A recent article about a data breach at a Marriott franchise highlights an emerging cyber insurance issue for franchisors, and indeed for all companies involved in contractual relationships that expose them to liability for cyber risks over which they may have little control.
The article reports that a Marriott franchisee had a seven-month-long data breach relating to the food and beverage point-of-sale (POS) system at ten of its hotels. Unfortunately, this kind of scenario is becoming commonplace: hackers exploiting weaknesses in POS security to obtain credit card numbers, often focusing on heavy users of POS systems like restaurants. But the franchise aspect of this incident clearly adds some wrinkles worth considering. I reached out to my partner Shannon McCarthy, a member of our franchise & distribution practice group and frequent contributor to our firm's blog on franchise issues -- ZorBlog -- for some thoughts.
Shannon first confirmed that, in the event of a consumer lawsuit over a data breach, the franchisor will likely be sued along with the franchisee. Franchisors are typically viewed as a "deep pocket," and so the plaintiff may seek to hold the franchisor directly or indirectly liable for the breach. A franchisor might be liable if it controlled the consumer data, if it contractually required the franchisee to use a certain system or provided the system itself, or if it exercised control over the way the franchisee collected or used the data. As examples, Shannon pointed me to both the FTC suit against Wyndham Hotel Group and the consumer class action (and related FTC action) against the rent-to-own franchisor Aaron's, Inc.
In the Wyndham case the FTC alleged that the hotelier, which operates through over 90 franchisees, was itself liable for data breaches at its franchise locations because the franchisor had made representations on its own website about data security, because it "allowed" franchisees to use improper software and lax security practices, and because its own data systems did not encrypt consumer information. Wyndham has pushed back against the FTC's claims, has appealed an early ruling that the FTC has jurisdiction to pursue the claims, and recently defeated a related derivative action in federal court.
In the Aaron's case, customers who rented laptops sued the franchisees and the franchisor, alleging that spyware on the laptops captured keystrokes, browsing history, and screenshots, and took pictures of the customers using the computer's built-in camera, invading the customers' privacy. (The customers' case was recently reinstated by the Third Circuit after having been dismissed on procedural grounds.) The customer suit follows on the heels of a consent decree that Aaron's reached with the FTC, in which the franchisor essentially admitted that it not only knew about the practice but actively participated in providing the software to its franchisees. (Given that settlement, it may be difficult for Aaron's to deflect responsibility to its franchisees.)
Where does insurance fit into all of this? First, franchisors (like all businesses) should assess whether they themselves are adequately covered for cyber losses, including whether their traditional insurance policies carry endorsements specifically excluding data-breach liability or first-party losses, and whether they should purchase specific "cyber insurance." In making this assessment, franchisors should take into account all of the potential risks they face beyond just regulatory or class-action consumer lawsuits; for example, credit-card issuers and banks may file suit seeking to recover their costs for writing off fraudulent charges and issuing new cards.
Second, franchisors should consider the requirements that they impose on franchisees with regard to cyber-security practices. For example, franchisors might incorporate into their franchise agreements some of the security standards and "best practices" being developed by cyber-security organizations. Of course, this brings into play the tension that has always existed between maintaining enough separation from the franchisee that liability could be avoided altogether, wanting to protect the brand by ensuring that the franchise is run competently, not imposing unreasonable burdens on franchisees, and business interests that may require a certain amount of intermingling of operations. (For example, one of the key advantages of owning a hotel franchise is access to the unified reservations and loyalty-reward programs operated by the franchisor.)
Finally, because preventing data breaches or liability claims may be impossible, franchisors should evaluate whether to require their franchisees to carry cyber insurance, and whether those insurance policies can provide protection to the franchisor. Much as general contractors require subcontractors to carry insurance providing "additional insured" protection if the general is sued because of the subs' negligence, some cyber insurance programs purchased by a franchisee could be made to assist a franchisor in the event of a data breach caused by a franchisee's error. However, because cyber insurance is not being written on standardized forms, it is not possible simply to specify in a franchise contract that a specific ISO additional insured endorsement be used. Instead, franchisors would be well served to work out requirements language with their franchisees that takes into account evolving norms in the insurance industry regarding policy language, sub-limits, and other aspects of cyber insurance. What will likely be needed here, as with almost all things in the cyber insurance world, is a team approach involving counsel, insurance broker, and business people.