Data Breach Risk and Responsibility in Franchise Systems

10/07/2015 / Mark Robertson

Every franchise system uses common technology systems to facilitate system-wide customer service standards and system reporting. Problems with technology and IT systems are easily foreseeable, including data breaches, viruses, service interruptions, inconsistent databases, outdated data, end-of-term data transfers, inappropriate uses of data and more, but are often not covered by existing contractual provisions with franchisees. When these problems arise, implied IT warranties, express warranties, disclaimers, limitations on liability, exposures to and limitations of consequential damages, system requirements related to confidentiality and privacy, and many more IT-specific legal provisions that are not customarily included in longer-term franchise agreements all create ambiguity and risk the introduction of unintended parol evidence that is inconsistent with the underlying franchise relationship.

In one recent case, Federal Trade Commission v. Wyndham Worldwide Corp., No. 14-3514 (3rd Cir. 2015), the U.S. Third Circuit Court of Appeals confirmed that potential grounds for liability in these types of cases could include governmental action under the FTC Act related to the franchise system's privacy policy. FTC-related claims can also lead to state-based, "little FTC" claims under state equivalent laws that may follow FTC precedents, with resulting private actions and class actions.

The appellate decision in the Wyndham case was interlocutory, following a motion to dismiss. The facts, which remain to be adjudicated, relate to application of a privacy policy to three data breaches from 2008 and 2009, starting with the local, networked third-party property management system at a Phoenix, Arizona hotel.

The Wyndham case to date highlights the utility of separate IT agreements to delineate responsibility for claims like these and other technology system issues. At least some of the breaches at issue arose at the individual business unit level, in franchisor-mandated, but third party-supplied, systems. In the hotel industry, that often includes property management systems, central reservation systems, revenue management systems, customer wireless systems, and point of sale systems.

Through brand standards and independent technology agreements, franchisors often require that franchisees only use certified systems, to ensure that reasonable efforts are carried out throughout the system to maintain data security, covering franchisee-provided hardware, software, services, networks and systems, as well as franchisor-certified and franchisor-provided technology. Brand standards and independent technology agreements also help to ensure that the extensive implied and customary obligations related to technology are not read into a non-technology relationship in a manner inconsistent with the franchise agreements. Franchise systems represent an economic model built around the principle that the franchise owner garners the operating profits and assumes all responsibilities related to unit operations, while the franchisor provides only the brand-unique aspects of the overall business model. That model should not be inadvertently expanded when facilitated by technology built around different assumptions.

Franchisors need to ensure their technology requirements do not create unintended grounds to argue that the franchisor is a for-profit technology provider or that the franchisor has assumed representations, warranties, and other technology commitments customarily related to provision or facilitation of technology. Franchisors also need to ensure that data security problems, when they arise, remain each unit's responsibility, subject to the same general assumptions that govern the franchise agreement, including indemnities and responsibility for damages arising from operations.

These reasonably foreseeable technology problems highlight the need for specific, rolling IT agreements with franchisees to cover technology subject matters that are very detailed and constantly changing, usually much faster than other aspects of the franchise relationship. Franchise brand standards and owned and managed unit operating standards dealing with data security and privacy are also necessary, as well as periodic reviews of the standards to ensure that they take into account legal, business, and technology developments in this fast-changing data security field. IT agreements between the franchisor and the franchisee and between certified third-party vendors and the franchisee should be included in franchise disclosure documents to ensure that prospective franchisees are aware of their respective responsibilities in regard to IT systems. Finally, system vendor agreements (e.g., data center and call center outsourcing, point of sale systems, property management systems, central reservation systems, revenue management systems, and more) should incorporate the internal system policies into the vendors' contractual compliance and reporting requirements, since the vendors are backstopping the internal services and the external commitments made to system customers.

Larkin Hoffman has extensive experience with franchise system outsourcing agreements, information technology agreements, and privacy and data security brand standards, as well as data breach handling for franchise systems. To help in implementing standards, agreements, and systems before problems occur, please contact Chuck Modell, Joe Fittante, or Mark Robertson.