Data security: A field guide for franchisors

The technology networks that franchisors use to collect and transmit business data (e.g., sales tracking, royalty payments, customer credit card information) are only as secure as their weakest link. And in franchising, that weak link may be a single franchisee that hasn’t invested the time and money necessary to ensure its computer systems are protected against attacks from increasingly sophisticated hackers.

“Many franchisees are operating on razor-thin margins and may be more concerned with keeping the lights on and other practical operational matters,” says Johnny Lee, managing director at Grant Thornton LLP’s Forensic, Investigative and Dispute Services practice, and a leader of the Forensics Technology Services practice. But the reality is “if you are a franchisee of a known brand, you’re a target.”

Customers simply don’t draw a distinction between the brand and franchisee ownership — and, generally speaking, you don’t want them to. What may follow when a data breach occurs — negative press reports, loss of business, penalties and even class-action lawsuits — makes the question of who is responsible for the information collected and stored through a franchised business essentially a moot point.
The costs of a breach
When there is evidence of a compromise of personal data held by companies — whether customers' credit card data or other personal details or business intelligence — franchisors and their franchisee partners can take several investigative steps. They may hire data security experts to perform forensic audits to detect whether and how a breach occurred, and they should consider retaining counsel to advise them on their legal and communication strategies.

Penalties. As a condition of accepting credit card payments, there are disclosure obligations to notify credit card companies and customers of a potential breach within a specific time frame, which varies depending on the jurisdiction in which the breach occurs. Failure to do so can result in significant penalties. In addition, nearly every state has a law requiring companies to report data breaches to the affected parties, and franchisors may have to scramble to comply with differing laws in the states in which their franchisees operate.

Class-action lawsuits and regulatory action. Data breaches also make franchisors vulnerable to class-action lawsuits from consumers. Such lawsuits are on the rise, and there are some notable examples in the franchising sector. The Federal Trade Commission (FTC), acting in its capacity as a regulator for privacy and data security, can also bring actions against companies it deems to have ineffective security practices.

In 2012 the FTC filed suit against Wyndham Hotels for failing to maintain the security of the computer system it required franchisees to use to store customers’ personal information — leading to three data breaches in less than two years, resulting in fraudulent charges on customers’ accounts and the export of hundreds of thousands of consumers’ credit card information to an Internet domain address registered in Russia.1 That case is still pending.

Securing card information
Given the high costs of breaches, franchisors need to have some oversight of data security at all of their franchises. In particular, they must help them comply with the Payment Card Industry Data Security Standard (PCI DSS). Meeting PCI DSS terms is not easy. They are updated every three years in an effort to keep up with the ever-changing nature of security threats.

A 2008 report from Visa USA Inc. provides useful guidance on minimizing data compromises in the franchise sector. Among the company’s recommendations, franchisors should not retain payment card data, such as magnetic-stripe or personal identification number data.

Franchisors should also verify the security procedures of vendors handling maintenance of the point-of-sale systems, management of firewalls, and the hosting of websites. This is critical to ensuring that such service providers — defined by the PCI DSS standards as any company that stores, processes, or transmits cardholder data on your behalf — fully understand the nuances of your operations and are therefore able to protect your data. “From what we see in audits, this understanding of third-party risk is often not the case at all,” Lee says. “The reasons for this are neither sinister nor negligent, necessarily. It’s just that everyone is trying to cover themselves with a fig leaf that’s not quite big enough to address the significant risks involved.”

Indeed, this is illustrated by the new PCI DSS standards, effective January 2015, which attempt to address this issue in response to a growing number of examples uncovered by credit card companies in which there was a lack of clarity between the merchant and the service provider as to which PCI DSS requirements were being covered by which parties (franchisors, franchisees or their vendors) and what their different roles and responsibilities were.

“There were cases where one thought the other was addressing a certain requirement or risk when in reality it was falling through the cracks. PCI standards now say you have to have clearly delineated roles and responsibilities with service providers. That needs to be done upfront before the contract is signed,” says Brian Browne, managing director in Grant Thornton’s East region Business Advisory Services practice.

Visa also recommends that franchisors implement network security guidelines. This may include requiring franchisees to maintain firewall logs for 60 days to create an audit trail, which helps identify suspicious activity that can then be used to facilitate forensic investigations.

Franchisors are also advised to ensure that remote management applications used to download business information, poll sales and survey inventory are secure from hackers. Some of these applications come with default or blank passwords. For protection, it is important to create unique user IDs and complex passwords, which ideally would be unique to each franchise location.

New PCI DSS requirements include guarding against physical modifications to swipe machines, introduced by thieves to enable them to surreptitiously copy credit and debit card information. To prevent this, stores with point-of-sale machines must check them regularly, a function that cannot be outsourced. Employees need to know how to do it themselves.

5 key cybersecurity best practices
Securing credit card information is just one of many important protective measures. Franchisors should also:

1. Establish policies and procedures for how franchisees’ employees connect to the Internet and what they do there. “A lot of malware comes in from employees surfing the web,” says Matt Thompson, Grant Thornton’s managing director of Business Advisory Services and leader of the information technology audit practice in the Southeast region. This can be particularly challenging because of the high rates of employee turnover in food and beverage companies.

Turnover presents other problems as well. Disgruntled employees may learn passwords and business practices that make a company vulnerable. This is one of the reasons background checks are recommended, as are policies that passwords be changed with some regularity. The high degree of turnover makes frequent training of employees in best practices for data security essential, too. “It’s these folks who handle the data and often they have no real appreciation for the value and the risk potential of the private information they may be handling,” Lee says.

2. Encrypt personal data, redact where possible and institute good data maintenance. Some franchisees have gotten into trouble through social media marketing campaigns or loyalty programs that gather consumers' personal information. For example, in 2010, a class action lawsuit was filed against Papa John’s International, as well as some of its franchisees, by plaintiffs who alleged they received text messages that they hadn’t consented to receive. The franchisor had to pay $16.5 million in damages.2

To protect their customers' privacy, companies need to know what personal information they collect — e.g., names, email addresses and IP addresses — and follow five key principles set out by the FTC3:
  1. Take stock of the data
  2. Keep only what you need
  3. Lock it down
  4. Dispose of what you no longer need
  5. Plan ahead to respond to security incidents

And it's not just customer data; franchises also need to protect personal and financial data gathered from employees, contractors or vendors.

3. Invest in intrusion-detection software, which monitors networks for suspicious activity, and bolster your incident-response planning. Experts recommend having an incident plan in place before a breach occurs, so that it's clear which law enforcement agencies and other parties need to be notified and which outside counsel and forensic investigators will be called on for help. Franchisors should conduct immediate investigations when there may have been a breach, and fully document the process. It is also crucial that they require their franchisees to comply with notification and general policy laws as part of their business agreement.

4. Hire consultants to test your systems for vulnerabilities. Consultants do this by thinking like hackers and using the same tools — including automated systems that try out default passwords — to get in. “Normally companies will fix the majority of the passwords, but might not inventory all of them, which allows hackers to break in,” Thompson says.

5. Continually enforce policies. It's not enough to have an airtight policy if the policy isn’t exercised in a consistent manner. “There must be zero daylight between policies and practice, and employers must monitor for this to have any semblance of assurance,” Lee says.

Extra steps
Franchisors may also want to consider insurance, but must read the fine print of these policies, because pre-existing breaches — even ones a company was unaware of — can invalidate the insurance. “If your policy says effective Jan. 15 and your breach began last summer, there may be no coverage,” Lee says. “You have to pay careful attention to the exclusions in your policy, and counsel should be involved in spotting those important nuances.”

To educate themselves about new risks, franchisors may want to review the Verizon Data Breach Investigations Report, published each year, which details the types of data breaches that have occurred in the previous year, Browne says.

New tools may help
In the end, franchisors must make data security and privacy part of the way they do business — educating themselves about the risks and taking proactive steps to guard against them, as much as possible. Simply put, “Businesses need to get to the point where they recognize that good privacy practices are good business,” Lee says. That said, there are some emerging technologies that may help, including point-to-point encryption and tokenization, a process that substitutes a sensitive piece of information with a unique symbol or symbols (known as tokens), so that the systems holding the tokens never need to hold the sensitive value itself.
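As an added illustration of the tokenization approach just described (example code written for this page, not a Grant Thornton or card-network product): a minimal token vault that validates a card number, hands out a random token that cannot be reversed without the vault, and returns the same token for the same card so reports still reconcile. The token format (a "tok_" prefix, random hex, and the last four digits) and the use of the well-known 4111 1111 1111 1111 test card number are assumptions made for the example.

```python
import secrets
import threading


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to reject malformed card numbers before they reach the vault."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps card numbers (PANs) to random tokens. Only this vault holds real PANs;
    every other system (POS reports, royalty feeds, loyalty database) sees tokens."""

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}
        self._lock = threading.Lock()

    def tokenize(self, pan: str) -> str:
        digits = pan.replace(" ", "").replace("-", "")
        if not digits.isdigit() or not 13 <= len(digits) <= 19 or not luhn_ok(digits):
            raise ValueError("not a well-formed card number")
        with self._lock:
            existing = self._pan_to_token.get(digits)
            if existing is not None:        # same card always yields the same token
                return existing
            while True:
                # Assumed token format: random hex (not derived from the PAN, so it cannot
                # be reversed outside the vault) plus the last four digits for receipts.
                token = f"tok_{secrets.token_hex(12)}_{digits[-4:]}"
                if token not in self._token_to_pan:
                    break
            self._pan_to_token[digits] = token
            self._token_to_pan[token] = digits
            return token

    def detokenize(self, token: str) -> str:
        """Only the payment path should call this; it is the one place a PAN comes back out."""
        with self._lock:
            return self._token_to_pan[token]   # KeyError for unknown or forged tokens

    def last_four(self, token: str) -> str:
        """What a report or receipt may show without ever touching the PAN."""
        return token.rsplit("_", 1)[-1]
```

Because the token is random rather than encrypted, a leaked reporting database exposes nothing about the card numbers; the vault itself is the component that must sit inside PCI DSS scope.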

While these new tools may help, there is no substitute for vigilance. “Information Security professionals try not to capitalize on fear, uncertainty and doubt, but there are some very sophisticated actors out there. A lot of them have compromised systems without leaving any breadcrumbs, and they are still in these systems today. While this can be a truly daunting arena, companies need to act now and act boldly to be on a less reactive footing here,” Lee says.

1See for details.
2See for details.
3See for details.