Cyber liability poses some unique questions for franchise organizations. Often after a data breach, any well-known retail brand name might lick their wounds, learn a lesson or two, release the specifics around the compromised data, and move on.
An interesting wrinkle arises when you factor the nature of the relationship between the franchisees and the central corporate entity. The franchisees, in most cases, are independent business owners who pay for the privilege of using the Corporate brand and supporting services. When a breach occurs, the affected owners could take a substantial hit to their wallets in the form of lost income, lost wages, spoiled food and other costs, and might look to the corporate “mothership” to make them whole again.
These sort of liability questions might lead the franchisees to take legal action that could significantly impact the potential financial payouts. This situation highlights the fact that franchise organizations have a unique set of challenges when it comes to cyber threats.
The Downside of Franchisor/Franchisee Interdependence
Franchisors and franchisees have an interesting interdependent relationship because while they are different companies, they share entangled domains of trust and risk. Each relies on the other to do its part to protect information and information systems, but many times the incentives aren’t aligned to position both for success. Some of the factors contributing to this poor alignment include
• The franchisee is often a small individual business that doesn’t have the resources to adequately defend itself when threats arise.
• The franchisor typically avoids getting involved in the specifics of how a franchisee operates because the franchisee is an independent and separate organization and the franchisor isn’t structured for this level of micro-management. After all, the entire model behind a franchise- based enterprise is to allow the business to grow organically by taking advantage of the capital and sweat equity of each franchisee.
• The franchisee operates a local network that depends on services provided by the franchisor. Sometimes the networks share technical access to each other, which can be exploited by attackers to move laterally across networks.
• In many situations, franchisees will share a third-party resource for IT management. Even though franchises are operated independently, shared administration creates a logical broad domain of trust that can be leveraged to launch attacks which hit all independent franchises simultaneously.
Naturally, attackers are aware of all this and it’s not uncommon for them to target individual franchise locations in order to pivot to others or gain access to the broader franchisor network. Alternatively, they may target third-party service providers in order to hit large numbers of franchises at scale. When this happens, complicated questions of liability arise.
• What obligations do individual stores have to protect themselves and each other from cyber threats?
• What role does the franchisor play?
• What’s the appropriate level of security when defending against sophisticated attackers and
what penalties should be assessed when those defenses aren’t up to the task?
• When defenses fail, who is responsible for reporting the breach to consumers?
Regulators are Taking a New Approach
Regulators are shifting the way they view the franchisor/franchisee organizational relationship, even though these are independent operations. When the consumer walks in the front door and swipes his credit card, he’s placing his trust in the logo on the outside of the building, not in the unseen entity whose name is on the local lease.
In 2015, Wyndham Hotels and Resorts settled a lawsuit launched by the U.S. Federal Trade Commission after a data breach at a single franchise hotel in Phoenix raised questions concerning Wyndham’s responsibility to protect consumer data across its 8,000 independent hotels around the globe. As part of its settlement, Wyndham agreed to launch a comprehensive information security program for franchisees, including conducting annual audits.
In 2018, an attack on Canada’s Tim Hortons added a new twist. Most often, when security breaches associated with a retail brand hit the news, it’s because of the impact on consumers. However, the Tim Hortons incident involves direct B2B liability with quantifiable financial damages. This case could set an important precedent and should put all franchisors on notice that keeping their franchisees at an arm’s length can lead them to ignore key risks they should be addressing — for instance, the fact that the franchise business model exposes a complex and extensive attack surface. It’s time for franchisors and franchisees to sit down together and ensure that all franchise defenses are up to the challenge of today’s most sophisticated, targeted threats. It’s also time the insurance industry step up with new products that address these new complicated risks for all parties.