Although painful for Target and their customers, there are good lessons for franchisors and franchisees that can be learned from the unfortunate data breach they recently experienced. It’s important to note, though, that data privacy issues are not just the concern of large retailers and/or credit card companies. The majority of losses today actually occur at small to mid-size firms largely because smaller firms are often easier targets because they don’t have the infrastructure and protocols in place that larger firms have. Franchise systems, in particular, are at risk due to all being tied together as part of a larger brand and risk financial loss should a loss of personal data occur at another franchise.
Here are the top things to learn from this:
- Data privacy issues are complex: This seems simple enough but there are far more layers to any potential loss of confidential data than most understand. For example, 46 states require notification to their citizens should there be a potential loss of their personal data, however, each of these states have different requirements of what constitutes personal data and/or what you can say in your notification letter. Understanding how to respond to a personal data incident is just as important as to how quickly you respond. Respond incorrectly, and your issues and liability (and the corresponding costs) could rise exponentially.
- Forensics are key: When a potential loss of customer data occurs, whether from a breach of your system, lost paper files, or a stolen laptop or smartphone, don’t assume you know the facts. Understanding what occurred, the amount of data affected and the time period it was affected is critical. Act quickly, but with a clear understanding of the facts, or you could suffer from unnecessary negative perception and loss of business.
- Storing data with a third party does not alleviate your burden: There is a misperception that if you store your client’s data with a third party, and ultimately in the cloud, that you don’t have any liability. This is not correct. While storing your client’s data elsewhere is a good risk mitigation strategy, you still own the data and hold the responsibility to protect it on behalf of your clients, employees and others. Check your agreement with your service provider. Do they carry data privacy/cyber liability insurance? What type of hold harmless language is in your agreements? In short, vet your vendors that deal with your clients and employees data. If you house your data in the cloud, understand where it is kept. While storing data offshore doesn’t necessarily mean bad things, it could. As we have stated above data privacy regulation is complex within the U.S. If your data is housed in a foreign jurisdiction with laws that differ from the U.S., you could have a conflict in the event of a breach of that data. The laws of the foreign jurisdiction could limit your ability to conduct your forensics in a timely fashion, which could present regulatory issues in the event of a breach.
- “Pre-arrange the funeral:” In other words put together an incident response plan on how you will handle a potential loss of personal data should it occur. Items included in the incident response plan should include internal roles and responsibilities, communication plan, key vendors needed and chain of command.
- Run a simulated exercise: As part of the above plan, it is a good idea to occasionally practice with your team what to do should a real situation arise. One of the keys to any crisis, such as a data privacy breach, is how calculated and coordinated your response is. Make sure your team is aware and on board with how to respond.
- Transfer the risk: You can transfer risk through contracts with others and through the data privacy or cyber liability insurance. It is important to note that general liability policies do not provide coverage for these claims. These policies provide coverage and dollars for many additional items, including:
- First-Party Losses: First-party losses are those costs not related to the defense and indemnification of the claim. These include forensics (investigation), PR, notification, credit monitoring, and many others.
- Third-Party Losses: These are dollars related to legal defense costs and actual indemnification should that judgment arise. The better you handle the first-party procedures the less exposure, and costs, you are likely to suffer from third-party losses.
As painful as this process has been for Target, we can all learn something from it.. Most important is to know this exposure is a real threat, whether you are a large, multi-billion dollar retailer or a small, one-location franchisee. The exposure is real and you need to assess your system, review your current procedures and put a plan (and insurance) in place to reduce this risk and provide coverage should a data privacy incident occur.
Image used under Creative Commons from Jay Reed.