Privacy, Data, Security and PCI Compliance — Roles of the Franchisor and Franchisee
The risks and costs are great.
By Len MacPhee
The risk of a data breach is a major issue for retail businesses. The instances of breach by hackers and others, such as former employees, are prevalent and on the rise. And the direct and indirect harm can be substantial. Theft of customer data, as well as confidential and proprietary data, can be devastating to a business and lethal to a brand.
The reputational harm and public relations cost to a brand in the event of a breach resulting in loss or compromise of customer information has had serious negative consequences for multiple brands. And apart from reputational harm, the direct economic impact of a breach, which may include liability to customers, defense of regulatory enforcement actions, costs associated with notification requirements, fines and penalties, can be devastating.
For example, the Federal Trade Commission, as a federal regulator for privacy and data security, initiates investigations and brings enforcement actions against companies it perceives to have ineffective security practices related to collection and use of customer information. The costs of defending an investigation and action can be significant, and the FTC may impose substantial penalties and fines. Furthermore, most states have enacted laws mandating companies bear the often substantial cost of notifying affected cardholders and state attorneys general in the event of a data security breach. Customers, as victims of a data breach, may also assert claims, which may be costly to defend and result in liability.
The Payment Card Industry Data Security Standard, compliance with which is commonly called “PCI compliance,” is another example of costs associated with customer data. It is a set of requirements developed to encourage and enhance data security for credit, debit and pre-paid cards. All companies that accept payment cards are contractually obligated to comply with these standards, which establish the minimum threshold for protecting cardholder data. Companies that are not compliant could face substantial liability. If customer cardholder data is breached, a non-compliant company could be liable for significant fines and penalties, the cost of reissuing new payment cards, fraud losses and legal costs. The card associations may also ban a company from accepting payment cards altogether. Thus, investing in the time and cost of data security and PCI compliance is critical for all retail businesses.
Franchisors Should Ensure Compliance Across the Brand and Provide Assistance
The risks and concerns for a brand with a franchise system present added challenges and issues. While the brand faces the negative impact across the entire system for a data breach at a specific location, the franchisee, as a smaller business, may find it difficult to make the necessary investments and keep up with all the requirements, laws, contractual obligations and best practices. And the FTC and customers are pursuing franchisors for franchisee breaches or inadequate security practices with increasing frequency.
Many franchisors have been hesitant to implement specific requirements or even provide franchisees with significant guidance on data security and PCI compliance. They are concerned that doing so would increase the risk of a liability finding if a data breach occurred even though the franchisee is a separate legal entity such that a franchisor should not be held liable for the franchisee’s actions. Generally, the greater the participation, control or involvement by a franchisor with respect to acts or practices of the franchisee, the greater the risk of a finding that the franchisor is liable for those acts. The risk applies to actions by customers and regulators. If a franchisor establishes required practices and provides the tools or methods or significant support to its franchisees to prevent data breaches, franchisors may be concerned that they will be exposed to an increased risk of liability if, for example, the tools or methods fail.
However, in the case of data security and PCI compliance, there are several countervailing reasons why franchisors need to be involved. First, to protect the brand: consumers may not distinguish between independently owned franchises and the brand, so a data breach at one location can have a detrimental impact across the entire brand. Second, many franchise systems use an interconnected computer network to varying degrees, allowing sophisticated hackers to expand the target upon entry at one location; one franchisee can be the weak link that allows a breach to occur across the network. Third, with respect to regulators and some claims for vicarious liability, a franchisor’s implementation of policies and requirements for data security may provide a defense. Fourth, through monitoring and auditing, the franchisor can mitigate some risk. Fifth, the parties can allocate the respective responsibilities for achieving and maintaining PCI compliance and provide other protections in the franchise agreements. The bottom line is that the risk to the brand of liability to third parties and the government suggests that franchisors should be ensuring franchisees are PCI compliant and are undertaking adequate data security protection measures.
Approaches to Ensuring and Assisting Compliance
There are various approaches to ensuring and assisting franchisees’ PCI compliance and data security measures. The approaches typically involve setting up procedures and systems, requiring compliance with them, training and educating franchisees, and providing access to resources or requiring use of certain equipment and systems, for example, upgraded point-of-sale systems. Many franchise systems require participation in an approved vendor program: the franchisor approves, and may even contract with, a PCI compliance and security vendor that the franchisees use. The best approach for a specific brand should take into consideration the terms of the existing franchise agreements and the franchisor’s operating manuals, including the ability to update operational and other practices through the operating manuals.
Most franchise agreements have terms providing authority to establish and require compliance with operational and other standards. For example, most agreements contain broad provisions requiring compliance by franchisees with applicable law and compliance with standards and specifications as prescribed by the franchisor. Many agreements also incorporate an operations manual and provide that the manual may be changed to add operational requirements. The contracts should also include reporting obligations and audit rights to the franchisor to ensure compliance. Further, many franchise agreements contain provisions giving the franchisor the right to require franchisees to purchase equipment prescribed by the franchisor or a designated vendor or participate in a vendor sponsored program. As noted above, using the franchise agreement to clearly allocate the responsibilities for achieving and maintaining PCI compliance is wise as well. Further, provisions regarding insurance and indemnification may address related issues.
Franchisors are in the best position to protect the brand and should establish necessary and proper policies for PCI compliance and processes and procedures for the collection, use and security maintenance of all data. Franchisors should address the issue in their contracts and manuals. Franchisors may also provide information, education and training with regular updates to ensure franchisees’ awareness and knowledge of procedures for PCI compliance, and ensure compliance through reporting and auditing. Franchisors should also consider the use of approved or mandated third-party providers.
Len MacPhee is a partner at Perkins Coie LLP. Find him at fransocial.franchise.org.