Lee Plave of Plave Koch PLC looks at the impact of the digital revolution on the franchise industry.
"The greatest change of the modern era – the digital revolution – presents an ever-evolving array of challenges for all players in society – companies, their counsel, their vendors, their customers and even their governments."
Heraclitus of Ephesus, a Greek philosopher who lived approximately 2,500 years ago, observed that “there is nothing permanent except change”. More recently, the science fiction writer Isaac Asimov famously repeated that thought with his expression that “the only constant is change”.
The greatest change of the modern era – the digital revolution – presents an ever-evolving array of challenges for all players in society – companies, their counsel, their vendors, their customers and even their governments. As citizens, every day we create dozens of “digital footprints”, each of which may reveal significant information about us. Taken together, those digital footprints can provide a third party or a government with a rather comprehensive view of our activity. Businesses that collect and maintain data have a duty to do so responsibly. Lawyers who work with those businesses are challenged to help them understand and meet their obligations with respect to customer, business, supply chain, and transactional data.
Data gathering and use can facilitate a closer and more focused relationship between a business and its customers. Indeed, a modern business may be unable to function – or simply unable to compete effectively – if it does not collect and use data from its customers. This data may include personally identifiable information (PII) gathered in a transaction, website entries, mobile applications, social media and social networking sites, or digital venues yet to be invented. But gathering, keeping, and using that data requires that businesses keep a keen eye on the vulnerability that data collection, use, and storage creates. Indeed, the loss of consumer data may very well represent one of the most existential challenges that businesses confront, perhaps only second to physical safety threats (such as the threat presented to foodservice businesses by foodborne illnesses).
Why should a franchisor be concerned with data safety – especially if the franchise concept seems to have nothing to do with data? For example, why should a restaurant or dry cleaner care about data? The answer is that in the 21st century, all businesses collect some personal data, even if the business is not a financial planning institution or bank. Most commonly, PII is transferred from a customer’s credit card when the customer pays for their meal or their dry cleaning. Consumers may be less inclined to patronise an establishment that has had credit card thefts or other data breaches. One franchisee’s bad reputation – whether through actual data breach or just a customer complaint of improper handling of personal information – will become widely known and potentially impact franchisees located far away. In effect, a data breach puts the brand’s reputation at risk.
Companies face real-world challenges from hackers – who constantly create more and more cunning versions of their malware (worms, Trojan horses, viruses and malicious codes). According to the Arizona Republic, in 2007 there were approximately 1 million malicious programmes written to steal information; by 2013, that number had risen to 130 million. On any given day, readers of this analysis will receive an e-mail ostensibly seeking help in moving a large sum of money across international borders. By now, those e-mails are recognised as “phishing”. But increasingly, we receive e-mails that look authentic and appear to come from a trusted address, a reliable source (such as a copier in the office) or a legitimate business. The links in those e-mails frequently lead to a small bit of malicious code. A single individual who clicks on that link may expose his or her entire organisation to the malware or attack from a third party.
Increasingly, cyber-challenges to businesses come from across a border, and can be mounted by parties – if not governments – anywhere around the globe. The president of the United States noted in his Executive Order on Improving Critical Infrastructure Cybersecurity: “The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront.” And the threat to businesses is not exclusively from hackers, either in the company’s home country or abroad. Disgruntled or former employees may simply take data when they leave. Well-intentioned employees may accidentally take down the company’s network by clicking on a link or an attachment in an innocuous-looking e-mail. One franchisee’s employee may do the same in an integrated network of franchisees and the franchisor. A mobile payment app can gather information that might have seemed useful but that is not essential, and that “spare” information – stored on a server somewhere in the company – can be reached as a result of a hack or an innocent click. Each such action may not only expose the company’s data to outside parties, creating vulnerability to the company and liability for the breach, but may also lead to negative publicity that could pose a fundamental threat to the brand. All of this suggests that the in-house and outside counsel must be informed, proactive and helpful to their clients in warding off and addressing these problems, which are an inevitable part of doing business.
In the United States, the European Union and elsewhere, the rules are changing with respect to the obligation of companies to protect the data that they collect. In the US, states have been far more active than the federal government. For example, in 1974, California citizens added a “right to privacy” to their state constitution via ballot initiative while Ronald Reagan served as governor. In 2002, California became the first state to adopt a data-breach notification law; in the decade since then, 46 states plus DC, Guam, Puerto Rico and the US Virgin Islands have also implemented data breach notification laws. Almost all of the states have adopted parallel legislation allowing individuals the right to place a security freeze on their credit reports in the event of a data breach. The State of Illinois adopted a PII data disposal law in 2012 and thus led the movement of 31 states that now require paper documents and electronic media containing PII to be destroyed so that personal information could not be practicably read or reconstructed. At the federal level, the Fair and Accurate Credit Transactions Act (FACT Act) passed in 2003. Congress has considered and adopted other privacy legislation at the federal level, including, for example, with respect to health-care data (the Health Insurance Portability and Accountability Act of 1996, known as HIPPA). The FTC is looking into data warehouses, which aggregate vast volumes of data on citizens from a variety of sources and make that data available to businesses. In the EU, the Data Protection Directive went into effect in 1998 and has had a profound impact on all businesses that transact with parties inside the EU.
Private parties are also active in protecting data and protecting against losses due to the theft of payment card data. Indeed, a consortium of global giants in the payment card industry (American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc) launched an initiative to establish standards for the proper collection, safeguarding, and use of credit card and debit card information. That initiative – known as the PCI Security Standards Council – has implemented private requirements with virtually all merchants and vendors that accept payment cards from consumers. The PCI Data Security Standards may have even more far-reaching and immediate impact than governmental requirements.
For knowledgeable counsel, the mandate is to develop, maintain, and continually refine the proficiency needed to help clients stay abreast of the privacy risks in the ever-changing digital tools at their disposal.