The 21st century is clearly the age of cybercrime, and franchise companies should be especially concerned because, simplistically, there are only two types of computer systems: those that have been hacked, and those that will be hacked. Franchise companies are uniquely vulnerable in two areas because they possess massive collections of personally identifiable information (“PII”), and they have substantial asset bases of intangible property. Both the PII and the intangible assets can be easily copied without leaving the premises. Any transaction involving a card with a magnetic strip involves risk, and any franchise company's computer system designed to allow access to multiple users (such as franchisees, vendors, suppliers, etc.) poses an enormous risk of being penetrated. All companies using e-mail or the Internet are vulnerable; firewalls offer no protection once a hacker has infiltrated.
And things are going to get worse. Speaking to the BBC for a report on technology, Mikko Hypponen, chief research officer at F-Secure, an IT security firm based in Helsinki, Finland, said last year, “Crime tends to rise when you have more unemployment. If you look, in general, where the attacks are coming from you can find social reasons behind them.” Experts at the 2009 World Economic Forum in Davos, Switzerland, called for a new system to tackle well-organized gangs of cybercriminals, and they claimed that online theft costs $1 trillion a year, that the number of attacks is rising sharply, and that too many people do not know how to protect themselves.
Even if you can protect your system from outsiders, a franchise company can still be easily betrayed from within. “The damage that insiders can do should not be underestimated. It can take just a few minutes for an entire database that has taken years to build to be copied to a CD or USB stick,” said Adam Bosnian, a spokesman for Newton, MA-based Cyber-Ark, a developer of “digital vaults” for securing electronic information.
“With a faltering economy, companies need to be especially vigilant about protecting their most sensitive data against nervous or disgruntled employees,” Bosnian told the BBC. A prime example of this is the recent case of mortgage giant Fannie Mae, which narrowly avoided a software time bomb set to destroy all data on its computers. Federal authorities allege that a disgruntled contractor embedded malicious code in Fannie's system, set to go into effect on all 4,000 of the company's servers months after he was gone. The code was tucked at the end of a legitimate software program scheduled to run each morning and was discovered only by chance by another Fannie technician.
According to the Identity Theft Resource Center, based in San Diego, breaches were up more than 25% in 2008 and affected more than 35.7 million people. “This may be reflective of the economy, or the fact that there are more organized crime rings going after company information using insiders,” said Linda Foley, the Center's co-founder. “As companies become more stringent with protecting against hackers, insider theft is becoming more prevalent.”
Accordingly, a franchise company must evaluate its risk to determine and implement appropriate policies and procedures. The authors have formulated a “Chan Scale of Cyber In-Security,” which can provide franchise companies a framework for considering the potential harm that can be caused:
1 Chan: Low risk. A hacker has gained entry to the system, but minimally. Minor risk of business disruption, but the access can aid attackers in gathering information and planning future attacks.
2 Chans: Medium. “Malware” has been implanted in the company's network that could cause malfunctions and mischief. Significant risk of a business disruption that could result in financial loss and/or damage of goodwill.
3 Chans: Medium-to-high. Using sniffers or other equipment, hackers have obtained PII from point-of-sale systems. Significant risk of business disruption that could create financial loss and/or damage of goodwill.
4 Chans: High. Often an inside job in which data are stolen by a disgruntled employee. Serious risk of business disruption that would result in financial loss and damage of goodwill; customers' PII may be vulnerable, as well as the company's confidential information and financial information.
5 Chans: Critical. Hackers have breached the system and can access PII as well as the company's financial information and confidential information. Severe risk of business disruption, financial loss, and damage of goodwill. System, applications, and database have been compromised.
In light of such exposure, franchise companies may have to reach out to members of the organization with diverse areas of expertise, including legal, technical, risk management, finance, and crisis management. Here are 20 questions about cybersecurity that need to be answered. (For an exhaustive review of this subject, see The Financial Impact of Cyber Risk, published jointly in 2008 by the American National Standards Institute and the Internet Security Alliance. The report provided the basis for many of the questions herein.)
General
1) What is the definition of cyber security?
Answer: The protection of any computer system, software program, and data against unauthorized disclosure, transfer, modification, or destruction, whether accidental or intentional. Cyber-attacks can come from internal networks, the Internet, or other private or public systems.
2) Is cybercrime on the rise?
Answer: On average, there has been a reported cybersecurity event every single day since 2006. Thefts of PII have been reported regularly in the media, but other types of attacks against public and private entities, though much less often reported, have resulted in data destruction, downtime, etc.
3) What financial exposure attaches to cybercrimes?
Answer: Major liability may be incurred from individual litigation, class litigation, regulatory investigation, contract dispute, loss of customers, reputation damage, data theft, denial of service, cyber terrorism, cyber extortion, and fraud.
Questions for the Company's Lawyer
4) Has the company's cyber liability been analyzed?
Answer: Potential liabilities may relate to the information kept by the company, its vendors, or third parties.
5) Has cyber protection been built into contracts with vendors?
Answer: Wherever possible, vendors (especially applications vendors) should be required to warrant that company data are appropriately protected and should be required to indemnify the company for losses arising from cybersecurity breaches that are the fault of the vendor. Furthermore, contracts should require that vendors have network security insurance, which shifts the financial burden for losses to the insurer. The other benefit of insurance is that, typically, it indicates that a third party (the insurer) has thoroughly evaluated the vendor's cybersecurity systems.
6) Has the cyber risk to trade secrets and other IP been assessed?
Answer: Confidential operating manuals, trade secrets, and other intellectual property are the mainstays of franchise systems. Because these usually are held in electronic or digital form, they are easily subject to misappropriation through a cyber attack. Unlike the theft of physical assets, a theft of digital assets leaves the stolen asset behind, which makes the theft much more difficult to discover, so that without penetration testing and proper monitoring, a franchise company may not even know it's been compromised.
7) What can be done to mitigate cyber risk, and how often should a franchise company conduct a cyber analysis or cyber audit?
Answer: Performing comprehensive reviews of all systems and system logs at least quarterly is essential. Franchise companies also must perform a legal audit of all applicable regulations, vendor contracts, internal procedures, and policies to deal with potential thefts of PII. In the event of a breach, the audit trail will help to keep the costs of litigation under control.
8) Has the company analyzed what regulations (federal, state, local, and global) exist with respect to cyber data, and whether or not the company is in compliance?
Answer: Some statutes addressing liability include:
In the 21st century, a company cannot expect to claim ignorance of applicable regulations and get away with it.
9) How is compliance monitored on an ongoing basis?
Answer: In the event of a security breach, a company must be able to demonstrate that it had reasonable processes in place to ensure compliance with regulations, including access controls and visible audit trails. Without these processes, a company's potential liability increases.
10) Does the company have policies in place with respect to data retention, data destruction, privacy policies, and disclaimers to customers?
Answer: If a security breach occurs, the company should expect a regulatory investigation. Unless the company is able to show that its policies were well documented, up-to-date, and observed, it will risk significant fines, agency oversight, or worse. The policies must be more than mere window dressing; failure to conform to a company's own stated, internal policies may be worse than having no policies at all.
Questions for the Technology Team
11) Is there a companywide compendium or directory of what regulated data the company has, where it exists, and what format it's in?
Answer: If there is, it must be regularly reviewed. If the directory doesn't exist, it must be created.
12) How vulnerable are the confidentiality, integrity, and availability of the company's data systems?
Answer: Confidential information includes anything a company wants to keep out of the hands of competitors and the public. Examples include recipes, operations manuals, customer lists, and personal data about executives and employees. There must be a plan in place to keep this information secure, and it is also important to maintain the integrity (i.e., the accuracy) of the company's records and the availability of systems to keep the business running (e.g., to avoid or contain a denial-of-service attack). The cost of downtime can be devastating.
13) Does the company have physical security controls at each of its sites (data center, home office, franchisees, or other sites)?
Answer: Physical security, which is relatively low-tech, can easily be overlooked in the process of protecting digital assets. Nonetheless, good cybersecurity practices must include appropriate barriers to the accidental or malicious access to vital systems by unauthorized persons, such as keeping them away from company computers.
14) How often does the company re-evaluate its technical exposure?
Answer: Although a security plan might be sufficient at any one point in time, new techniques for exploiting vulnerabilities are always being developed by hackers. In order to provide long-term protection, the franchise must have personnel and processes in place to stay current on new types of threats and must engage in regular, periodic internal penetration and security testing.
Questions for the Crisis Management Team
15) Has the company prepared incident response and business continuity plans based on a full understanding of the potential financial impact of a crisis? And has the company conducted “fire drills” to see if its plans work?
Answer: Unfortunately, there is no way to ensure protection against cyber attacks 100% of the time. This makes careful planning and flawless execution of a crisis management plan a necessity. The company should conduct mock drills on a regular basis, evaluate the performance of all components, and make adjustments to remedy any deficiencies.
16) If the company's computer system is penetrated, does the company's crisis communications plan include provisions to advise all necessary parties about the situation? If there's a cybersecurity event involving PII, does the company have an existing set of procedures to identify who must be notified and how to do it?
Answer: Many regulators demand prompt notification of individuals affected by a data security breach. The company must have protocols in place to communicate the required details to the regulators and the affected populations quickly and accurately.
17) Does the company have a budget and reserves to account for a cyber event? Is it reflected in the company's financials?
Answer: The expense of dealing with a cybersecurity event can come as a shock. According to some studies, the average cost of basic notification for a large data breach can be $1-$2 per customer record and may reach $3-$6 if call center services are required. According to research from the Ponemon Institute, a security research firm, the cost of data breaches in 2007 was $202 per compromised record.
Questions for the Franchise Executive in Charge of Insurance
18) Does the company have insurance to cover cyber events? Is there a provision regarding PII?
Answer: This must be carefully reviewed with the company's property and casualty (P&C) carrier because most policies focus on damage to tangible assets only.
19) Does the policy cover identity theft?
Answer: Many policies do, and many identity theft risk-management services include personal identity theft insurance as part of the service.
20) Will the franchise company's directors and officers face increased potential liability if they don't get cyber insurance?
Answer: Failure to obtain insurance against financial loss may be grounds for a management liability suit by shareholders. Yet, most D&O policies have an exclusion for a “failure to obtain insurance” claim.
Conclusion
Any franchise company that doesn't recognize the enormity of its potential exposure and liability to cybercrime is delusional. All franchise companies must, at a minimum, learn to search for and keep track of vulnerabilities; hold vendors responsible for supplying patches or fixes in a timely manner; check user access to software programs; and mandate the use of passwords by all authorized employees.
Most importantly, franchise companies must conduct penetration testing of all corporate networks and Internet-facing applications to see, among other things, if there have been penetrations, if there is any unapproved software (such as peer-to-peer file-sharing software) installed, or if anything else can compromise the company's confidential data. These prophylactic reviews must be done regularly and done by security professionals. IT departments are usually well-informed about applications and networks, but in-house IT staff might not be as current about data protection and information security.
Franchise companies are well advised to start evaluating their technology risk as soon as possible, before the hackers beat them to it. The Financial Impact of Cyber Risk report concluded, “An organization that is unprepared to avert or manage a data breach can suffer severe financial losses and irreparable damage to its reputation and customer base. Conversely, when an organization is prepared and responds skillfully to a cyber threat, the crisis can go down as an event that cements customer loyalty and a positive brand image.”
Henfree Chan and Bruce S. Schaeffer are co-founders of Franchise Technology Risk Management (http://www.ftrm.biz/), a unit of Franchise Valuations, Ltd. in New York City. Chan is a senior information security professional, formerly with Deutsche Bank and Goldman Sachs. Schaeffer is a franchise attorney specializing in valuations, damages, and tax issues of franchise operations. He can be reached at 212-689-0400 or [email protected].