I recently attended a very informative panel discussion at this year’s IFA Legal Symposium in Washington D.C. earlier this month on addressing data security risks in franchise systems. The panel, consisting of two attorneys with Bank of America Merchant Services, provided some good tips and takeaways for franchise systems:

  1. Do tabletops.   Your franchise system should have a data response plan in place for various potential breach scenarios and practice the plan regularly by conducting tabletop exercises. The last thing you want an executive officer of your brand doing after a breach is googling “Is it illegal to secretly pay $100,000 in Bitcoin to a hacker?”

  2. Consider Standardization of POS Systems. While franchise systems may be reluctant to impose additional requirements for fear of vicarious liability claims, the potential exposure for data breach liability may outweigh those considerations. Engage a consultant to find weak spots in your system. Move away from the hodgepodge of various POS Systems and require all franchisees to upgrade to current technology. Unless there is an overriding business need to maintain customer data, consider whether it is possible to have franchisees process data directly with the vendor instead of through the franchisor’s network. Consider advanced technologies like point-to-point encryption and tokenization.
  3. Wait to Register Domain Name. If there is a breach and the franchise system will design a site for customers to determine if data was compromised and obtain instructions on credit monitoring, then do not register a domain name too far ahead of the public release of the breach. It may be a tip-off to watchful third parties who may publicize the breach before you are ready.
  4. Collaborate Efforts. When a breach initially happens, it is not helpful to immediately point fingers. Collaborate with the franchisees on your response efforts. Telling a franchisee it is their responsibility and not helping to mitigate damage and address the issues does not help the brand.

Franchise systems have a unique set of potential hurdles when it comes to data breaches but with good policies and practices, brands can reduce risk exposure to protect both the franchisor and franchisees.

Last year at the ABA Forum on Franchising Annual Meeting, the programming included a seminar entitled “Between You and Me: A Toolkit to Counsel in and to Smaller Systems.” The purpose of the session was to provide new in-house lawyers an overview of some of the day-to-day legal conundrums that growing brands face and instructions on how to face such issues.


One of the most interesting and important issues addressed during the panel discussion was the franchise application process. Growing brands are often eager to welcome any prospect willing to pay the initial franchise fee. However, all franchise systems have a reason to be selective in the application process. Once a brand meets that critical mass of 50-100 units, it can often afford to be more discerning. Below are some tips for ensuring that a franchise system only accepts the best:

  1. Confirm supporting documents for financing. A financing arrangement may be straightforward if the franchisee is obtaining traditional financing from an institutional lender. However, if a franchisee is expecting a capital investment from friends and family, then you should still require documentation. You do not want a situation where a franchisee is a few months into development and the investing sibling or uncle backs out of the deal.
  2. Do not just run a background check and throw it in a file. Make sure you thoroughly review the results. The panelist described some war stories about clients ordering a background check on owners but failing to analyze it. The background check revealed some serious red flags about the prospect. The franchisor then faced issues with the franchisee down the line that could have been avoided had the franchisor just reviewed the results in the first place.
  3. Always conduct a search of the lists maintained by the U.S. Treasury’s Office of Foreign Assets Control (OFAC). OFAC maintains a list of all people and entities whose assets are blocked by the US government as a result of sanctions. You can conduct your own search at no cost online and it takes under a minute.
  4. Request supporting documentation such as tax returns and account statements to verify assets. Dig deeper when evaluating a prospective franchisee’s financial wherewithal.
  5. Don’t forget to determine the applicant’s citizenship or immigration status.

While there is no surefire way to avoid all problem or underperforming franchisees, developing a comprehensive screening process is one method of decreasing the number.

The National Restaurant Association recently released a new guide for restaurant operators looking for more information on how to increase their cybersecurity efforts.

In 2015, the National Restaurant Association released its first manual for restaurant owners, called “Cybersecurity 101: A Toolkit for Restaurant Operators” [PDF], which outlined best practices on five core areas of cybersecurity planning. This past month, the National Restaurant Association built on this manual with the release of “Cybersecurity 201: The Next Step” [PDF], which provides restaurant-specific guidance. The National Restaurant Association utilized the expertise of technology personnel from top multi-unit restaurant companies. The guide is a must-read for any franchise system in the food service space.

The guide takes the cybersecurity framework prepared by the National Institute of Standards and Technology (NIST) and adapts it for use in the restaurant hospitality industry. Restaurant franchise systems can learn how to apply the NIST standards by reviewing the real world hypotheticals.


For example, there is “Sam” whose restaurant experiences a data compromise of customer credit cards. After a forensic team descends on his business, Sam quickly realizes how little he understands about who has access to his computer software, which vendors service his POS Systems and how often he upgrades hardware. The result? Sam lost loyal customers and was slapped with a hefty fine from his credit card processors.

In addition to three other nicely detailed case studies, the guide shows how almost 100 different NIST categories can be applied in a restaurant setting, grades cybersecurity action items from most to least urgent and provides a glossary of cybersecurity terms.  Even the most cyber savvy restaurant systems should find the guide full of useful information.

Many franchise agreements contain a provision that restricts a franchisee from hiring or soliciting the employees of the franchisor or other franchisees. A class action lawsuit that was recently filed in the Eastern District of Texas could require removal of this type of provision in the future. Though this suit is only at the initial complaint phase, the outcome of this case could help shape the future of franchisee restrictive covenants.

In Ion v. Pizza Hut, LLC, Kristen Ion (“Ion”) filed this complaint on behalf of similarly-situated managers of Pizza Hut restaurants. Ion claims that Pizza Hut, LLC (“Pizza Hut”) has colluded with all of its franchisees to engage in anticompetitive behavior in violation of the Sherman Act. Further, Ion claims that the restrictive provision is a naked restraint on competition and a per se violation of the antitrust laws.

The provision at issue, as seen in many franchise agreements, forbids a franchise owner from hiring or soliciting any employees of the franchisor, its units, or any other franchise. Ion claims that this restraint eliminated a franchisee’s incentive to offer competitive employment packages to management personnel and restricted the mobility of such personnel. Further, Ion argues that this restraint lowered salaries and benefits due to the limited job marketplace available to Pizza Hut personnel. Ion claims that the training she received from Pizza Hut is only transferable to other Pizza Hut units.

While Ion consistently refers to the fact that each Pizza Hut franchise is its own independent business that has the right to set its own wages for staff, in the same sentence, she argues that the franchisor and franchisees were “co-conspirators” in the endeavor to suppress those wages and mobility. Further, Ion cites to the continued practice of Pizza Hut and its franchisees to cut employee wages and hours through various policies and argues that this restriction is in furtherance of this purpose (as outlined in various news articles). Lastly, Ion claims that executive compensation and franchisee profit increased at the expense of its low-paid management personnel.

However, based on the facts in the complaint, it seems that Ion never attempted to find another job outside of the Pizza Hut franchise system to support her proposition. Further, the citations to commentary by scholars and professors on the topic logically lead one to assume that there is not yet a basis in prior case law for the requested remedy.

The outcome of this case could substantially and materially alter the scope of franchisee restrictive covenants. Any outcome in favor of Ion would trigger an immediate need for revisions to a franchise agreement that contains this restriction and it is important to keep watch of this case.

Fox Rothschild LLP has deployed a new mobile app to assist companies, including franchisors, as they rush to comply with the European Union’s General Data Protection Regulation (GDPR) – a complex set of new data privacy rules with major implications for businesses.  The app – GDPR Check – helps businesses catalog their data management practices and policies to determine necessary steps to comply with GDPR when it takes effect in May.

“The pending implementation of GDPR will impact all companies that process or control the personal data of any EU citizen,” said Mark G. McCreary, chief privacy officer at Fox Rothschild and co-creator of GDPR Check. “Every business, regardless of where it is headquartered, will be responsible for complying with these sweeping new data privacy rules when collecting or processing Personal Data,” said Daniel L. Farris, co-chair of Fox’s Technology Group and co-creator of GDPR Check.

Even if a business does not collect personal data from EU citizens, the GDPR requirements apply to that business if it provides services to another business that must comply with GDPR.  Failure to comply with the regulations can result in fines of up to €20 million (approx. US$24.7 million) or 4 percent of global annual revenue in the prior year.

GDPR Check maps an organization’s data management practices in 17 areas that are key to determining compliance, including:

  • Types of data collected
  • Privacy policies (external and internal)
  • Consent
  • Data retention
  • Breach readiness

The app produces a report for each key area that a company can share with its attorneys and compliance team.

GDPR is intended to protect the rights of EU citizens to control the use of their personal data, including customer data such as birthdates, mailing addresses, IP addresses, product purchases and payment information, as well as supplier data, employee data and “sensitive data” such as health information, race, and sexual orientation.

This is the second app Fox Rothschild has launched in the data privacy space. The firm also maintains Data Breach 411, which provides easy access to applicable state statutes and breach notification rules to enable in-house counsel and compliance professionals, in the midst of a data breach crisis, to quickly identify controlling law and relevant guidance.

GDPR Check is available for free download in the Apple App Store and Google Play stores.

A recent decision in the United States District Court of Arizona (“Court”) could have far-reaching consequences for many franchisors based on the broad-sweeping principles the Court used in its reasoning. In Zounds Hearing Franchising, LLC et al. v. Bower et al., the Court answered the question of whether the Ohio Business Opportunity Purchasers Protection Act (BOPPA) trumps a choice of law and venue provision that provides for the application of law other than that of the State of Ohio.

Here, four franchisees filed suit against Zounds Hearing Franchising, LLC and Zounds Hearing, Inc. (collectively, “Zounds”) in the state court of Ohio for failure to comply with the five-day cancellation requirement under the BOPPA. Further, the aggrieved franchisees claim that Zounds made representations in connection with the sale of its franchises that were false, misleading and/or inconsistent with those contained in its FDD, in violation of the BOPPA. Each Franchise Agreement provides that Arizona law governs the interpretation and enforcement of the Franchise Agreement and all disputes are subject to pre-suit mediation (at Zounds’ option) and venue in Arizona. As such, Zounds moved to remove the suits to Ohio federal court, which then transferred the suits to the instant Court.

In analyzing whether BOPPA should trump the provisions of the Franchise Agreement, the Court relied on the rules of the Restatement of Conflict of Laws. Specifically, the law of the state with the “most significant relationship” to the parties shall govern the agreement or, if the parties chose the law of another state, that state’s law shall govern. However, if the choice of law is contrary to a fundamental policy of the state with the most significant relationship, that state will presume to have the materially greater interest in its state law governing the agreement. In holding that Ohio has the most significant relationship to the parties, the Court noted that all of the franchises and franchisees were located in Ohio and it has a strong interest in protecting its residents, particularly where the underlying statute is designed to protect franchisees that are in an inferior bargaining position. Further, Arizona lacks a statute that protects purchasers of franchises, while BOPPA is directly on point to address the franchisees’ purported harm. Essentially, the franchisees would be left with little recourse against Zounds if Arizona law applied.

Further, the Court held that it is difficult to imagine a statute that makes certain conduct a crime as being anything but the fundamental policy of the state. Additionally, the Ohio legislature amended the BOPPA in 2012 to explicitly state that any venue or choice of law provision that deprives an Ohio resident of protection thereunder is contrary to public policy, void and unenforceable, further evidencing its intent. Lastly, the Court went so far as to say that even if a statute does not explicitly outline that it is fundamental policy of that state, a court still could deem it so by its very nature. Further, the lack of a non-waivability term does not doom the statute under this analysis. These principles may open the door to seemingly endless arguments about what constitutes the fundamental policy of a state.

As such, even though the parties agreed to the Arizona choice of law and venue provisions, the application of Arizona law would be contrary to the public policy of Ohio because Arizona does not have a statute that protects the rights of franchisee purchasers as does Ohio. Further, Ohio has a materially greater interest in the enforcement of its law because the franchisees are Ohio residents and the franchises are located therein.

In the alternative, Zounds filed a motion to compel mediation pursuant to the requirement for pre-suit mediation in Arizona in the Franchise Agreement. Here, the Court determined that the pre-suit mediation requirement violated the franchisees’ rights to Ohio venue because the mediation is “intimately bound up” with the franchisees’ right to sue under the BOPPA. Lastly, the Court determined that the mediations for all four franchisees could be joint despite the Franchise Agreement requiring that all proceedings arising out of the Franchise Agreement be decided on an individual basis. Here, the Court held that because pre-suit mediation was a “proceeding” (as argued by Zounds’ counsel), then the BOPPA prohibitions apply to the mediation requirement and the BOPPA specifically prohibits class action waivers. As such, the requirement to conduct pre-suit mediation was void in violation of the BOPPA. However, the parties conceded to conduct mediation during the course of the suit. As such, the Court required that the parties conduct joint pre-suit mediation. To take it a step further, the Court awarded the franchisees their attorneys’ fees because Zounds burdened the franchisees with a multiplicity of actions in a distant forum. Further, the Court cited the unequal provision in the Franchise Agreement that stated Zounds could recover attorneys’ fees upon a successful claim against a franchisee but did not afford franchisees with a reciprocal right. The Court noted that it would be a presumptive abuse of discretion not to award attorneys’ fees against an unsuccessful party who “used its superior bargaining position to impose such a term”.

Overall, this result could have substantial effects on any franchisor that currently has franchises in Ohio or has Arizona law as its choice of law. This decision suggests courts have wide latitude to determine whether another state has a substantial interest in the transaction and whether that state’s law should govern the agreement. Further, it is important to take note of the consequences this has on a franchisor’s ability to enforce non-binding mediation as a preliminary form of dispute resolution (and on an individual basis) and to collect attorneys’ fees (without a corresponding right afforded to the franchisee). Lastly, it would be prudent for all franchisors to review their franchise agreements in light of this decision.

As cyber scams become more widespread and sophisticated, social engineering fraud is quickly turning into one of the most popular ways for a thief to rip off a company using computers. Every franchise system should be asking itself and its franchisees “do we/you have insurance coverage to protect against these losses?” In most cases, the answer is No!


“Social Engineering Fraud” refers to schemes that mislead and deceive victims (typically a company employee) into transferring funds or divulging confidential information to a fraudster. The difference between social engineering theft techniques and other types of cyber attacks is that the victim voluntarily performs the acts of transferring the funds or providing the information. For example, a fraudster may send an email to someone in a human resources department posing as the company’s accountant and request social security numbers and tax information of employees. The unwitting HR employee does not think twice and quickly compiles the information and hits reply. In other cases, an employee in accounting is tricked into sending a payment to a “vendor” of the company which turns out to be a scammer.

Many companies incorrectly assume that these types of losses are covered under a standard cyber liability policy or crime policy. However, most crime and cyber policies require a computer hack or active invasion of a computer system by a criminal to trigger coverage under a policy.   Insurance carriers argue that there was no “direct” fraud.  This is becoming a huge gap in coverage for franchisors and franchisees as insurance carriers are denying coverage for these claims and winning coverage disputes.

All hope is not lost. Many insurance carriers offer endorsements to either a company’s crime policy and/or cyber policy for social engineering theft losses. The coverage under the endorsement is often sub-limited and may have a higher deductible but it is better than no coverage at all. Before a loss affects your system, franchisors should do the following:

  1. Ensure that social engineering fraud coverage is clearly part of the franchise system’s crime or cyber policy.
  2. Modify insurance requirements for franchisees to mandate coverage for social engineering fraud claims.
  3. Keep in touch regularly with your broker and insurance counsel to make sure your insurance is covering new risks as they arise.
  4. Educate your employees on spotting potential scams. Many brokers and insurance counsels even offer data security training for clients at reasonable rates.  It is a good place to start.

Janitorial services franchisor Jan-Pro Franchising International, Inc. (“Jan-Pro”) is not the employer of its unit franchisees, according to a recent California federal court decision. Roman v. Jan-Pro Franchising Int’l, Inc., No. C 16-05961 WHA (N.D. Cal. May 24, 2017). The plaintiff franchisees failed to show that Jan-Pro exercised sufficient control over their day-to-day employment activities.


What makes this case unique is that Jan-Pro operates a three-tiered franchising structure, often called a subfranchise arrangement. Under this arrangement, Jan-Pro grants subfranchise rights to a regional master franchisee (“Master Franchisee”), who is responsible for selling Jan-Pro unit franchises to individual franchisees (“Unit Franchisees”) in a particular geographic territory. The Unit Franchisees operate the franchised cleaning service business. Importantly, as is common in a subfranchise arrangement, Jan-Pro never directly contracts with its Unit Franchisees. Instead, Jan-Pro directly contracts with its Master Franchisees. Then, the Master Franchisees directly contract with the Unit Franchisees.

 

The plaintiff Unit Franchisees claimed that they were misclassified as independent contractors when they were really Jan-Pro’s employees. They sought minimum wages and overtime premiums from Jan-Pro. The plaintiffs argued that they were Jan-Pro’s employees under California law because the contracts between Jan-Pro and its Master Franchisees permitted Jan-Pro to control the business of the Master Franchisees and Unit Franchisees through its policies and procedures.

Under California law, “to employ” means

  1. To exercise control over the wages, hours or working conditions, or
  2. To suffer or permit to work, or
  3. To engage, thereby creating a common law employment relationship.

Martinez v. Combs, 49 Cal. 4th 35, 64 (2010). However, in the franchise context, controlling the “means and manner” of a franchisee’s operations is not sufficient to make a franchisor an employer. A franchisor is only an employer if it retains or assumes general control over employment matters such as hiring, direction, supervision, discipline and discharge. Patterson v. Domino’s Pizza, LLC, 60 Cal. 4th 474, 498 (2014).

The court concluded that Jan-Pro did not employ the Unit Franchisee’s employees. It reached this result despite the fact that the Master Franchisees exerted control over the Unit Franchisees under the contracts between them. Critical to the court’s analysis was the fact that these contracts did not confer any rights on Jan-Pro to control or terminate the Unit Franchisees. Nor was Jan-Pro a third party beneficiary of these agreements, which could give Jan-Pro the right to directly enforce them. Moreover, Jan-Pro never directly contracted with the Unit Franchisees.

The court’s analysis focused on features that are specific to subfranchise arrangements, especially the lack of a direct contractual relationship between Jan-Pro and its Unit Franchisees. A subfranchise arrangement is only one form of multi-unit arrangement, and is not appropriate for all franchise systems. Franchisors engaged in or considering this system should perhaps not put too much emphasis on the court’s analysis. For one thing, a franchisor may want to have some contractual rights it can enforce directly against Unit Franchisees. Additionally, even if Jan-Pro had directly contracted with Unit Franchisees, there appeared to be scant evidence that Jan-Pro controlled employment conditions in a manner that would make it a joint employer. However, if a franchisor were to indirectly control employment conditions through a subfranchise arrangement, a court might come to a different conclusion. In any event, the court’s decision was well reasoned and grounded in a firm understanding of franchising. It was certainly a win for the franchise model, made especially important by the fact that it took place in California, which is typically considered an employee and franchise friendly jurisdiction.

Ransomware is back in the news. Yet again, massive and not-so-massive corporate enterprises find themselves at risk of having their computer systems and records held hostage to internet raiders. And, in an added twist, this time systems are not necessarily unlocked even after the ransom is paid.


What can you do? The key is advance preventative measures. Over at Fox Rothschild’s Privacy Compliance and Data Security blog, we follow these issues regularly. There, we have noted that the United States Computer Emergency Readiness Team at the Department of Homeland Security has provided several recommendations for preventative measures individuals and organizations can take against ransomware attacks, including the following:

  • Have a data backup and recovery plan which can be tested regularly for all critical information;
  • Backups should be kept on separate storage devices;
  • Allow only specified programs to run on computers and web servers to prevent unapproved programs from running (known as application whitelisting);
  • Make use of patches to keep software and operating systems current with the latest updates;
  • Maintain current anti-virus software and scan all downloaded software from the internet prior to executing;
  • The “Least Privilege” principle should prevail – restrict users’ access to unnecessary software, systems, applications, and networks through the usage of permissions;
  • Preclude enabling macros from email attachments. Enabling macros allows embedded code to execute malware on the device. Organizations should have blocking software to cut off email messages with suspicious attachments; and last, but certainly not least
  • Do Not Click on unsolicited Web links in emails.

As usual, you should always report hacking or fraud incidents to the FBI’s Internet Crime Complaint Center (IC3).

In the case of the current attack, one of the ways it seems to be spreading is through the use of auto-updating software for an accountancy program. This method of transmission points out the critical importance of turning off “auto-update” self-executing software and scanning every download prior to installation.

Many franchisors employ arbitration as their preferred method of dispute resolution. Generally, courts view arbitration agreements favorably. An agreement to arbitrate waives the parties’ fundamental right to have a court decide the merit of their disputes. As such, valid, enforceable arbitration agreements are required to waive this essential right. Two recent decisions highlight the importance of ensuring that a valid agreement to arbitrate exists between the parties.


Theo’s Pizza, LLC v. Integrity Brands, LLC

In this case, the franchisee sued the franchisor for violation of the South Carolina Business Opportunity Sales Act and breach of contract. The franchisor sought to dismiss the action because all actions related to the franchise agreement were subject to arbitration (per the Franchise Agreement). The parties entered into a Market Development Agreement under which the franchisor granted franchisee the right to open multiple units. The Market Development Agreement explicitly stated that the parties must execute a separate franchise agreement for each unit. Despite the franchisee opening its first unit, the parties never signed a Franchise Agreement. The Market Development Agreement and Franchise Agreement both contain clauses that require arbitration of all disputes.

The Court held that the claims arose out of the operation of the unit, not the Market Development Agreement. Thus, in the Court’s opinion, there was not an explicit agreement to arbitrate disputes because the parties never signed the Franchise Agreement. Additionally, the Court refused to impute an agreement to arbitrate where the franchisee had not expressly agreed to one.

Stockade Companies, LLC v. Kelly Restaurant Group, LLC

In this case, the franchisor terminated the Franchise Agreement for failure to pay royalties. The franchisee continued to operate its business after the termination of the Franchise Agreement. Subsequently, the franchisor filed for an injunction against the franchisee for its continued operation of its business. The franchisor argued that the franchisee’s continued operation of the business infringed on franchisor’s trademark rights and violated the post-termination non-competition clause. The franchisee argued that the franchisor was not entitled to an injunction because all actions under the Franchise Agreement must be arbitrated. However, the Franchise Agreement provided that the franchisor may file for injunctive relief where necessary to protect its proprietary marks and other rights or property.

The franchisee argued that the claims fall within the arbitration clause because (a) they are not “actions” within the meaning of the exclusion clause, (b) they are not “necessary” to protect the franchisor’s property, and (c) the exclusion clause is vague and invalid. The Court dismissed each of the franchisee’s arguments noting that the exclusion clause permits the specific action the franchisor took (the filing of a request for injunctive relief). Further, the franchisor’s (i) right to enforce its non-compete protects its property, and (ii) trademark infringement claims protect its proprietary marks. Lastly, the Court noted that the language of the exclusion clause was clear and that the franchisor had carved out its right to seek injunctive relief. As such, the Court held there was no valid agreement to arbitrate the injunction action.

Conclusion

These cases illustrate it is of utmost importance to ensure that your franchise agreements are well-written and explicit when it comes to dispute resolution procedures. Additionally, when entering into a development relationship, a franchisor must ensure that it enters into a separate franchise agreement for each unit so it is bound by those terms. Lastly, a franchisor must ensure that all reserved rights to obtain injunctive relief are clear and conspicuous. While these recommendations are not earth-shattering, these cases are important reminders of the consequences of improper franchise administration and documentation.