Data Breach Risk and Responsibility in Franchise Systems
Every franchise system uses common technology systems to facilitate system-wide customer service standards and system reporting. Problems with technology and IT systems are easily foreseeable, including data breaches, viruses, service interruptions, inconsistent databases, outdated data, end-of-term data transfers, inappropriate uses of data and more, but are often not covered by existing contractual provisions with franchisees. When these problems arise, implied IT warranties, express warranties, disclaimers, limitations on liability, exposures to and limitations of consequential damages, system requirements related to confidentiality and privacy, and many more IT-specific legal provisions that are not customarily included in longer-term franchise agreements all create ambiguity and risk the introduction of unintended parol evidence that is inconsistent with the underlying franchise relationship.
In one recent case, Federal Trade Commission v. Wyndham Worldwide Corp., No. 14-3514 (3rd Cir. 2015), the U.S. Third Circuit Court of Appeals confirmed that potential grounds for liability in these types of cases could include governmental action under the FTC Act related to the franchise system’s privacy policy. FTC-related claims can also lead to state-based, “little FTC” claims under state equivalent laws that may follow FTC precedents, with resulting private actions and class actions.
The appellate decision in the Wyndham case was interlocutory following a motion to dismiss. The facts, which remain to be adjudicated, relate to application of a privacy policy to three data breaches from 2008 and 2009, starting with the local, networked third party property management system at a Phoenix, Arizona hotel.
The Wyndham case to date highlights the utility of separate IT agreements to delineate responsibility for claims like these and other technology system issues. At least some of the breaches at issue arose at the individual business unit level, in franchisor-mandated, but third party-supplied, systems. In the hotel industry, that often includes property management systems, central reservation systems, revenue management systems, customer wireless systems, and point of sale systems.
Through brand standards and independent technology agreements, franchisors often require that franchisees only use certified systems, to ensure that reasonable efforts are carried throughout the system to maintain data security, covering franchisee-provided hardware, software, services, networks and systems, as well as franchisor-certified and franchisor-provided technology. Brand standards and independent technology agreements also help to ensure that the extensive implied and customary obligations related to technology are not read into a non-technology relationship in a manner inconsistent with the franchise agreements. Franchise systems represent an economic model built around the principle that the franchise owner garners the operating profits and assumes all responsibilities related to unit operations, while the franchisor provides only the brand-unique aspects of the overall business model. That model should not be inadvertently expanded when facilitated by technology built around different assumptions.
Franchisors need to ensure their technology requirements do not create unintended grounds to argue that the franchisor is a for-profit technology provider or that the franchisor has assumed representations, warranties, and other technology commitments customarily related to provision or facilitation of technology. Franchisors also need to ensure that data security problems, when they arise, remain each unit’s responsibility, subject to the same general assumptions that govern the franchise agreement, including indemnities and responsibility for damages arising from operations.
These reasonably foreseeable technology problems highlight the need for specific, rolling IT agreements with franchisees to cover technology subject matters that are very detailed and constantly changing, usually much faster than other aspects of the franchise relationship. Franchise brand standards and owned and managed unit operating standards dealing with data security and privacy are also necessary, as well as periodic reviews of the standards to ensure that they take into account legal, business, and technology developments in this fast-changing data security field. IT agreements between the franchisor and the franchisee and between certified third party vendors and the franchisee should be included in franchise disclosure documents to ensure that prospective franchisees are aware of their respective responsibilities in regard to IT systems. Finally, system vendor agreements (e.g., data center and call center outsourcing, point of sale systems, property management systems, central reservation systems, revenue management systems, and more) should incorporate the internal system policies into the vendors’ contractual compliance and reporting requirements, since the vendors are backstopping the internal services and the external commitments made to system customers.
Larkin Hoffman has extensive experience with franchise system outsourcing agreements, information technology agreements, and privacy and data security brand standards, as well as data breach handling for franchise systems. To help in implementing standards, agreements, and systems before problems occur, please contact Chuck Modell, Joe Fittante, or Mark Robertson.