I attended a very informative panel discussion at this year’s IFA Legal Symposium in Washington, D.C. earlier this month on addressing data security risks in franchise systems. The panel, consisting of two attorneys with Bank of America Merchant Services, provided some good tips and takeaways for franchise systems:
- Do tabletops. Your franchise system should have a data response plan in place for various potential breach scenarios and practice the plan regularly by conducting tabletop exercises. The last thing you want an executive officer of your brand doing after a breach is googling “Is it illegal to secretly pay $100,000 in Bitcoin to a hacker?”
- Consider Standardization of POS Systems. While franchise systems may be reluctant to impose additional requirements for fear of vicarious liability claims, the potential exposure for data breach liability may outweigh those considerations. Engage a consultant to find weak spots in your system. Move away from the hodgepodge of various POS systems and require all franchisees to upgrade to current technology. Unless there is an overriding business need to maintain customer data, consider whether it is possible to have franchisees process data directly with the vendor instead of through the franchisor’s network. Consider advanced technologies like point-to-point encryption and tokenization.
- Wait to Register Domain Name. If there is a breach and the franchise system will design a site for customers to determine if data was compromised and obtain instructions on credit monitoring, then do not register a domain name too far ahead of the public release of the breach. It may be a tip-off to watchful third parties who may publicize the breach before you are ready.
- Collaborate Efforts. When a breach initially happens, it is not helpful to immediately point fingers. Collaborate with the franchisees on your response efforts. Telling a franchisee it is their responsibility, while not helping to mitigate damage and address the issues, does not help the brand.
Franchise systems have a unique set of potential hurdles when it comes to data breaches, but with good policies and practices, brands can reduce risk exposure to protect both the franchisor and franchisees.