Several high-profile ransomware attacks have recently rocked the franchise world, fomenting uncertainty and anxiety about franchisors’ legal obligations and liability. Ransomware attacks essentially kidnap a company by shutting down its systems and holding its data hostage until a ransom fee is paid. In addition to the quantifiable hard costs of paying ransom and hiring experts to mitigate damage and rebuild cyber defenses, ransomware victims can be damaged by: (a) third-party liability to the customers and other original owners of compromised data; (b) interruption of business operations during the course of and recovery from an attack; and (c) injury to reputation value through the loss of consumer confidence, the appearance of incompetence, and customer attrition. In today’s digital golden era, data is among the world’s most valuable assets, earning the tagline: “data is the new oil.” It therefore comes as no surprise that cybersecurity, which has been a hot topic for years, is garnering increased attention and resources from businesses of all sizes and stages. Yet with each new development in defensive cybersecurity, cybercriminals come up with just as many ways to get around those defenses.
It is said that there are two types of businesses: those that have been hacked and those that will be. (A partial misstatement, as many companies in the first group are also members of the second.) While cybersecurity must be incorporated into the strategy of every company across every industry, franchisors are especially at risk, as one of their most crucial assets is their brand reputation, which may be severely tarnished following a data breach. The franchisor-franchisee relationship is unique in that, while the two parties are technically different companies, they are commingled and reliant upon each other to be successful. But how does this relationship work when defenses fail and a franchise system is kidnapped?
While almost every Franchise Disclosure Document (FDD) contains provisions for data protection and obligations on both the franchisee and the franchisor, the franchisor, whether through the FDD or otherwise, is often deemed ultimately responsible for setting the final parameters around the data and security systems. Recent litigation indicates that franchisees are seeking to hold franchisors liable by pointing to the cybersecurity requirements contained within the FDD, or to the security practices of the franchisor itself, to prove that the franchisor had ultimate control over the protection of data and that, therefore, the franchisee should not be held liable. While this may or may not be technically true (the franchisee may have actual control over the point-of-sale terminals and the local networks on which those terminals operate, which may be the cause of the breach), the focus will almost always be on the franchisor. Consumers whose privacy and data have been compromised, and franchisees directly or indirectly impacted by breaches, often look to the franchisor for remedies. In the consumer’s mind, this is because the breach is of the brand, and the brand is the franchisor (the franchisee is usually transparent to the consumer). In the franchisee’s mind, control over IT systems is dictated by the franchisor, and thus it is the franchisor’s responsibility to provide secure systems. And in the plaintiffs’ attorney’s mind, the goal is to recover from the franchisor’s perceived “deep pockets,” which generates attorney-produced theories of liability. Effectively, all eyes end up on the franchisor.
Several recent cases (ongoing or settled) are driving franchisors to consider these claims and theories when making decisions regarding their internal policies, their use of data, and language used in their FDDs, franchise agreements, and operations and training manuals.
Though it is impossible to eliminate cybersecurity threats, there are many steps franchisors can take to mitigate the potential damage that a ransomware or other attack can cause.