I recently attended a very informative panel discussion at this year’s IFA Legal Symposium in Washington, D.C. earlier this month on addressing data security risks in franchise systems. The panel, consisting of two attorneys with Bank of America Merchant Services, provided some good tips and takeaways for franchise systems:

  1. Do tabletops.   Your franchise system should have a data response plan in place for various potential breach scenarios and practice the plan regularly by conducting tabletop exercises. The last thing you want an executive officer of your brand doing after a breach is googling “Is it illegal to secretly pay $100,000 in Bitcoin to a hacker?”

  2. Consider Standardization of POS Systems. While franchise systems may be reluctant to impose additional requirements for fear of vicarious liability claims, the potential exposure for data breach liability may outweigh those considerations. Engage a consultant to find weak spots in your system. Move away from the hodgepodge of various POS systems and require all franchisees to upgrade to current technology. Unless there is an overriding business need to maintain customer data, consider whether it is possible to have franchisees process data directly with the vendor instead of through the franchisor’s network. Consider advanced technologies like point-to-point encryption and tokenization.
  3. Wait to Register Domain Name. If there is a breach and the franchise system will design a site for customers to determine if data was compromised and obtain instructions on credit monitoring, then do not register a domain name too far ahead of the public release of the breach. It may be a tip-off to watchful third parties who may publicize the breach before you are ready.
  4. Collaborate Efforts. When a breach initially happens, it is not helpful to immediately point fingers. Coordinate your response efforts with the franchisees. Telling a franchisee it is their responsibility and not helping to mitigate damage and address the issues does not help the brand.

Franchise systems have a unique set of potential hurdles when it comes to data breaches but with good policies and practices, brands can reduce risk exposure to protect both the franchisor and franchisees.

Succession plans ask what will happen when the principal owner/operator is not available.


A succession plan may be coordinated with an estate plan, which contemplates dispositive transfers through sale, and other means. The disposition can also occur by wills and trusts, buy-sell agreements, augmented by life insurance and family partnerships. A valuation of the business is often a key element in any exit strategy, and the succession plan, estate plan and valuation should be coordinated. These issues need to be coordinated with any restrictions that may exist under a franchise agreement on sale or disposition. In addition, state law may invalidate or alter some of these restrictions. For these reasons, the succession planning probably should be coordinated with lawyers familiar with both franchise law and estate planning.

Confronting the Key Questions

  • How will the business continue if the operator unexpectedly exits, becomes incapacitated or dies?
  • Should the business be continued or liquidated in the unexpected exit of the operator?
  • Would it be better if the business were sold in a planned sale?
  • In the absence of the operator, who will be making these key decisions and should a team be established now?

All of these issues require business and tax planning by a team of professionals.

Make the Decisions.

For the next generation, will ownership be separate from management? If the business is transferred to the children, do they have the experience, skill and motivation to take over? If not, the compensation plan to retain key employees needs to be executed now.

Who will be on the succession team and trusted advisers? These specialists should include a franchise attorney, CPA or financial advisor, valuation specialist and a tax-savvy estate planning attorney. Judgment calls need to be made and the franchisee needs to be well informed.

As Benjamin Franklin said, “If you fail to plan, you are planning to fail.” Make your succession plan decisions early, and with good counsel, to maximize your goals.

Fox Rothschild LLP has deployed a new mobile app to assist companies, including franchisors, as they rush to comply with the European Union’s General Data Protection Regulation (GDPR) – a complex set of new data privacy rules with major implications for businesses.  The app – GDPR Check – helps businesses catalog their data management practices and policies to determine necessary steps to comply with GDPR when it takes effect in May.

“The pending implementation of GDPR will impact all companies that process or control the personal data of any EU citizen,” said Mark G. McCreary, chief privacy officer at Fox Rothschild and co-creator of GDPR Check. “Every business, regardless of where it is headquartered, will be responsible for complying with these sweeping new data privacy rules when collecting or processing Personal Data,” said Daniel L. Farris, co-chair of Fox’s Technology Group and co-creator of GDPR Check.

Even if a business does not collect personal data from EU citizens, the GDPR requirements apply to that business if it provides services to another business that must comply with GDPR.  Failure to comply with the regulations can result in fines of up to €20 million (approx. US$24.7 million) or 4 percent of global annual revenue in the prior year.

GDPR Check maps an organization’s data management practices in 17 areas that are key to determining compliance, including:

  • Types of data collected
  • Privacy policies (external and internal)
  • Consent
  • Data retention
  • Breach readiness

The app produces a report for each key area that a company can share with its attorneys and compliance team.

GDPR is intended to protect the rights of EU citizens to control the use of their personal data, including customer data such as birthdates, mailing addresses, IP addresses, product purchases and payment information, as well as supplier data, employee data and “sensitive data” such as health information, race, and sexual orientation.

This is the second app Fox Rothschild has launched in the data privacy space. The firm also maintains Data Breach 411, which provides easy access to applicable state statutes and breach notification rules to enable in-house counsel and compliance professionals, in the midst of a data breach crisis, to quickly identify controlling law and relevant guidance.

GDPR Check is available for free download in the Apple App Store and Google Play stores.

Restaurant operators and their financiers often need to predict the future. The operators, mostly from franchised brands, need to adapt to changing tastes and fashion. The financiers need to assess risk before making commitments or investments. Experts in these fields met together in November 2017 to test their assumptions.

Kevin Burke, Managing Director of Trinity Capital LLC, delivered a report in which he summarized the economy for restaurants as “As Good as it Gets.” The formal title was a very analytical “A Reversion to the Mean: What Happens When Industry Tailwinds End?” Burke’s basic conclusion is that things are great now, but the analytics show eventually the metrics will return to baseline, and this reversion to the mean predicts a slowdown of business and a tightening of credit.

You should in no way conclude that the credit punch bowl will be removed soon. Bankers are still enthusiastic about restaurants, and the chains are doing well. Current valuations of multiples of cash flow for mergers and acquisitions average near historical highs of 10.6, and growing franchisors have multiples of double that. Leverage is at near historical highs of 5.3. These are multiples not seen nor sustained since 2007. Private equity investment has slowed this year, and so have exits from their investments. Everyone looks fat and happy.

While there is still room for growth, current market conditions cannot last forever, and changes are coming via changing demographics. The discretionary spenders driving the restaurant renaissance are now the millennials. Millennials constitute the majority of the U.S. population. Their student loan debt is at all-time highs. Less than half of the millennials make as much or more than their parents at the same age. The maturity cycle of millennials will have profound effects on the economy.

Millennials dine-in on delivery, according to Andrew Charles, Senior Analyst, Cowen & Co. Millennials are driving 30% of restaurant industry sales growth based on their delivery predilections. The largest demographic with the most demand for delivery is the 18-34 year-old, living in a major metropolitan area earning in excess of $100,000.00. Demand for delivery is less frequent in the suburbs and mid-size metro areas among 35-44 year-olds earning over $50,000 a year. Demand for delivery is lowest among those in small metro areas or small cities over the age of 45 years old earning less than $50,000.00 per year. Delivery users clearly prioritize convenience and time over the specific restaurant’s food. Based on the data, Charles predicts that the better a restaurant can meet the delivery demands of its customers, the more delivery will drive sales.

Looking at the data alone, this would suggest that restaurants have a great opportunity to expand their business by catering to millennials and providing delivery. However, the world is not that simple. When looking at the buying habits of millennials, they are now saving for houses and having children. For the past two years their restaurant spending as a group has trended down, and is predicted to fall as they invest in housing and their families. This will put a cap on growth and an emphasis on catering more to the millennial lifestyle of automation, convenience, delivery, healthful choices, as well as “foodie” choices.

Expect new entries in the artisan breads, foods and pizza categories. The “better pizza” will follow the “better burger” trend, with state-of-the-art menu, delivery and payment systems. Expect menu changes in the casual dining sector to accommodate millennial tastes and the tastes of their children. Look for brands to tout their autonomous car, drone and other novel promises of delivery. Look for slumps in steak houses and casual dining as these brands need to adjust. Because of these trends, we are seeing a lot of activity in mergers and acquisitions by strategic buyers ready to upgrade the brands to be millennial-friendly.

The millennials are the future, and the rest of us are merely tenants.

 


The Trump administration is moving forward with an Obama-era initiative requiring certain food establishments to list calorie information on menus and menu boards, including food on display and self-service food. The FDA recently released new draft recommendations to help affected businesses comply with the menu labeling rule.

The rule implements the nutrition labeling provisions of the Patient Protection and Affordable Care Act of 2010, which are intended to give consumers direct, point-of-purchase access to nutritional information, including the calorie content of foods. When the rule was originally published, we blogged about its impact on restaurants and followed up with a report on the Small Entity Compliance Guide, which explains the rule’s requirements in a question/answer format.

The rule has met stiff opposition and enforcement has been delayed multiple times. Most recently, just four days shy of implementation, the deadline for compliance was extended to May 7, 2018. The extension was intended to give the FDA time to consider how to reduce the rule’s regulatory burden and increase flexibility, while providing consumers with nutritional information.

The FDA’s recent guidance is non-binding and addresses stakeholder concerns regarding implementation of the rule, including:

  • Clarifying calorie disclosure requirements for self-service food, including buffets and grab-and-go food;
  • Addressing the need for flexible methods to provide calorie disclosure information;
  • Explaining the criteria for distinguishing between menus and marketing materials;
  • Addressing how the FDA will assist covered establishments to comply with the rule, and how it will enforce compliance;
  • Expanding upon the “reasonable basis” standard that covered establishments must meet when disclosing nutritional information; and
  • Explaining the criteria for determining whether establishments (including franchises) and menu items are subject to the rule.

The FDA invites public comment on the draft guidelines through January 8, 2018.  We will continue to monitor developments and the rule’s effect on franchise systems.


Just four days shy of the enforcement deadline, the FDA extended the date for restaurants and similar retail food establishments to comply with its menu labeling rule. The rule was originally published on December 1, 2014 and requires certain food establishments to list calorie information on menus and menu boards, including food on display and self-service food (the “Rule”). Enforcement was delayed multiple times, and the Rule was slated to go into effect on May 5, 2017. On May 1, 2017, the FDA extended the compliance deadline to May 7, 2018.

The Rule implements the nutrition labeling provisions of the Patient Protection and Affordable Care Act of 2010, which is intended to give consumers direct, point-of-purchase access to nutritional information, including the calorie content of foods. When the Rule was published, we blogged about the Rule’s impact on restaurants and vending machines. We’ve also reported on topics covered in the FDA’s Small Entity Compliance Guide, which restates the Rule’s requirements in plain language in a helpful question/answer format.

Intense lobbying in the final days before the compliance deadline prompted the FDA to again extend the Rule’s implementation. In the meantime, the FDA will consider how to reduce the Rule’s regulatory burden or increase flexibility, while continuing to provide consumers with sufficient nutrition information to make informed choices. The FDA has requested comment over the next 60 days, specifically inviting feedback with respect to:

  1. Calorie disclosure for signage for self-service foods, including buffets and grab-and-go foods;
  2. Methods for providing calorie disclosure information other than on the menu itself, including how different kinds of retailers might use different methods; and
  3. Criteria for distinguishing between menus and other information presented to the consumer.

We will continue to monitor the Rule’s progress and its potential effect on franchisors and franchisees.

Ransomware is back in the news. Yet again, massive and not-so-massive corporate enterprises find themselves at risk of having their computer systems and records held hostage to internet raiders. And, in an added twist, this time systems are not necessarily unlocked even after the ransom is paid.


What can you do? The key is advance preventative measures. Over at Fox Rothschild’s Privacy Compliance and Data Security blog, we follow these issues regularly. There, we have noted that the United States Computer Emergency Readiness Team at the Department of Homeland Security has provided several recommendations for preventative measures individuals and organizations can take against ransomware attacks, including the following:

  • Have a data backup and recovery plan which can be tested regularly for all critical information;
  • Backups should be kept on separate storage devices;
  • Allow only specified programs to run on computers and web servers to prevent unapproved programs from running (known as application whitelisting);
  • Make use of patches to keep software and operating systems current with the latest updates;
  • Maintain current anti-virus software and scan all downloaded software from the internet prior to executing;
  • The “Least Privilege” principle should prevail – restrict users’ access to unnecessary software, systems, applications, and networks through the usage of permissions;
  • Preclude enabling macros from email attachments. Enabling macros allows embedded code to execute malware on the device. Organizations should have blocking software to cut off email messages with suspicious attachments; and last, but certainly not least
  • Do Not Click on unsolicited Web links in emails.

As usual, you should always report hacking or fraud incidents to the FBI’s Internet Crime Complaint Center (IC3).

In the case of the current attack, one of the ways it seems to be spreading is through the use of auto-updating software for an accountancy program. This method of transmission points out the critical importance of turning off “auto-update” self-executing software and scanning every download prior to installation.


Are you ready for the next frontier in ADA Access Litigation? We invite you to read Part 1 and Part 2 in a series of posts by Fox partner Dori K. Stibolt, regarding the new trend in ADA Title III litigation involving access to the internet for the visually impaired.

Many of these cases have focused on travel, hospitality, restaurant and service companies which necessarily include many companies in the franchise community.  Additionally, claims related to web access for the visually impaired* also implicate the self-serve kiosks which are rapidly becoming popular in many hospitality and service environments.

Become familiar with, and get in front of, this litigation trend so that you provide meaningful access to internet resources for all of your potential customers–and avoid costly litigation as a benefit.

*Self-serve kiosks should also be assessed for compliance with ADA’s 2010 Standards for Accessible Design which includes such issues as clear floor space, location of display screen, reach range of operable parts, etc.  


This past Friday, May 12th, ransomware known as WannaCry (also known as WannaCrypt or WCry) spread throughout the world, affecting more than 100,000 systems in 150 countries. Victims of the massive cyberattack included the NHS in the UK, cellular networks in Spain, universities in China and many other large organizations worldwide. For both franchisors and franchisees who are dependent on Windows systems, the attack highlights the significant risks and high costs associated with keeping cybersecurity on the back burner.

Fox partner Mark McCreary provided an update on the attack today on the firm’s Privacy Compliance and Data Security blog, and reflected on its impact after addressing client concerns on Friday and over the weekend.

 

 


Over two years ago, on December 1, 2014, the U.S. Food and Drug Administration (“FDA”) published a food labeling rule requiring “chain” restaurants and similar retail food establishments to list calorie information on menus and menu boards, including food on display and self-service food (the “Rule”). On May 5, 2017, the FDA will begin enforcing the Rule. Businesses covered by the Rule must be in compliance by May 5, 2017.

The Rule implements the nutrition labeling provisions of the Patient Protection and Affordable Care Act of 2010, which is intended to give consumers direct, point-of-purchase access to nutritional information, including the calorie content of foods. When the Rule was published, we blogged about the Rule’s impact on restaurants and vending machines.

Who does the Rule apply to?

The Rule applies to any chain and franchised food business which meets the following criteria:

  1. It is part of a system with 20 or more locations;
  2. All of the restaurants or food establishments in the chain do business under the same name; and
  3. All of the restaurants in the chain offer for sale substantially the same restaurant-type food menu items.

What must covered businesses do?

Covered businesses are required to determine and disclose to consumers the nutritional content of the food they serve, including by:

  1. Disclosing calorie information on menus and menu boards for standard menu items;
  2. Posting a succinct statement concerning suggested daily caloric intake on menus and menu boards; and
  3. Posting on menus and menu boards a statement that written nutrition information is available upon request.

The Rule was originally slated to come online on December 1, 2015. In response to multiple requests from stakeholders to give businesses more time to comply, the FDA extended the compliance deadline until December 1, 2016. However, per applicable law, the Rule could not be enforced until one year after the FDA published a Level 1 guidance with respect to nutrition labeling of standard menu items. The FDA did so on May 5, 2016, extending the enforcement deadline until May 5, 2017. Recently, the FDA made clear that May 5, 2017 was the deadline for both compliance and enforcement.

In addition to the Rule itself, food establishments affected by the Rule should review the FDA’s Small Entity Compliance Guide, which restates the Rule’s requirements in plain language. The Guide is organized in a question/answer format. We’ve previously blogged in detail on the Guide, which includes information on multiple topics, including:

  • What establishments the Rule does and does not cover;
  • What types of food the Rule does and does not cover;
  • How to label menus and other displays with nutritional information; and
  • How to determine nutritional content of foods, including how to substantiate menu labels to the FDA.

Additional industry guidance is also available at the FDA’s website.

The Rule is highly detailed and includes requirements for restaurants to substantiate their nutritional information claims and clarifies how the Rule will be enforced. Experienced counsel can help businesses understand whether they are affected and, if so, how best to satisfy the new standards.