
Protecting Personal Data in Franchise Systems: New Notification Laws

By Nick Akerman and Gary R. Duvall
February 26, 2008

Over the past four years, 38 states have enacted laws mandating consumer notifications if there is a theft of personal data from a company's computers. The Federal Trade Commission ("FTC") has brought enforcement actions against companies for not properly protecting sensitive personal data. These state and federal laws are in addition to general privacy laws and policies that require advance disclosures to those giving personal information.

How can a franchisor or multi-state franchisee comply with 38 state laws and with the FTC determinations? This article provides an overview of how to reduce potential liability. It will also discuss how franchisors with access to customer data of their franchisees should implement mandatory programs for their systems.

Variations Among the Statutes

California was the first state to legislate a response to identity theft, in 2003, by enacting Cal. Civ. Code § 1798.82 et seq., requiring any business or person "that maintains computerized data that includes personal information that the person or business does not own … [to] notify the owner or licensee of the information of any breach of the security of the data, immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person." Id. at § 1798.29(a). The statutory purpose is to provide sufficient notice to individuals whose personal information has been stolen so they can take steps to prevent thieves from using that information to empty their bank accounts or use their credit cards.

Thirty-seven states have followed California's lead by enacting similar consumer notification laws, and legislation is pending in an additional 10 state legislatures. The requirements of these 37 statutes, while strikingly similar to the California statute, are not uniform, and the remedies and penalties for failing to provide proper notice vary. Some states, like California, permit civil actions by consumers, including class action lawsuits and the recovery of attorney's fees. Id. at § 1798.84. New York vests enforcement in its state attorney general, and it allows for fines up to $150,000. N.Y. Gen. Bus. Law § 899-aa6(a). Fines in Florida can range up to $500,000. Fl.Stat. Ann. 817.5681(1)(b)(2).

Enforcement Actions

On the federal level, the FTC has taken the lead, finding the failure to secure personal data an unfair business practice. 15 U.S.C. § 45(a). Two enforcement actions stand out. In June 2005, the FTC entered into a settlement agreement with BJ's Wholesale Club ("BJ's") for not properly protecting the personal information of thousands of its customers. The FTC required BJ's to implement a comprehensive information security program, subject to audit for the next 20 years. In January 2006 the FTC settled with ChoicePoint, a consumer data broker that had compromised more than 163,000 consumer financial records, for a similar 20-year stipulated judgment, in addition to $10 million in penalties and $5 million in consumer redress.

The primary goal of this regulatory scheme, both the FTC's and the state statutes', is to encourage companies to protect personal data. The state statutes define personal information to include non-public information such as Social Security numbers, driver's licenses, or state identification cards, and an "[a]ccount number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account." 815 Ill. Comp. Stat. 530/5. This past October, California amended its statute to include medical and health insurance information. Cal. Civ. Code § 1798.29(e)(4)(5). Many of the statutes encourage companies to protect personal data by maintaining it in encrypted or redacted form: such data is automatically exempt from the notification requirement. The FTC in the BJ's enforcement action, however, focused on the company's failure to employ a whole variety of proper security measures beyond encryption to protect the personal data.

The state notification statutes, unlike the FTC regime, are principally designed to prevent identity theft by requiring companies to notify individuals when their personal data has been compromised through a data breach. Even if a company that is the subject of a data breach is not located in one of the 38 states where notification laws exist, notification is required if the company conducts business in a state where an individual whose data was compromised resides. See, e.g., Id. at § 1798.82(a). Each of the 38 state statutes sets forth various ways this notification may be accomplished. These may include direct mailing, e-mailing, telephonic and public notices, and, in some situations, posting notice of the breach on a public Web site.

The timing of the notice is obviously critical. The California statute, like those of most of the other 37 states, requires the notice to "be made in the most expedient time possible and without unreasonable delay." Cal. Civ. Code § 1789.29(a). Wisconsin defines a reasonable time as "not to exceed 45 days after the entity learns of the acquisition of personal information." WI ST 895.507(3). Texas requires notification "as quickly as possible." Tex. Bus. & Com. Code § 48.103(b). Also, most of the statutes permit notifications in accordance with "an information security policy" so long as its "procedures are otherwise consistent with the timing requirements" of the statute. See, e.g., Del. Code Ann. tit. 6 § 12B-103. The statutes also contain exceptions to these timing requirements that must be consulted.

One difficulty arises for companies in the ambiguous circumstance when there may not be sufficient evidence to conclude that personal information "is reasonably believed to have been acquired by an unauthorized person." Cal. Civ. Code § 1798.29(a). Should a company make a notification in this situation? For most businesses, this is a critical issue, since notification does not send a positive message to customers, who will likely blame the business for mishandling their personal data. For example, the fact that two customers who used their credit cards on a Web site report to the Web site owner that their cards have been used fraudulently does not necessarily mean that all of the Web site's credit card information has been breached. Whether the fraudulent use of these two credit cards is coincidental or is the result of a security breach can only be resolved by a thorough investigation. Some state statutes give guidance on the required investigation to determine the likelihood that personal information will be misused for identity theft or fraud purposes.

Franchisor Concerns

Some franchisors, such as those in the hotel industry, attempt to control all customer data, in part to reduce liability under the privacy laws. Franchisees generally prefer to own their customer data, and they may resist franchise agreements that give franchisors control. Franchisors should at least require franchisees to comply with general privacy laws and with the new notification laws.

Franchisors must also warn franchisees that their names and addresses will become public under new Franchise Disclosure Document Guidelines. However, more sensitive franchisee data must be protected under general privacy and the new notification laws.

Measures to Reduce Liability

Franchisors and franchisees would be well-advised to take steps to minimize the potential for a security breach of a customer database. This begins with thorough, up-to-date encryption, redaction, and other security measures for data on company computers. The protection of personal information should be a prime focus of any corporate compliance program. For that reason, the New York Stock Exchange ("NYSE") requires its members to establish a compliance program that includes the protection of "all non-public information that might be … harmful to … its customers, if disclosed." NYSE's Listed Company Manual, § 303A, § 10.

A franchisor also should take the following steps:

• Conduct an immediate investigation whenever facts emerge that suggest a breach of personal data. A plan should be in place to deal with data breaches so an informed decision can be made immediately whether notice needs to be provided to law enforcement or consumers, or whether the company should employ self-help by filing an immediate court action to retrieve the stolen data.

• Notify the appropriate law enforcement agency if it is determined that a security breach occurred. Research state laws.

• Maintain accurate and complete documentation whenever the possibility of a data breach is raised: the facts known about the alleged breach, the steps taken to determine whether a breach occurred, and all communications with law enforcement. It is critical to create a contemporaneous record that may later be viewed by government regulators or private litigants, particularly if the decision is made not to notify consumers or law enforcement, to show that the company acted expeditiously and responsibly in its response to the data breach.

• Finally, franchisors should require franchisees in their franchise agreements to comply with these notification laws and with general privacy laws. The franchise agreement should allow the franchisor to take each of the steps outlined above. For customer and franchisee data under their control, franchisors should take the same steps as do other companies.

Nick Akerman is a partner in the New York office of Dorsey & Whitney who specializes in the protection of trade secrets and computer data; he can be contacted at 212-415-9217. Gary R. Duvall is a partner in the firm's Seattle office, specializing in franchising and licensing; he can be contacted at 206-903-8700. Portions of this article were published in The National Law Journal, a sister publication of this newsletter.
