Consumers are growing more sensitive about the privacy of their financial information, and franchisors, like other businesses, need to become more attentive to protecting customer data. 'Information privacy and security is one of the most fast-paced and constantly changing areas of the law today,' stated Kirk Nahra, chair, Wiley Rein & Fielding's privacy practice, in a conference call on April 20 targeted specifically at the privacy challenges that franchises face.
Laws regulating privacy are not uniform at the moment: the financial services and health care industries operate under specific rules written for them, while most other industries are covered by the broad unfair-practices rules in §5 of the Federal Trade Commission ('FTC') Act and by state laws. As incidents of privacy breaches have become more common, the FTC and state lawmakers have taken stronger steps to combat the problem.
Earlier this year, the FTC created a new Division of Privacy and Identity Protection in the Bureau of Consumer Protection. 'It is not very common for FTC to create a new division, which says a lot about the priority it places in this area,' said David Koch, chair, Wiley Rein & Fielding's franchise practice. The new FTC division has 30 professionals, he said, in contrast with the single professional who is dedicated to franchise issues. 'The bottom line is that if you are worried about [running afoul of] the Franchise Rule or privacy laws, the latter is more likely.'
Franchise systems are particularly vulnerable to privacy issues because by their very nature franchisors and franchisees need to share data, Koch said. Franchisors should be aware that laws regarding privacy are becoming more restrictive on sharing between nonaffiliated parties, which franchisors and franchisees are usually deemed to be.
Understanding the FTC's Fair Information Practices
As the lead federal agency developing privacy standards, the FTC several years ago developed five principles for Fair Information Practices. In March 2006, FTC Commissioner Pamela Jones Harbour discussed these at a major conference of privacy professionals in Washington, DC, and Nahra emphasized that companies must tailor privacy programs to meet these principles:
Information Security
While there are a multitude of privacy issues that franchisors should be concerned about today, Nahra and Koch pinpointed information security as the single most important matter. 'You need to ask yourself, 'Do I and my franchisees have an effective security program?'' said Nahra. 'Clearly, it's the hottest area in security now. It has generated so many of the high-profile news stories across the country.'
Franchisors might be chilled by the expansion of the FTC's enforcement in a June 2005 settlement with discount retailer BJ's Wholesale Club, after the company failed to secure its wireless network and intruders gained access to customers' credit card information. The FTC found that BJ's security failure was an 'unfair' business practice under §5 of the FTC Act, a finding that extended the Commission's reach in two critical ways. First, 'there was no specific law that applied to BJ's information security practices,' Nahra said. 'They did not violate any specific security laws, because there are no specific laws applied to them.'
Second, BJ's had not made any promises to customers about protecting their information. 'So FTC has said you have an obligation to provide and maintain security, even if you don't promise to do so,' said Nahra. 'This is a very broad, very significant case.'
Developing and Maintaining an Effective Security Program
To be prepared in today's risky environment, Nahra and Koch said that franchisors must develop and implement detailed, written information security programs, and constantly update and assess their effectiveness. 'The weakness I find most commonly is that companies have [a few security measures] in place, but often it is not written,' said Nahra.
The FTC expects companies to ensure against 'any reasonably anticipated' threats, said Koch. Companies should designate an employee or employees as coordinator of security. Companies also must identify the risks and assess the sufficiency of safeguards. Assessing sufficiency is very difficult, said Nahra, and he noted that sufficiency is not necessarily related to results. In other words, a firm can be deemed to have a security weakness that doesn't result in a breach; conversely, it might have taken reasonable precautions against a breach, but the precautions failed.
Koch suggested that franchisors start the process by looking at data flows. 'It's really critical to understand [data flows] to determine if you have sufficient security at each step of your process,' said Koch. 'Assess which information you must protect; not all information is equally sensitive. For example, a shoe store that loses information about customers' shoe size is different than losing credit card numbers.'
In looking at data flows, franchisors inevitably will have to consider who owns customer data: they or the franchisees? 'In old franchise agreements, this was often not well-defined, and we saw fights over who owns the customer data,' said Koch. 'Under new UFOCs, the trend is to define who owns customer data, and usually the franchisor gets it.'
If a franchisor owns customer data, Koch said, the franchisor 'probably' is liable for keeping it secure, even if it resides with the franchisee. 'If it resides with the franchisee, what measures are they taking to keep it secure?' Koch asked. 'Do you need to add policies to your guidance manual?'
Also, franchisors should be aware of their responsibilities to maintain security within their own networks. 'One of the major weaknesses of companies' security programs is when they open their whole network to all employees, regardless of their need to access information,' said Koch. 'You should analyze which information each employee needs, and [you should monitor to determine] if they are downloading what they shouldn't have.'
Franchisors also have vendor relationships, either when they act as vendors or contract with third parties. Security arrangements in vendor relationships are subject to due diligence expectations, and contracts should reflect privacy requirements.
Mitigation Strategies in the Event of a Breach
The other hot-button issue today is how a company responds to a breach. From a franchisor's perspective, a breach carries with it not only the direct costs of solving the problem and making customers whole, but also negative publicity that will harm the franchise brand.
'If you are going to pick a single highest-profile topic, this is probably it,' said Nahra. 'Mitigation begins by identifying what happened and why. What was the cause? Then, what was the harm incurred? There's a difference if it was from a package wrongly delivered rather than from a hacker. Then you must figure out how to stop the problem: technology, training, education, and also the legal steps.'
A good mitigation strategy includes a plan about how to notify consumers whose information was compromised. The bellwether case in this area is ChoicePoint, a company that maintains databases of individual credit reports and provides them to third parties for marketing purposes. In December 2004/January 2005, it was alleged that ChoicePoint was not conducting due diligence about who was seeking the credit information, and it allowed access to unauthorized parties.
The greatest outcry over ChoicePoint arose when the company said it would only inform California residents whose account information had been accessed, because other states did not require notification. In the face of criticism, the company reversed its policy, but the incident led to more than 20 states passing notification laws in 2005, and another 20 or more states are poised to do so in 2006, said Nahra. Congress may step in with a national law this year.
Franchisors must be aware of these notification laws and their various triggers. Typically, notification is required when a consumer's name is distributed in conjunction with other information, such as a Social Security, driver's license, credit card or bank account number. The potential for harm to an individual is a factor, and unencrypted data are considered more vulnerable than encrypted data. California requires notification in the event of almost any breach of computerized information; North Carolina requires notification for breach of 'unencrypted records or data ... where illegal use of the personal information has occurred or is reasonably likely to occur, or creates a material risk of consumer harm.'
Koch recommended that franchisors encourage their franchisees to follow guidelines in a booklet published by the Council of Better Business Bureaus ('BBB') in April 2006, Security and Privacy Made Simpler. The guide breaks down information security, mitigation, and other issues into specific steps that small businesses can implement. 'It can help franchisors with vicarious liability, because it shows that you are relying on [someone else's] expertise in this area,' said Koch.
Although there has not yet been a test case in which a franchisor has been ruled vicariously liable for a franchisee's security breach, Koch suggested that franchisors' claims of owning customer data clearly raise the stakes. Well-defined mitigation and notification plans become even more critical when liability issues are involved.
'But giving notice, even in full compliance with these laws, does not mean you will not get sued,' Nahra cautioned. 'All it means is that you complied with the law, the goal of which is to reduce the potential for harm.'
That lesson can be applied to many facets of information security and privacy, concluded Koch. 'We have not yet seen a great deal of litigation about privacy breaches, but it is rising,' he said. 'Potentially the franchisor has the obligation to notify its franchisees about privacy law and liability if breaches occur. But whether you have a legal obligation or not, it is in your interest to educate yourself and your franchisees, and to provide information in this area. By reducing the risk for a franchisee's breach, you reduce the risk to yourself.'