Data Security: A field guide for franchisors
March 6, 2015
The technology networks that franchisors use to collect and transmit
business data (e.g., sales tracking, royalty payments, customer credit
card information) are only as secure as their weakest link. And in
franchising, that weak link may be a single franchisee that hasn’t
invested the time and money necessary to ensure its computer systems
are protected against attacks from increasingly sophisticated hackers.
“Many franchisees are operating on razor-thin margins and may be
more concerned with keeping the lights on and other practical
operational matters,” says Johnny Lee, managing director at Grant Thornton LLP’s Forensic, Investigative
and Dispute Services practice, and a leader of the Forensics Technology Services practice. But the reality is
“if you are a franchisee of a known brand, you’re a target.”
Customers simply don’t draw a distinction between the brand and franchisee ownership — and, generally
speaking, you don’t want them to. What may follow when a data breach occurs — negative press reports,
loss of business, penalties and even class-action lawsuits — makes the question of who is responsible for
the information collected and stored through a franchised business essentially a moot point.
Securing card information
Given the high costs of breaches, franchisors need to have some oversight of data security at all of their
franchises. In particular, they must help them comply with the Payment Card Industry Data Security
Standard (PCI DSS). Meeting PCI DSS terms is not easy. The requirements are updated every three years in an effort to
keep up with the ever-changing nature of security threats.
The costs of a breach
When there is evidence of a compromise of personal data held by companies — whether
customers' credit card data or other personal details or business intelligence — franchisors and
their franchisee partners can take several investigative steps. They may hire data security experts
to perform forensic audits to detect whether and how a breach occurred, and they should
consider retaining counsel to advise them on their legal and communication strategies.
Penalties. As a condition of accepting credit card payments, there are disclosure obligations to
notify credit card companies and customers of a potential breach within a specific time frame,
which varies depending on the jurisdiction in which the breach occurs. Failure to do so can result
in significant penalties. In addition, nearly every state has a law requiring companies to report
data breaches to the affected parties, and franchisors may have to scramble to comply with
differing laws in the states in which their franchisees operate.
Class-action lawsuits and regulatory action. Data breaches also make franchisors vulnerable
to class-action lawsuits from consumers. Such lawsuits are on the rise, and there are some
notable examples in the franchising sector. The Federal Trade Commission (FTC), acting in its
capacity as a regulator for privacy and data security, can also bring actions against companies it
deems to have ineffective security practices.
In 2012 the FTC filed suit against Wyndham Hotels for failing to maintain the security of the
computer system it required franchisees to use to store customers’ personal information —
leading to three data breaches in less than two years, resulting in fraudulent charges on
customers’ accounts and the export of hundreds of thousands of consumers’ credit card
information to an Internet domain address registered in Russia.[1] That case is still pending.
A 2008 report from Visa USA Inc. provides useful guidance on minimizing data compromises in the
franchise sector. Among the company’s recommendations, franchisors should not retain payment card data,
such as magnetic-stripe or personal identification number data.
Franchisors should also verify the security procedures of vendors handling maintenance of the point-of-sale
systems, management of firewalls, and the hosting of websites. This is critical to ensuring that such service
providers — defined by the PCI DSS standards as any company that stores, processes, or transmits
cardholder data on your behalf — fully understand the nuances of your operations and are therefore able to
protect your data. “From what we see in audits, this understanding of third-party risk is often not the case at
all,” Lee says. “The reasons for this are neither sinister nor negligent, necessarily. It’s just that everyone is
trying to cover themselves with a fig leaf that’s not quite big enough to address the significant risks
involved.”
Indeed, this is illustrated by the new PCI DSS standards, effective January 2015, which attempt to address
this issue in response to a growing number of examples uncovered by credit card companies in which there
was a lack of clarity between the merchant and the service provider as to which PCI DSS requirements were
being covered by which parties (franchisors, franchisees or their vendors) and what their different roles and
responsibilities were.
“There were cases where one thought the other was addressing a certain requirement or risk when in reality
it was falling through the cracks. PCI standards now say you have to have clearly delineated roles and
responsibilities with service providers. That needs to be done upfront before the contract is signed,” says
Brian Browne, managing director in Grant Thornton’s East region Business Advisory Services practice.
Visa also recommends that franchisors implement network security guidelines. This may include requiring
franchisees to maintain firewall logs for 60 days to create an audit trail, which helps identify suspicious
activity that can then be used to facilitate forensic investigations.
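Visa's 60-day log recommendation only pays off if someone actually reviews the logs. The Python below is an added example, not part of the Grant Thornton guide or of Visa's report, of the kind of review a franchisor could run over a franchisee's firewall logs: it parses a handful of constructed iptables-style lines (not real traffic), flags any source that is blocked repeatedly within a short window, flags a point-of-sale host that was allowed to connect somewhere other than its payment processor's HTTPS port, and keeps only the events that fall inside the retention window. The log layout, the POS host addresses and the allowed port are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log lines in an iptables-style key=value layout.
# They are illustrative only and do not come from any real franchise network.
SAMPLE_LOG = """\
2015-02-01T02:14:05 DROP SRC=203.0.113.9 DST=192.168.10.5 PROTO=TCP DPT=3389
2015-02-01T02:14:06 DROP SRC=203.0.113.9 DST=192.168.10.5 PROTO=TCP DPT=3389
2015-02-01T02:14:07 DROP SRC=203.0.113.9 DST=192.168.10.6 PROTO=TCP DPT=3389
2015-02-01T02:14:08 DROP SRC=203.0.113.9 DST=192.168.10.7 PROTO=TCP DPT=3389
2015-02-01T02:14:09 DROP SRC=203.0.113.9 DST=192.168.10.8 PROTO=TCP DPT=3389
2015-02-01T02:20:00 ACCEPT SRC=192.168.10.5 DST=198.51.100.20 PROTO=TCP DPT=443
2015-02-01T03:05:00 ACCEPT SRC=192.168.10.5 DST=198.51.100.77 PROTO=TCP DPT=4444
2015-02-01T09:00:00 DROP SRC=198.51.100.3 DST=192.168.10.5 PROTO=TCP DPT=22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)$"
)

# Assumed network facts for the example: which hosts are POS terminals and
# which outbound port they are allowed to use (HTTPS to the payment processor).
POS_HOSTS = {"192.168.10.5", "192.168.10.6"}
ALLOWED_OUTBOUND_PORTS = {443}


def parse_log(text):
    """Turn log text into a list of dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["dpt"] = int(e["dpt"])
        events.append(e)
    return events


def repeated_drops(events, threshold=5, window=timedelta(minutes=1)):
    """Sources blocked `threshold` or more times inside any `window`: a simple
    sign of scanning or password guessing against the site."""
    stamps_by_src = defaultdict(list)
    for e in events:
        if e["action"] == "DROP":
            stamps_by_src[e["src"]].append(e["ts"])
    flagged = set()
    for src, stamps in stamps_by_src.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):          # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return flagged


def unexpected_outbound(events):
    """Accepted connections from a POS host to a port outside the allowlist;
    worth a look because a POS terminal should only talk to its processor."""
    return [e for e in events
            if e["action"] == "ACCEPT" and e["src"] in POS_HOSTS
            and e["dpt"] not in ALLOWED_OUTBOUND_PORTS]


def within_retention(events, review_date_iso, days=60):
    """Events still inside the retention window (60 days in Visa's recommendation),
    i.e. what a forensic reviewer on `review_date_iso` could expect to find."""
    cutoff = datetime.fromisoformat(review_date_iso) - timedelta(days=days)
    return [e for e in events if e["ts"] >= cutoff]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("sources with repeated drops:", sorted(repeated_drops(evs)))
    for e in unexpected_outbound(evs):
        print("unexpected outbound:", e["ts"], e["src"], "->", e["dst"], "port", e["dpt"])
    print("events still retained on 2015-03-06:",
          len(within_retention(evs, "2015-03-06")))
```

The thresholds are deliberately simple; the point is that a retained log becomes an audit trail only when something (a script, a managed service, or a person) runs checks like these against it on a schedule and keeps the results alongside the logs.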
Franchisors are also advised to ensure remote management applications that are used to download business
information, sales polls and survey inventory are secure from hackers. Some of these applications come
with default or blank passwords. For protection, it is important to create unique user IDs and complex
passwords, which ideally would be unique to each franchise location.
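As an added illustration (not from the guide or from Visa's report), here is a small Python audit that a franchisor could run over an inventory of franchisees' remote-management accounts. It reports blank passwords, vendor defaults, generic user IDs, passwords reused across locations and passwords that fail a simple complexity rule; keeping such an inventory complete is also the gap Matt Thompson describes under best practice 4 below, where most passwords get fixed but not all of them are accounted for. The inventory, the vendor-default list and the complexity thresholds are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample inventory of remote-management accounts, one per store.
# None of these are real credentials; they are shaped to trigger each check.
INVENTORY = [
    {"location": "store-101", "user": "admin",        "password": ""},
    {"location": "store-102", "user": "admin",        "password": "admin"},
    {"location": "store-103", "user": "store103-ops", "password": "Shared#2015pw"},
    {"location": "store-104", "user": "store104-ops", "password": "Shared#2015pw"},
    {"location": "store-105", "user": "store105-ops", "password": "v8!Qm2#rLp7$zXw1"},
]

# Placeholder for the list of vendor-shipped defaults a franchisor would keep for
# its own remote-management products (the real list comes from the vendors).
KNOWN_DEFAULTS = {("admin", "admin")}
# Generic account names give no per-person accountability in the audit trail.
GENERIC_USERS = {"admin", "root", "administrator"}


def complexity_issues(password, min_len=12, min_classes=3):
    """Return the reasons a password fails the assumed complexity rule (empty if it passes)."""
    issues = []
    if len(password) < min_len:
        issues.append(f"shorter than {min_len} characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < min_classes:
        issues.append(f"fewer than {min_classes} character classes")
    return issues


def audit(inventory):
    """Return (location, finding) pairs for every account that breaks a rule."""
    locations_by_password = defaultdict(set)
    for acct in inventory:
        locations_by_password[acct["password"]].add(acct["location"])

    findings = []
    for acct in inventory:
        loc, user, pw = acct["location"], acct["user"], acct["password"]
        if pw == "":
            findings.append((loc, "blank password"))
        elif (user, pw) in KNOWN_DEFAULTS:
            findings.append((loc, "vendor default credential"))
        if user in GENERIC_USERS:
            findings.append((loc, "generic user id"))
        if pw and len(locations_by_password[pw]) > 1:
            findings.append((loc, "password reused at another location"))
        for issue in complexity_issues(pw):
            findings.append((loc, "weak password: " + issue))
    return findings


if __name__ == "__main__":
    for loc, finding in audit(INVENTORY):
        print(f"{loc}: {finding}")
```

Run against the constructed inventory, only store-105 comes back clean. The reuse check is the one that matters most for a franchise system: a password that is strong but shared across stores means one compromised location exposes all of them.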
New PCI DSS requirements include guarding against physical modifications to swipe machines, introduced
by thieves to enable them to surreptitiously copy credit and debit card information. To prevent this, stores
with point-of-sale machines must check them regularly, a function that cannot be outsourced. Employees
need to know how to do it themselves.
5 key cybersecurity best practices
Securing credit card information is just one of many important protective measures. Franchisors should
also:
1. Establish policies and procedures for how franchisees’ employees connect to the Internet and what
they do there. “A lot of malware comes in from employees surfing the web,” says Matt Thompson, Grant
Thornton’s managing director of Business Advisory Services and leader of the information technology audit
practice in the Southeast region. This can be particularly challenging because of the high rates of employee
turnover in food and beverage companies.
Turnover presents other problems as well. Disgruntled employees may learn passwords and business
practices that make a company vulnerable. This is one of the reasons background checks are recommended,
as are policies that passwords be changed with some regularity. The high degree of turnover makes frequent
training of employees in best practices for data security essential, too. “It’s these folks who handle the data
and often they have no real appreciation for the value and the risk potential of the private information they
may be handling,” Lee says.
2. Encrypt personal data, redact where possible and institute good data maintenance. Some franchisees
have gotten into trouble through social media marketing campaigns or loyalty programs that gather
consumers' personal information. For example, in 2010, a class action lawsuit was filed against Papa John’s
International, as well as some of its franchisees, by plaintiffs who alleged they received text messages that
they hadn’t consented to receive. The franchisor had to pay $16.5 million in damages.[2]
To protect their customers' privacy, companies need to know what personal information they collect —
e.g., names, email addresses and IP addresses — and follow five key principles set out by the FTC:[3]
1. Take stock of the data
2. Keep only what you need
3. Lock it down
4. Dispose of what you no longer need
5. Plan ahead to respond to security incidents
And it's not just customer data; franchises also need to protect personal and financial data gathered from
employees, contractors or vendors.
3. Invest in intrusion-detection software, which monitors networks for suspicious activity, and bolster
your incident-response planning. Experts recommend having an incident plan in place before a breach
occurs, so that it's clear which law enforcement agencies and other parties need to be notified and which
outside counsel and forensic investigators will be called on for help. Franchisors should conduct immediate
investigations when there may have been a breach, and fully document the process. It is also crucial that
they require their franchisees to comply with notification and general policy laws as part of their business
agreement.
4. Hire consultants to test your systems for vulnerabilities. Consultants do this by thinking like hackers
and using the same tools — including automated systems that try out default passwords — to get in.
“Normally companies will fix the majority of the passwords, but might not inventory all of them, which
allows hackers to break in,” Thompson says.
5. Continually enforce policies. It's not enough to have an airtight policy if the policy isn’t exercised in a
consistent manner. “There must be zero daylight between policies and practice, and employers must
monitor for this to have any semblance of assurance,” Lee says.
Extra steps
Franchisors may also want to consider insurance, but must read the fine print of these policies, because pre-existing
breaches — even ones a company was unaware of — can invalidate the insurance. “If your policy
says effective Jan. 15 and your breach began last summer, there may be no coverage,” Lee says. “You have
to pay careful attention to the exclusions in your policy, and counsel should be involved in spotting those
important nuances.”
To educate themselves about new risks, franchisors may want to review the Verizon Data Breach
Investigations Report, published each year, which details the types of data breaches that have occurred in
the previous year, Browne says.
New tools may help
In the end, franchisors must make data security and privacy part of the way they do business — educating
themselves about the risks and taking proactive steps to guard against them, as much as possible. Simply
put, “Businesses need to get to the point where they recognize that good privacy practices are good
business,” Lee says. That said, there are some emerging technologies that may help, including point-to-point
encryption and tokenization, which is a process of substituting a sensitive piece of information with a
unique symbol or symbols (known as tokens) that allow companies to disguise sensitive information.
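To make tokenization concrete, the following Python is an added example written for this page (not a product, a standard, or code from Grant Thornton): a toy vault hands out a random token for each card number, keeps the only mapping back to the card, and leaves the franchisee's system holding nothing but the token and the last four digits. The card numbers are industry test numbers, and the keyed-hash index, the token format and the length checks are design choices for the example rather than anything PCI DSS prescribes. Point-to-point encryption, the other technology mentioned, is not shown.

```python
import hashlib
import hmac
import secrets

# Constructed sample card number: a standard industry test number, not a real account.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan):
    """Luhn check-digit test: every real card number passes it; a token never will."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def masked(pan):
    """The only card-derived value a merchant screen or receipt needs: the last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Toy tokenization service, standing in for a provider's vault.

    The token is random, so nothing about the card can be computed from it; the
    mapping back to the card number lives only here. A keyed hash of the card
    number is used as the lookup index so a repeat customer gets the same token
    without plaintext card numbers being used as dictionary keys. A real vault
    would also encrypt the stored card numbers at rest and keep its keys in an HSM.
    """

    def __init__(self):
        self._index_key = secrets.token_bytes(32)
        self._pan_by_token = {}
        self._token_by_index = {}

    def _index(self, pan):
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan):
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible card number")
        idx = self._index(pan)
        if idx in self._token_by_index:
            return self._token_by_index[idx]
        while True:
            token = "tok_" + secrets.token_hex(12)   # 96 random bits, unrelated to the card
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token):
        """Only the vault, or the payment processor it fronts, should ever call this."""
        return self._pan_by_token[token]


def merchant_record(pan, vault):
    """What a franchisee's system keeps after the sale: a token for refunds or
    loyalty matching and a masked number for display. The card number itself is
    never stored, which is what narrows the PCI DSS footprint."""
    return {"token": vault.tokenize(pan), "display": masked(pan)}


if __name__ == "__main__":
    vault = TokenVault()
    record = merchant_record(SAMPLE_PAN, vault)
    print("stored by merchant:", record)
    print("vault resolves token to:", masked(vault.detokenize(record["token"])))
```

The design point to notice is that the token is random rather than a hash of the card number: a plain hash could be reversed by trying every possible account number, while a random token can only be resolved by asking the vault, which is exactly the single place a franchisor can then monitor and lock down.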
While these new tools may help, there is no substitute for vigilance. “Information Security professionals try
not to capitalize on fear, uncertainty and doubt, but there are some very sophisticated actors out there. A lot
of them have compromised systems without leaving any breadcrumbs, and they are still in these systems
today. While this can be a truly daunting arena, companies need to act now and act boldly to be on a less
reactive footing here,” Lee says.
[1] See www.ftc.gov/news-events/press-releases/2012/06/ftc-files-complaint-against-wyndham-hotels-failure-protect for details.
[2] See www.law360.com/articles/442855/papa-john-s-will-deliver-16-5m-to-end-tcpa-claims for details.
[3] See www.business.ftc.gov/documents/bus69-protecting-personal-information-guide-business for details.
See more at: http://www.grantthornton.com/issues/library/articles/hospitality-and-restaurants/2015/03-data-security-field-guide-for-franchisors