Franchisor or Franchisee: Who is liable in a data breach?

The FTC recently suggested that a company can be held liable for giving sensitive information to another company that does not employ good data security practices.
– Managing Data Breaches by David Zetoony & Louise Nutt via Franchising.com

In 2014, hundreds of Dairy Queen franchises experienced theft of customer credit and debit card numbers. Attackers had infiltrated point-of-sale terminals with data-theft software called “Backoff,” which previously had hit Target. The home office didn’t do a great job of getting on top of the situation. Similar breaches have affected Home Depot, Goodwill, UPS, and Supervalu, all of which rely on franchisees to create their own disaster recovery plan.

Why does this matter?

When companies don’t have security and breach reporting policies for their franchisees, their locations are more vulnerable to attacks, and their response to problems will be slow and uncoordinated. Most local managers lack the ability to set up a secure point of sale system, and local weaknesses allow access to the central data systems.

For clients, this lack of attention to detail can deliver a devastating blow to the reputation of the brand as a whole. Data breaches can be devastating enough that a franchisee may be forced to close their doors, causing loss of income to their employees as well as themselves. The franchisor isn’t necessarily able to escape at least some of the blame, as poor security at franchised locations can result in liability at the corporate level. For instance, when a subsidiary of Wyndham hotels experienced a data breach that affected over 600,000 customers, the FTC tried to hold Wyndham Worldwide liable.

To protect its legal position and its reputation, the corporate level needs to require its franchisees to use strong security practices, specify standard tools and procedures to protect the data they handle, and put measures in place to make sure the proper upgrades and maintenance stay in compliance.

Point of sale terminals are a frequent weak point. It’s necessary to treat them as seriously as any other computer in the business’s network. They might be running old software which no longer gets security updates or may lack antivirus protection. If left in unsecured locations, a criminal might be able to install skimming devices on their card readers. Integrated security solutions may offer an effective way to protect a retail sales network.

Research for Yourself!

Here are a few related articles we have found to get you started on educating yourself on this topic:

 

We can supply the IT solutions you need to protect your data. Please contact us to learn more.
