Why Franchisees and Particularly Franchisee Associations Need Information Security
If there is a transaction that involves a card with a magnetic stripe and a swipe, there is a transaction that involves risk.
Information security was once considered a purely technical problem, but the combination of advanced technology and malicious intent has made information security everyone's problem. Did you know that the personal or financial data of more than 217 million Americans has been compromised since the beginning of 2005, according to the nonprofit Privacy Rights Clearinghouse?
Did you know that Deborah Platt Majoras, chairwoman of the Federal Trade Commission since 2004, was herself a victim of identity theft, and has championed initiatives to protect consumers from shoddy data protection practices?
Does your franchise system maintain its Confidential Operating Manual online? Are you doing enough to keep it confidential and protected from hackers? Is there a concern that competitors could obtain all of your operating information?
If you think your franchise system’s confidential and proprietary data is secure, think again. Here’s a nightmare scenario that was reported in the New York Times on April 16, 2008:
“Thousands of high-ranking executives across the country have been receiving e-mail messages this week that appear to be official subpoenas from the United States District Court in San Diego. Each message includes the executive’s name, company and phone number and commands the recipient to appear before a grand jury in a civil case.
A link embedded in the message purports to offer a copy of the entire subpoena. But a recipient who tries to view the document unwittingly downloads and installs software that secretly records keystrokes and sends the data to a remote computer over the Internet. This lets the criminals capture passwords and other personal or corporate information.”
When it comes to information security issues, too many executives claim a lack of technical expertise and end up with their heads in the sand. That is no longer a safe attitude. Consider just a few of the situations recently reported in SC Magazine's industry coverage:
- Hackers used sophisticated methods to evade detection and place malware on nearly 300 Hannaford Bros. store servers to intercept payment information while transactions were being transmitted, according to executives of the grocery store chain. As many as 4.2 million credit and debit card numbers may have been exposed in the attack. Ironically, Hannaford was notified of irregular credit card activity on the same day it was recertified as compliant with the Payment Card Industry Data Security Standard (PCI DSS). Until being notified of the attack, executives “believed we had the highest standards in the retail industry applying to our data security.”
- The website of online retailer Geeks.com displayed the “Hacker Safe” seal from McAfee ScanAlert. Nevertheless, a hacker accessed customer credit card numbers and other personal information.
- The personally identifiable information of several hundred thousand JC Penney customers was at risk after a data tape went missing from the storage vendor Iron Mountain. Gordon Rapkin, president and chief executive of data security vendor Protegrity, told SCMagazineUS.com that JCPenney is ultimately responsible for making sure their customers' information is secured.
- An executive’s laptop containing the personal information of more than 300,000 customers, including Social Security numbers, was stolen. The same week, T. Rowe Price disclosed that thieves had acquired two laptops containing sensitive information on thousands of people enrolled in 401(k) retirement plans managed by the global investment firm. The hard drives of the two stolen machines contained the names and Social Security numbers of 35,000 individuals, the company said.
- The FTC went after two companies for failing to provide reasonable and appropriate security for sensitive consumer information, which led to identity theft. The FTC forced a settlement containing bookkeeping and record-keeping provisions that allow the agency to monitor compliance with its orders. Under the terms of the settlement, the FTC ordered the two companies to hire third-party security auditors to assess their security programs every two years for the next 20 years. The auditors must certify that the companies' security programs meet or exceed the requirements of the FTC's orders, and the audits must also show that the companies are providing "reasonable assurance that the security of consumers’ personal information is being protected.”
- A disgruntled employee, fearing she was about to be fired, deleted seven years' worth of her employer's data.
In light of information security breaches such as these, the FTC is expected to enact an identity theft "red flags" rule that would force organizations to find the holes in their systems that could lead to compromised information.
Whether the FTC forces the issue or not, franchise operators and associations would be well advised to address data security issues before they blow up in their faces. If the JC Penney scenario happened to your franchise system, could you afford to wait for notification from the vendor that handles your retail credit card operations?
If you don’t think you have a problem in this area, you’re deluding yourself. If you think you might have a problem, our experts are security professionals with years of experience at top-five global banks. Give us a call to talk.
Written by Bruce S. Schaeffer and Henfree Chan, Franchise Technology Risk Management