An ounce of prevention is worth much more than a pound of cure when it comes to cyber security for franchise systems.
St. Louis, Missouri (PRWEB) January 21, 2015
Franchisors and their franchisees collect, maintain and share a tremendous amount of customer information. As franchising expands from hamburgers to insurance to massage to medical care, the types of information collected, maintained and shared by and between franchisors and franchisees, and the computer hardware and software they use, also expand. Requirements, laws and regulations which govern the security of this information range from the Payment Card Industry Data Security Standards (i.e., requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment for such information) to the Health Insurance Portability and Accountability Act of 1996 or "HIPAA" (which generally protects health information) to the Gramm-Leach-Bliley Act (which applies to companies which provide financial products or services to individuals, like loans, financial or investment advice or insurance), to many varied State and other laws and regulations (e.g., State cyber security laws which protect, to one degree or another, a wide array of sensitive information). While franchising and its players have expanded rapidly, the methods and players involved in hacking and illegally using data have expanded even more rapidly. While the laws related to data security and data breaches have tried to keep up with the growth and methods by which those breaches occur, franchisors and franchisees (who many times are completely unaware of the laws and requirements that they are supposed to comply with, and at other times are just trying to make money in a still shaky economy) are, generally, lagging way behind in the compliance, policies, procedures, safeguards and insurance needed to keep their customers' data safe in the first place and to keep themselves and their customers out of harm's way.
"The penalties and damages related to a data breach can be extremely high," says Eric Riess, a franchise consultant, CPA and attorney with Greensfelder in St. Louis and a co-founder of the Franchise Brokers Association in Orlando. "Statutory damages, attorney's fees, costs of notice, costs of PR firms, restitution, financial institution indemnification and customer indemnification are just some of the types of damages that a franchisee and its franchisor can be responsible for in connection with a data breach," Riess adds. "To add to the misery, many times, the various laws consider each independent customer's stolen or improperly shared information to constitute an independent data breach, increasing exponentially the penalties associated with what would be considered by an average person as a single data breach," says Marilyn Nathanson, a partner of Riess who works closely with him to protect the interests of franchisors, franchisees and their customers. According to Riess, many franchisors and their franchisees don't even know that their commercial liability insurance policies specifically exclude cyber security coverage and are not looking into how to obtain such coverage or requiring their franchisees, pursuant to either their franchise agreements or operations manuals, to obtain that coverage.
The cyber security program that Riess and Nathanson have developed starts by mapping the data of a franchise system (e.g., What information is stored? Who has access to it? Is it essential to operations?). The next step in the program is to determine what regulations, requirements and statutes apply to the franchised system and to the data discovered and identified through the mapping. Third, Riess and Nathanson's data team reviews all data security and privacy policies that exist within the franchise system, modifies them to comply with the laws, regulations and requirements identified in the second step, and creates them where they do not exist. Privacy statements are next reviewed, modified and created. Insurance review and negotiation is the next step. "Just because the damages related to a data breach can be high doesn't mean you can't obtain affordable cyber security policies if you know the right people to ask," Riess advises. As the sixth step, Riess and Nathanson's team reviews, modifies and drafts agreements with third parties who, or whose systems, may have access to data (e.g., point of sale software vendors), as well as the relevant sections of the franchise disclosure document, franchise agreement and operations manual, to ensure proper protections. Finally, the team helps create incident response plans so that if a data breach does occur, the franchisor and its franchisees know which steps to take in a logical and methodical manner.
"When a data breach occurs, panic can set in for all persons involved," Riess states. That's why the data breach team developed by Riess and Nathanson has also developed a rapid response approach to help franchisors and their franchisees get control over a data breach when it occurs. "It's critical that we take strategic and logical steps to comply with all laws and mitigate damages to all persons involved while, at the same time, control our reactions, public statements, the media and costs related to the breach," Riess added.
Since it is now renewal time for franchisors and their franchise disclosure documents, it is also a perfect time for them to assess and mitigate their exposure to data breach issues. "I understand that franchisors are hesitant to seek proactive cyber security protection as a result of its anticipated cost," Riess explains. "But franchisors need to understand that an ounce of prevention is worth much more than a pound of cure when it comes to data breaches and cyber security," Riess adds. Franchisors and franchisees alike may be shocked to find how relatively easy some fixes and protections can be. The simple requirement of data encryption, for example, can save an entire franchise system from being destroyed by a data breach.