Cybersecurity: Franchisors and Franchisees Beware

25 August, 2022

Franchisors and franchisees should collaborate and coordinate their online activities to provide for security and control over the franchise's valuable proprietary commercial and consumer data.

By: Marc Lieberstein and Raymond Aghaian

Almost a year ago this column wrote about privacy and franchising and discussed the various ways franchisors and franchisees needed to step up their compliance with several state laws enacted to protect consumer privacy data. Increasingly, you are hearing about security breaches, data leaks and other kinds of data theft in the franchise world. This is because franchise systems frequently operate as a connected mass of franchisees, all of whom collect, store and transmit a diverse array of consumer and personal data to the franchisor. In other words, franchisors and franchisees make an easy target for cyber theft.

In December 2018, Cybint News reported that “[43%] of cyberattacks target small business. 64% of companies have experienced web-based attacks. 62% experienced phishing & social engineering attacks. 59% of companies experienced malicious code and botnets and 51% experienced denial of service attacks.” Cybersecurity: A Global Priority and Career Opportunity (ung.edu). And whether you are a large or small franchisor, it could cost a lot of money to remedy the breach or satisfy any breach claims. IBM reports that it takes an average of 280 days to identify and contain a data breach, and that the “data breach average cost increased 2.6% from USD 4.24 million in 2021 to USD 4.35 million in 2022. The average cost has climbed 12.7% from USD 3.86 million in the 2020 report.” Cost of a Data Breach Report 2022 | IBM.

The 2016 data breach at Wendy’s provides a good reason for franchisors to take cybersecurity seriously and to act on it sooner rather than later. In the Wendy’s case, hackers gained access to some of Wendy’s third-party vendor credentials and used them to reach the franchisor system containing sensitive customer information, including names, credit/debit card data, and other personally identifiable information. Using a RAM-scraping malware program, the hackers infected the systems of over 1,000 franchise-owned restaurants. Wendy’s eventually settled the matter for over $53 million.

So, what are the potential cybersecurity threats franchise systems are facing currently? One threat is database hacking, where hackers get into a company’s records, access confidential/proprietary information, and then demand an extortion payment from the company or otherwise seek to expose the company’s failures in the marketplace. Statistics show that recently there has been a massive rise in such database hacking. And it’s not just the franchise POS system that is open to attack: the franchise intranet, email systems, and supply chain networks are all fair game for the hackers. In many instances, once hackers have access to the email system, in addition to gaining confidential and even trade secret related information, they often carry out a man-in-the-middle attack, in which the perpetrator positions himself between a user and an application, intercepts the conversation, and directs the unwitting user to wire funds to an account other than the one the user intended.

If franchisors and franchisees do not have good data protection and security policies and procedures, as well as good security software, hackers can attack the network and find weak spots to exploit in the company’s security and software systems. Malware, including viruses, is frequently used by hackers for this purpose, and it works to slow down and/or stop software from functioning. Viruses can also be used to destroy files or databases. A ransom is usually demanded for removing the malware and getting your systems back up and running. Franchisors must keep their cybersecurity software, including malware and virus detection systems, up to date. And they, along with their franchisees and employees, must be constantly reminded to be on the lookout for suspicious emails from unknown sources, as both malware and virus attacks are frequently delivered via email. Indeed, phishing emails are often used to release malware or viruses onto an unsuspecting network or database. In this phishing scenario the hackers assume the identity of a legitimate person or company and then prompt the recipient to click a link, which enables the download of the malware/virus software onto the network.

Another weak link in the franchise cybersecurity chain is passwords. Franchise officers and employees, as well as their vendors/suppliers, may enter their login credentials into a fraudulent website, or passwords may simply be stolen outright from vulnerable database accounts. To avoid these password issues, franchisors, franchisees and their respective employees and third-party suppliers should use password management systems that allow for frequent changing of passwords and that generate more random passwords with a wider variety of characters, producing stronger passwords.
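As an added illustration of what “more random passwords with a wider variety of characters” means in practice, the following Python script (example code written for this page, not from the authors or any product they mention) generates passwords from a cryptographically secure source and scores candidates against a simple policy. The length and entropy thresholds and the tiny blocklist are hypothetical values chosen for the example; a real deployment would tune them and use a much larger breached-password list.

```python
import math
import secrets
import string

# Hypothetical policy thresholds for this example (not taken from the article).
MIN_LENGTH = 14
MIN_ENTROPY_BITS = 60.0

# Constructed, deliberately tiny blocklist of words that must not appear in a password.
BLOCKLIST = {"password", "123456", "franchise", "welcome"}


def charset_size(password: str) -> int:
    """Size of the character pool the password appears to draw from."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII symbols
    return size


def estimated_entropy_bits(password: str) -> float:
    """Upper-bound entropy, assuming each character was drawn uniformly
    from the inferred pool. Human-chosen patterns score lower in reality,
    which is why the blocklist check below exists as well."""
    size = charset_size(password)
    if not password or size == 0:
        return 0.0
    return len(password) * math.log2(size)


def check_policy(password: str) -> dict:
    """Return a verdict and the reasons a password fails, if any."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    bits = estimated_entropy_bits(password)
    if bits < MIN_ENTROPY_BITS:
        reasons.append(f"estimated entropy {bits:.1f} bits below {MIN_ENTROPY_BITS}")
    lowered = password.lower()
    if any(word in lowered for word in BLOCKLIST):
        reasons.append("contains a blocklisted word")
    return {"ok": not reasons, "length": len(password),
            "entropy_bits": round(bits, 1), "reasons": reasons}


def generate_password(length: int = 20) -> str:
    """Draw each character uniformly from letters, digits and symbols using
    the secrets module (CSPRNG), never random.random()."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # A 20-character draw from this pool always clears the thresholds;
        # the check guards against future policy changes.
        if check_policy(candidate)["ok"]:
            return candidate


if __name__ == "__main__":
    for sample in ("wendys2016", "Password123!", generate_password()):
        print(repr(sample), check_policy(sample))
```

Running the script shows that a short, patterned password such as `wendys2016` fails on both length and entropy, a symbol-laden but dictionary-based one such as `Password123!` fails on length and the blocklist, and a generated 20-character password passes; the entropy figure makes concrete why length and pool size matter more than sprinkling in a single symbol.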

On the legal side of the cybersecurity equation, franchisors should take care to implement strong cybersecurity policies and procedures not only for their own operation and employees, but also to mandate such procedures for the franchisee and its employees. The question then arises whether franchise agreements go far enough in mandating cybersecurity protocols that must be implemented by the franchisee and enforced and monitored by the franchisor and/or franchisee. While franchisors must walk a careful line not to assert too much control over their franchisees’ activities, so as to avoid employee misclassification claims, the franchise agreement obligations should be stated expressly in any franchise agreement and disclosed in the franchise disclosure document, as usually there are fees associated with software installation, training and compliance. At a minimum, the franchise agreements should expressly set a “floor” for security standards by mandating “reasonable security” practices as required by various federal and state laws. Franchisors should consider creating a team of people dedicated to cybersecurity to manage data protection, monitor for compliance, and detect vulnerabilities before breaches happen or early on in any breach event. Franchisees should be required and encouraged to adopt similar cybersecurity protocols of their own in operating their franchises. And at both the franchisor and franchisee levels, data breach and remediation policies and procedures should be developed and in place for when, and if, a cybersecurity breach happens. For example, there should be mandatory reporting provisions for breaches or security incidents; mandatory cooperation provisions between the parties in the event of a breach and its remediation; and mandatory provisions about who controls the breach response and any publicity in the event of a breach.

Cybersecurity issues in franchising are not going away. Indeed, one can likely expect to hear about more breaches in the future. Franchisors and franchisees should collaborate and coordinate their online activities to provide for security and control over the franchise's valuable proprietary commercial and consumer data.

Marc Lieberstein and Raymond Aghaian are partners at Kilpatrick.