Cyber-Safety First!: Protecting the Integrity of Your Brand
By now everyone is painfully aware that even a modest data breach at a medium-sized company can cause a world of pain. Cyber response costs alone (including reimbursing credit card companies for having to issue replacement cards) can run into the millions. There also are costs associated with discovering and fixing the breach and instituting appropriate security and administrative controls to ensure that such a breach "never happens again" (an optimistic statement, but there you have it). And once a breach becomes public, reputational costs leading to a loss of customer trust and related goodwill are impossible to predict.
Franchises are not immune from this type of reputational devastation. In recent years, big names like Home Depot, Dairy Queen, Goodwill, Supervalu, UPS, and Wendy's have all suffered massive, costly data breaches. In fact, because of their large consumer base and the potentially decentralized nature of their IT operations, franchises are prime targets for hackers. While response costs are likely not much different than at other businesses, the reputational fallout for a franchise that suffers a data breach is potentially far worse.
Franchisors routinely require franchisees to adhere to design guidelines on the look and feel of their retail stores and often mandate that supplies be purchased from a list of reputable providers, all in the name of maintaining brand reputation. Privacy and cybersecurity should be no different. By requiring franchisees to comply with a firm set of data protection requirements and ensuring compliance through routine audits, the chances of a breach, and the concomitant reputational loss, can be greatly reduced.
Imagine that a hacker decides to target four or five Dallas-based units of a national franchise, all owned by a single franchisee. Because the franchisee's POS devices are not compliant with PCI-DSS, the hacker is able to steal the credit card information of thousands of the local franchisee's customers. Once the breach becomes public (and state breach notification requirements make public disclosure a virtual certainty), the name of the franchise becomes associated with the breach--even if the franchisor did nothing wrong.
This affects not only the franchisor, but also every other franchisee whose data was not compromised because the brand takes the hit through "guilt by association." A good PR firm may be able to help confine the negative impact to only the careless franchisee and its units, but the cost to do so may be prohibitively expensive. Moreover, the franchisor is forced to react to the situation after it has occurred, instead of trying to get out in front with preventive measures.
What you can do
While there is no guarantee that preventive measures, however stringent, will stop a data breach from occurring (indeed, the worn cliché is that it's not "if" but "when"), there are several options that franchisors should consider to minimize the chances of an illegal intrusion and thus be able to credibly declare that "We did everything we could" to prevent the loss of personal information.
1. Consider centralizing credit card processing and payroll functions through a single server housed at corporate headquarters. Although this option puts the franchisor in the driver's seat in terms of consistency of security measures, it does have the potential to magnify the effect of a data breach if the hacker penetrates that corporate server: they would then have access to customer information from all franchisees. Hence, maintenance of stringent security protocols, including encryption, access limitations, and dual authentication procedures, would fall to the franchisor to implement and enforce through a thorough audit program (see item 4).
2. Alternatively, consider outsourcing these functions to two or three trusted data security firms that you have thoroughly vetted and researched, and require franchisees, through contractual provisions in the franchise agreement, to use one of them. This front-loads the franchisor's due diligence, but it allows day-to-day security to be handled off-site (for a price, of course).
3. As a corollary to item 2, franchisors should require all franchisees to comply with PCI-DSS. As mentioned, many franchisee data infiltrations come through the POS devices used to accept credit card payments at the individual units. Since part of PCI-DSS involves hardware requirements for POS devices, requiring franchisees to comply with these requirements will minimize the risk of a data breach (and they must do it anyway if they want to process credit card payments at all).
4. With all of the above items, franchisee compliance with data security requirements must be rigorously enforced through regular privacy audits. Whether the franchisor employs outside vendors or does the job in-house, a thorough audit of each franchisee should be conducted at least once a year and should include a review of adherence to established access controls, encryption and password protocols, software updates, employee training, and the documentation of any security anomalies or incidents. Noncompliance (or the failure to cure any defects within a reasonable time) should prompt severe sanctions, including possible termination.
5. You can never be too prepared, but instituting and regularly testing a PCI-DSS Incident Response Plan would help reduce the fallout after a data breach occurs. When you do have a cyber intrusion, it is also a good idea to let your lawyers hire the outside forensic consultants so that the investigation remains confidential as attorney work product.
Franchisors go to great lengths to ensure the consistency of their brand across franchisees and locations, yet this diligence may not extend to information systems and cybersecurity. Fix that oversight and your system stands a better chance of weathering the storm when a data breach occurs.