Franchisors: Are You Covering Your Digital Assets?

Seyfarth Shaw LLP

Several high profile ransomware attacks have recently rocked the franchise world fomenting uncertainty and anxiety about franchisors’ legal obligations and liability. Ransomware attacks essentially kidnap a company by shutting down its systems and holdings its data hostage until a ransom fee is paid. In addition to the quantifiable hard costs of paying ransom and hiring experts to mitigate damage and re/build cyber defenses, ransomware victims can be damaged by: (a) third-party liability to the customers and other original owners of compromised data; (b) interruption of business operations during the course of and recovery from an attack; and (c) injury to reputation value in the loss of consumer confidence, appearance of incompetence, and customer attrition. In today’s digital golden era, data is among the world’s most valuable assets, earning the tagline: “data is the new oil.” It therefore comes as no surprise that cybersecurity, which has been a hot topic for years, is garnering increased attention and resources from businesses of all sizes and stages. Yet with each new development in defensive cybersecurity, cybercriminals come up with just as many ways to get around those defenses.

It is said that there are two types of businesses: those that have been hacked and those that will be. (A partial misstatement, as many companies in the first group also are members of the second.) While cybersecurity must be incorporated into the strategy of every company across every industry, franchisors are especially at risk as one of their most crucial assets is their brand reputation, which may be severely tarnished following a data breach. The franchisor-franchisee relationship is unique in that while the two parties are technically different companies, they are comingled and reliant upon the other to be successful. But how does this relationship work when defenses fail and a franchise system is kidnapped?

While almost every Franchise Disclosure Document (FDD) contains provisions for data protection and obligations on both the franchisee and franchisor, often the franchisor, whether through the FDD or otherwise, is deemed ultimately responsible for providing the final parameters around the data and security systems. Recent litigation indicates that franchisees are seeking to hold franchisors liable by pointing to the cybersecurity requirements contained within the FDD or the security practices of the franchisor itself to prove the franchisor had ultimate control over the protection of data and therefore, the franchisee should not be held liable. While this may or may not be technically true (the franchisee may have actual control over the “point-of-sale” terminals and local networks which the terminals operate on which may be the cause of the breach), the focus will almost always be on the franchisor. Consumers whose privacy and data have been compromised, and franchisees directly or indirectly impacted by breaches, often look to the franchisor for remedies. In the consumer’s mind, this is because the breach is of the brand - and that is the franchisor (the franchisee is usually transparent to the consumer). In the franchisee’s mind, the control over IT systems is dictated by the franchisor and thus it is the franchisor’s responsibility to provide secure systems, And in the plaintiffs attorney’s mind, they are interested in recovering from the franchisor’s perceived “deep pockets”, generating attorney-produced theories of liability. Effectively, all eyes end up on the franchisor.

Several recent cases (ongoing or settled) are driving franchisors to consider these claims and theories when making decisions regarding their internal policies, their use of data, and language used in their FDDs, franchise agreements, and operations and training manuals.

Though it is impossible to eliminate cybersecurity threats, there are many steps franchisors can take to mitigate the potential damage that a ransomware or other attack can cause. 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Seyfarth Shaw LLP | Attorney Advertising

Written by:

Seyfarth Shaw LLP

Seyfarth Shaw LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.