A recent article about a data breach at a Marriott franchise highlights an emerging cyber insurance issue for franchisors, and indeed all companies involved in contractual relationships that expose them to liability for cyber risks over which they may have little control.
The article reports that a Marriott franchisee had a seven-month-long data breach relating to the food and beverage point-of-sale (POS) system at ten of its hotels. Unfortunately, this kind of scenario is becoming commonplace – hackers exploiting weaknesses in POS security to obtain credit card numbers, often focusing on heavy users of POS systems like restaurants.
But the franchise aspect of this incident clearly adds some wrinkles worth considering. I reached out to my partner Shannon McCarthy, a member of our franchise & distribution practice group and frequent contributor to our firm’s blog on franchise issues — ZorBlog — for some thoughts.
Shannon first confirmed that in the event of a consumer lawsuit over a data breach the franchisor will likely be sued along with the franchisee. Franchisors are typically viewed as a “deep pocket,” and so the plaintiff may seek to hold the franchisor directly or indirectly liable for the breach. A franchisor might be liable if it controlled the consumer data, if it contractually required the franchisee to use a certain system or provided the system itself, or if it exercised control over the way that the franchisee collected or used the data. As examples, Shannon pointed me to both this FTC suit against Wyndham Hotel Group and the consumer class action (and related FTC action) against the rent-to-own franchisor Aaron’s, Inc.
In the Wyndham case the FTC alleged that the hotelier, which operates through over 90 franchisees, was itself liable for data breaches at its franchise locations because the franchisor had made representations on its own website about data security, because it “allowed” franchisees to use improper software and lax security practices, and because its own data systems did not encrypt consumer information. Wyndham has pushed back against the FTC’s claims: it has appealed an early ruling that the FTC has jurisdiction to pursue the claims, and it recently defeated a related derivative action in federal court.
In the Aaron’s case, customers who rented laptops sued the franchisees and the franchisor, alleging that spyware on the laptops captured keystrokes, browsing history, and screenshots, and took pictures of the customers using the computer’s built-in camera, invading the customers’ privacy. (The customers’ case was recently reinstated by the Third Circuit after having been dismissed on procedural grounds.) The customer suit follows on the heels of a consent decree that Aaron’s reached with the FTC in which the franchisor essentially admitted that it not only knew about the practice but actively participated in providing the software to its franchisees. (Given that settlement, it may be difficult for Aaron’s to deflect responsibility to its franchisees.)
Where does insurance fit into all of this? First, franchisors (like all businesses) should assess whether they themselves are adequately covered for cyber losses, including whether their traditional insurance policies carry endorsements specifically excluding data-breach liability or first-party losses, and whether they should purchase specific “cyber insurance.” In making this assessment franchisors should take into account all of the potential risks that they face beyond just regulatory or class-action consumer lawsuits; for example, credit-card issuers and banks may file suit seeking to recover their costs for writing off fraudulent charges and issuing new cards.
Second, franchisors should consider the requirements that they impose on franchisees with regard to cyber-security practices. For example, franchisors might incorporate into their franchise agreements some of the security standards and “best practices” being developed by cyber-security organizations. Of course, this brings into play the tension that has always existed between maintaining enough separation from the franchisee that liability could be avoided altogether, wanting to protect the brand by ensuring that the franchise is run competently, not imposing unreasonable burdens on franchisees, and business interests that may require a certain amount of intermingling of operations. (For example, one of the key advantages of owning a hotel franchise is access to the unified reservations and loyalty-reward programs operated by the franchisor.)
Finally, because preventing data breaches or liability claims may be impossible, franchisors should evaluate whether to require their franchisees to carry cyber insurance, and whether those insurance policies can provide protection to the franchisor. Much as general contractors require subcontractors to carry insurance providing “additional insured” protection if the general is sued because of the subs’ negligence, some cyber insurance programs purchased by a franchisee could be made to assist a franchisor in the event of a data breach caused by a franchisee’s error. However, because cyber insurance is not being written on standardized forms, it is not possible to simply specify in a franchise contract that a specific ISO additional insured endorsement be used. Instead, franchisors would be well served to work out requirements language with their franchisees that takes into account evolving norms in the insurance industry regarding language, sub-limits, and other aspects of cyber insurance. What will likely be needed in this, as with almost all things in the cyber insurance world, is a team approach involving counsel, insurance broker, and business people.