Franchise operators must be proactive in confronting cybersecurity risk.
By Sam Sammataro
You’ve just finished another grueling 80-hour week. Your mind is racing with thoughts of staffing and personnel issues, ordering supplies, meeting payroll and keeping overhead as low as possible. In other words, your mind is occupied with all of the details that make for a successful franchise operator. The last thing you want to spend time worrying over is cybersecurity. After all, you think, much bigger fish are in the sea, right? Surely, you think, the criminals are taking aim at pockets much deeper than yours.
You might want to think again, particularly given the threat cyber criminals pose to smaller and medium-sized businesses. The risk of a cyberattack is ever-present, and the consequences can be catastrophic. However, armed with knowledge and a plan of action, franchise operators can face the challenge head-on and minimize the cybersecurity risks confronting their organizations.
The Verizon 2015 Data Breach Investigations Report listed 79,790 security incidents and 2,122 confirmed data breaches. In addition, the forecasted average loss for a breach of 1,000 records is between $52,000 and $87,000. Although most breaches noted in the news are from large or even national companies, a Travelers cyberinsurance professional told a 2015 industry conference that 62 percent of cyber-breach victims are small to mid-sized businesses.
Even so, the National Cybersecurity Institute reports that while 81 percent of small businesses are concerned about cybersecurity, only 42 percent have invested in protections against cyberattacks in the past year, and a much smaller share, 5 percent, have invested in cyberinsurance.
Infrastructure and Training
With the ever-increasing threat of big data breaches and the litigation that often follows (think Target, Sony, the list goes on … ), big business has upped the ante by investing heavily in sophisticated cybersecurity infrastructure and training. Unfortunately, the same cannot be said for smaller businesses that are often understaffed in the IT department and lack the funds to implement enhanced cybersecurity measures.
Add to this the perception that small businesses are too small or don’t have anything worth stealing, and they risk becoming easy targets for cyber criminals looking to steal employee and customer information, bank account and credit card numbers and a host of other types of commercially sensitive data.
As the adage goes, it’s no longer a matter of if a cyberattack will occur, but when. Nevertheless, 59 percent of U.S. small and medium-sized businesses don’t have a contingency plan in place for responding to and reporting data breach losses, according to a survey conducted by the National Cyber Security Alliance and Symantec. Given this very real (and expensive) threat, the U.S. Department of Homeland Security recommends that small businesses adopt these low-cost measures to improve data security:
- Assemble a cybersecurity team and, if necessary, obtain expert support.
- Assess possible weaknesses within your organization.
- Develop and routinely practice a data breach response plan.
- Establish a clear chain of command.
- Reevaluate insurance coverage, including the purchase of coverage specific to cybersecurity and data breach issues.
- Continuously monitor risks and best business practices.
Implementing these simple steps will keep cybersecurity issues front-of-mind and likely minimize the impact of a data breach in the event one occurs.
Ignore at Peril
Franchise operators who turn a blind eye to cybersecurity issues risk destroying the customer base, reputation and customer loyalty they may have spent years or even a lifetime building. They also might incur even greater expense in complying with mandatory notification requirements.
The cost of implementing adequate cybersecurity measures pales in comparison to the business loss, damage to reputation and business interruption costs of a significant data breach. Add to that the potential of hefty civil fines and penalties or jury awards, and it is clear that franchise operators cannot ignore cybersecurity.
According to the National Cyber Security Alliance, a business faces a 20-percent chance of being hacked in any given year and, if a hack does occur, a high probability of closing its doors within six months. Along with the intangible losses to reputation and brand, the quantifiable losses can be devastating.
Research by the Ponemon Institute, which studies data security, indicates that for a company with fewer than 100 employees, the average cost of a hack is just over $1 million.
As of October 2015, 47 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted statutes that require private entities to notify individuals of security breaches that involve an unauthorized disclosure of personally identifiable information, according to the National Conference of State Legislatures. These laws typically spell out who must comply, what constitutes “personal information” (such as Social Security numbers, birth dates, account numbers and the like), what constitutes a breach, notice requirements and exemptions.
Some statutes also provide a private right of action that allows the victims of data breaches to recover damages and attorneys’ fees. A patchwork of federal laws requires notification in specific situations, but no overarching federal data breach statute exists. The proposed Data Security and Breach Notification Act of 2015 would provide uniform federal protections and notification requirements and would preempt state laws.
The risks and responses to the global cyber threat are complicated and ever-evolving. If nothing else, the successful franchise operator must be proactive in appreciating the risk and taking steps to counteract it.
Sam Sammataro is a shareholder in Turner Padget’s Columbia office and a member of the firm’s Cybersecurity practice. He counsels small and mid-sized businesses on cybersecurity prevention and litigation. He may be reached at 803-227-4253 or by email at ssammataro@turnerpadget.com.