Data Crises and Franchise Systems
Data issues transcend the legal niceties of which party is the franchisor, which parties are the franchisees, and who are the actors that actually lost the data.
We’ve heard all this BEFORE.
In 2014, it’s almost impossible to go a day without encountering a story about data. In recent months, there has been a steady stream of reports about significant data breaches at major retailers (with more to come). In 2013, one of the major global stories arose concerning Edward Snowden, involving – depending on one’s perspective – a massive theft of U.S. government data, a whistleblower, or both. And yet we live in a world where some people post their most intimate details, insignificant musings, photos, travel itineraries, a list of their family and friends, and even more personal data. Some may consider us to have already ceded more privacy than George Orwell predicted in his legendary (and now ancient) dystopian novel “Nineteen Eighty-Four.”
Protecting Consumers’ Data Privacy
Notwithstanding the voluntary sharing of personal details in social networking environments, the U.S. public has put pressure on the government to protect consumers’ data privacy. For several years, the largest category of complaints lodged with the Federal Trade Commission related to identity theft; it is no surprise that the FTC has been active in the field.
In the last year or so, the FTC acted against large online companies (e.g., Apple, Facebook, and Google) and several companies in the rent-to-own industry, initiated studies of “data brokers,” and continued its potentially landmark case against a hotel chain. In fact, the FTC’s Do Not Call Registry is “the most popular” government program ever, with more than 225 million active registrations as of Sept. 30, 2013.
Now, the U.S. Securities and Exchange Commission will also look into how financial companies defend against cyber-attacks. And, let’s not forget Congress, which is also getting into the game, as legislation is introduced not only to address the National Security Agency’s surveillance programs, but also to adopt national data security standards, similar to, if not broader than, those adopted in almost every state.
Beyond government action, the major credit card issuers (American Express, Discover, JCB International, MasterCard and Visa) have been very active by adopting and refining their PCI Data Security Standards, and in some cases, fining non-compliant businesses.
Data Breaches in a Franchise System
How do liability for data breaches and data ownership issues pan out in a franchise system?
To some extent, data issues transcend the legal niceties of which party is the franchisor, which parties are the franchisees and who are the actors that actually lost the data. A data breach inevitably becomes publicized, and for many companies, the publicity arising from a loss of consumers’ data can be catastrophic. In fact, the damage done by a data breach may be an existential threat to the ongoing viability of a franchise system, perhaps second only to foodborne illnesses where that is a consideration.
Where there is such potential damage to the brand and the system, careful and meticulous attention to detail is needed not only to protect consumers, but also for the benefit of all the franchisees in a system, as well as the franchisor. Because the network is only as strong as its weakest link, data gathering, use and storage present a “kumbaya moment,” where the franchisor and franchisees in a system all have the same interest.
In modern systems, franchisors and franchisees may share “personally identifiable information” about their customers in a variety of ways and examples abound. A one-way car rental means that the renter’s PII is provided to the renting location, the drop-off location and, of course, the franchisor as well. When an order is placed in one store to be delivered or serviced in another store, PII is exchanged. A guest checking into a hotel provides, or merely confirms, PII on the system-wide hotel reservation network.
Each party that collects, uses and stores data needs to do so carefully. Franchisors ought to consider adopting data policies for their systems so that all parties have common expectations, a plan for meeting those expectations and arrangements in place if something goes wrong.
That said, some franchise systems are already working in the right direction by updating their franchise agreements as needed. The issue of which party owns data collected at the store level is typically addressed by the contract terms of a franchise agreement.
In most up-to-date franchise agreements, the contract provides that transactional and consumer data is owned by the franchisor. However, some agreements do not address data ownership at all. In the context of those contracts, the parties (or the courts) are usually left to examine the circumstances to decide which party (or parties) might have a legitimate claim to ownership of the data, a position that might prompt a “dislike,” if that function were available on Facebook, for the following reasons.
Determining who owns the data can have significant implications for what can be done with the data, both during and after the term of the franchise agreement. For example, can a former franchisee continue to use PII after expiration or termination? Can the franchisor commercialize the data during and after the term and, if so, must it share the revenues with the franchisees?
Because this is an issue in which the franchisor and franchisees in a system typically have the same interest – in that there is a shared interest in careful and proper data collection, use and storage – a thoughtful and careful approach to contract terms is in the best interest of all parties concerned. Misuse of the data (e.g., by a rogue employee of a former franchisee) can create a nightmare for the brand. The franchisor needs to have the tools in its arsenal to take appropriate legal steps to stop misuse before it tarnishes the brand, to the detriment of the remaining franchisees, as well as the franchisor.
Up-to-date franchise agreements specifically address those issues. However, legacy agreements may also have clauses that can target data ownership and use issues. For example, customer lists are typically “confidential information” or a trade secret, and cannot be used for purposes outside the terms of the contract, such as operating competing businesses. Provisions relating to the operating manuals may allow a franchisor to clarify the rules applicable for the system including, for example, data use, management and storage policies. Provisions dealing with systems and services that the franchisor may introduce – coupled with a further assurances clause – may allow the franchisor to require the franchisees to enter into data-related agreements, such as third-party processing agreements or data management agreements.
Data ownership and responsibility for compliance with data privacy rules and best practices are critical to all within a franchise system. In an era of heightened sensitivity to data breaches, just as strong data compliance measures are needed on the ground, so too is strong contract drafting essential to protect the legitimate interests of franchisees, as well as the franchisor, in any franchise system.
Lee Plave, CFE, is a partner and Andrea Gregory is an associate at Plave Koch PLC of Reston, Va. Find them at fransocial.franchise.org.