from liability for data breaches at Wyndham franchised hotels.
Increasingly, we are seeing clauses being introduced into franchise agreements allowing franchisors to access their franchisees' databases. The larger and still unresolved issue for franchisors is the limits of the franchisor's obligation to monitor the activities of franchisees in their use, disclosure and processing of consumer information. To what extent does "involvement" or "knowledge" make a franchisor liable? In cybersecurity, as in other areas, there is an unresolved tension between franchisors' efforts to maintain their legal separation from franchisees and franchisors' involvement in their franchisees' activities to protect the brand. So, in addition to protecting the value of their brands from cyberattacks and bringing their franchise systems into compliance with data laws, franchisors need to guide - but not overly direct - their franchisees' data practices.