About The Northwest Policyholder

A Miller Nash Graham & Dunn blog, created and edited by Seth H. Row, an insurance lawyer exclusively representing the interests of businesses and individuals in disputes with insurance companies in Oregon, Washington, and across the Northwest. Please see the disclaimer below.

Wednesday, April 22, 2015

Data Breaches at Franchisees Raise Cyber Insurance Issues

A recent article about a data breach at a Marriott franchise highlights an emerging cyber insurance issue for franchisors, and indeed for all companies involved in contractual relationships that expose them to liability for cyber risks over which they may have little control.  

The article reports that a Marriott franchisee had a seven-month-long data breach relating to the food and beverage point-of-sale (POS) system at ten of its hotels.  Unfortunately, this kind of scenario is becoming commonplace - hackers exploiting weaknesses in POS security to obtain credit card numbers, often focusing on heavy users of POS systems like restaurants.  

But the franchise aspect of this incident clearly adds some wrinkles worth considering.  I reached out to my partner Shannon McCarthy, a member of our franchise & distribution practice group and frequent contributor to our firm's blog on franchise issues -- ZorBlog -- for some thoughts.

Shannon first confirmed that in the event of a consumer lawsuit over a data breach the franchisor will likely be sued along with the franchisee.  Franchisors are typically viewed as a "deep pocket" and so the plaintiff may seek to hold the franchisor directly or indirectly liable for the breach.  A franchisor might be liable if it controlled the consumer data, if it contractually required the franchisee to use a certain system or provided the system itself, or exercised control over the way that the franchisee collected or used the data.  As examples, Shannon pointed me to both this FTC suit against Wyndham Hotel Group and the consumer class action (and related FTC action) against the rent-to-own franchisor Aaron's, Inc.  

In the Wyndham case the FTC alleged that the hotelier, which operates through over 90 franchisees, itself was liable for data breaches at its franchise locations because the franchisor had made representations on its own website about data security, because it "allowed" franchisees to use improper software and lax security practices, and because its own data systems did not encrypt consumer information.  Wyndham has pushed back against the FTC's claims and has appealed an early ruling that the FTC has jurisdiction to pursue the claims, and recently defeated a related derivative action in federal court.  

In the Aaron's case, customers who rented laptops sued the franchisees and the franchisor alleging that spyware on the laptops captured keystrokes, browsing history, and screenshots, and took pictures of the customers using the computer's built-in camera, invading the customers' privacy.  (The customers' case was recently reinstated by the Third Circuit after having been dismissed on procedural grounds).  The customer suit follows on the heels of a consent decree that Aaron's reached with the FTC in which the franchisor essentially admitted that it not only knew about the practice but actively participated in providing the software to its franchisees.  (Given that settlement it may be difficult for Aaron's to deflect responsibility to its franchisees.)

Where does insurance fit into all of this?  First, franchisors (like all businesses) should assess whether they themselves are adequately covered for cyber losses, including whether their traditional insurance policies carry endorsements specifically excluding data-breach liability or first-party losses, and whether they should purchase specific "cyber insurance."  In making this assessment franchisors should take into account all of the potential risks that they face beyond just regulatory or class-action consumer lawsuits; for example, credit-card issuers and banks may file suit seeking to recover their costs for writing off fraudulent charges and issuing new cards.

Second, franchisors should consider the requirements that they impose on franchisees with regard to cyber-security practices.  For example, franchisors might incorporate into their franchise agreements some of the security standards and "best practices" being developed by cyber-security organizations.  Of course this brings into play the tension that has always existed between maintaining enough separation from the franchisee such that liability could be avoided altogether, wanting to protect the brand by ensuring that the franchise is run competently, not imposing unreasonable burdens on franchisees, and business interests that may require a certain amount of intermingling of operations.  (For example, one of the key advantages of owning a hotel franchise is the access to the unified reservations and loyalty-reward programs operated by the franchisor.)
Finally, because preventing data breaches or liability claims may be impossible, franchisors should evaluate whether to require their franchisees to carry cyber insurance, and whether those insurance policies can provide protection to the franchisor.  Much as general contractors require subcontractors to carry insurance providing "additional insured" protection if the general is sued because of the subs' negligence, some cyber insurance programs purchased by a franchisee could be made to assist a franchisor in the event of a data breach caused by a franchisee's error.  However, because cyber insurance is not being written on standardized forms, it is not possible to simply specify in a franchise contract that a specific ISO additional insured endorsement be used.  Instead, franchisors would be well served to work out requirements language with their franchisees that takes into account evolving norms in the insurance industry regarding language, sub-limits, and other aspects of cyber insurance.  What will likely be needed in this, as with almost all things in the cyber insurance world, is a team approach involving counsel, insurance broker, and business people.
Tuesday, November 5, 2013

Benefits of Involving Counsel In Choosing Your Insurance Program

All companies routinely review their insurance coverage programs, usually through risk management talking to a trusted insurance broker.  Today I came across this excellent "Sound Advice" podcast from Tonya Newman, a colleague at Neal Gerber & Eisenberg in Chicago, about the reasons that companies should involve counsel in discussions at renewal time.  It is of course fairly self-serving to say so, but insurance coverage counsel can provide a perspective on what insurance to buy that brokers often cannot.  If coverage counsel have recently represented the company in coverage disputes, they may be more intimately familiar with how standard-form exclusions intersect with the company's products or business practices.  And because insurance procurement decisions should involve a good deal of candid self-assessment and review of prior claims, it may be worthwhile to consider doing that kind of assessment inside the attorney-client privilege rather than having the conversations strictly with an insurance broker who may be subject to subpoena in a later claim.  The presentation is very well done and I commend it to other policyholder counsel, brokers, and risk managers.

Thursday, September 12, 2013

Rely On "Certificates of Insurance" At Your Great Peril

I came across this new decision from the Ninth Circuit, on a Washington case (full disclosure: I learned of it courtesy of a national firm's "Lexology" article), and it reminded me of a point that I continually try to hammer home with clients and transactional lawyers, who deal in these things daily: a "certificate of insurance" is barely worth the paper that it is printed on, and is never a substitute for a thorough review of the insurance policy itself.

In this case a hospital contracted with a nursing staffing service to provide skilled nurses.  As part of the deal the hospital required that the nursing staffing service demonstrate that it had adequate liability insurance.  The staffing service provided a certificate of insurance, which the underwriter prepared, showing that it had $5m of insurance.  Great.  What the certificate didn't show was that there was a $1m self-insured retention (SIR), meaning that the staffing service was responsible for the first $1m of any loss.  A patient was injured and sued both the hospital and the staffing service; damages were slightly less than $1 million.  The hospital convinced the plaintiff to drop the claim against the hospital by showing plaintiff's lawyer the certificate indicating plenty of coverage.  Plaintiff dropped the hospital, but when it got a judgment against the staffing service within the SIR, the service could not pay, and declared bankruptcy.  The plaintiff succeeded in getting its claim against the hospital revived.  The hospital sued the insurance company and the underwriter, claiming that the certificate was deceptive.  Problem: the certificate (a standard form) has no blank for SIR or deductible, despite the fact that that is absolutely critical information.  The Ninth Circuit agreed with the trial judge that the hospital had no claim.

Lesson: if you do not have a long-standing business relationship, don't just ask for the certificate of insurance when entering into any kind of contract where insurance matters (and there are few such contracts) - ask for the policy itself, with all declarations and endorsements, and have it reviewed by someone familiar with insurance policies and finding "holes" in coverage, like a large SIR.