Ask an Expert, May/June 2021

Q. What do franchisees need to know about cybersecurity and data protection risk mitigation?

Cybersecurity risks have increased in a variety of industries because the diffuse, remote working conditions introduced by COVID-19 have created security concerns that did not previously exist. Additional IT endpoints without sufficient security oversight have permitted an increased number of cybersecurity incidents to occur.

Franchised businesses, which were already vulnerable to cybersecurity incidents due to their own inherently diffuse nature, have proven to be no exception to this trend. Franchisees must be aware of their cybersecurity and data protection risks to maintain compliance with their franchise agreements and to decrease their potential liability for providing access to the franchise system’s larger IT infrastructure in the event of a cybersecurity breach.

Sources of cybersecurity and data protection compliance requirements

Cybersecurity and data protection compliance requirements for franchisees are mandated by two equally important sources: legislatively, as provided under the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (“PIPEDA”), and contractually, pursuant to the confidentiality and/or data protection provisions of their applicable franchise agreement.

Section 7 of PIPEDA requires a business that receives, processes, or uses personally identifiable information to use commercially reasonable methods to safeguard such data from loss, theft, or unauthorized use in a manner that is commensurate with its sensitivity. However, PIPEDA does not prescribe the safeguards required to comply with the business's mandate to protect the personally identifiable information.

Similarly, in most instances the confidentiality and/or data protection provisions that are contained in a franchise agreement do not specify the safeguards that are required, only stating that “commercially reasonable measures” must be used by the franchisee.

Significant ambiguity occurs where a franchisee must determine whether their systems are providing adequate protection to meet their legislative and contractual commitments. Despite this, there are several solutions that can be used to enhance a franchisee’s cybersecurity infrastructure in a cost-effective manner.

Two-factor authentication

Two-factor authentication is one of the simplest ways to safeguard IT systems. It can be easily enabled through many operating systems without investing significant time or expense. By ensuring that a login attempt is verified through a secondary device, possession of the principal device is confirmed, and hackers can be prevented from accessing the IT system even if they have a single, stolen password.

Password policies

Complicated password policies are a simple, free, and effective way of adding security measures to an IT system. By mandating that passwords are sufficiently complicated (for instance, a minimum of eight characters including lowercase letters, uppercase letters, numbers, and special characters), coupled with a maximum number of login attempts prior to locking a user account, brute force attempts to guess passwords can be effectively thwarted. In addition, a reasonable schedule for updating passwords should be instituted to complement the password complexity policy. The password reconfiguration schedule should balance the need to update stale passwords with the need for employees to remember the updated password without writing it down or forgetting it.

Data protection agreements

Often, franchisees can be lured into entering contracts for IT services by the lowest bidder. The lowest price for ostensibly similar services can often be a wise business decision. However, significant care must be taken when using IT service providers and the back-end services they provide for cybersecurity and data protection. The lowest prices for IT services are routinely given by contractors without the highest level of sophistication in cybersecurity.

It is also common to see low-cost IT service providers impose the responsibility of remediating data breaches onto the client. It is very important to have any IT service contract reviewed by a lawyer with experience in both franchising and IT to ensure that a data protection provision is included. Such a review also ensures the franchisee is not unintentionally underwriting the risk of cyber breaches for their IT service provider or the whole franchise system.

Cybersecurity insurance

Cybersecurity insurance is an increasingly affordable product. It can assist the policy holder in remediating data breaches, offsetting business disruption costs, and completing regular privacy audits. Many cybersecurity insurers will also provide clients with free training materials for employees that address emerging threats in a timely manner. Cybersecurity insurance products should be negotiated by a knowledgeable insurance broker to ensure that current risks are specifically insured against. This is particularly important for franchisees due to the insurance obligations that are routinely imposed by their franchisors.

While complying with cybersecurity and data protection requirements can seem overwhelming, there are several simple steps that can be leveraged to enhance your cybersecurity environment, including those outlined above. Experienced counsel can also assist with additional strategies and a determination of what your business needs to be compliant with the legislation and its applicable franchise agreement.

Andrew Johnson
Lawyer (Franchise, Technology, and Privacy Law)
McKenzie Lake Lawyers LLP
andrew.johnson@mckenzielake.com