The 21st century is clearly the age of cybercrime, and franchise companies should be especially concerned because, simplistically, there are only two types of computer systems: those that have been hacked, and those that will be hacked. Franchise companies are uniquely vulnerable in two areas because they possess massive collections of personally identifiable information, and they have substantial asset bases of intangible property. Both the PII and the intangible assets can be easily copied without leaving the premises. Any transaction involving a card with a magnetic strip involves risk, and any franchise company’s computer system designed to allow access to multiple users (such as franchisees, vendors, suppliers, etc.) poses an enormous risk of being penetrated. All companies using e-mail or the Internet are vulnerable; firewalls offer no protection once a hacker has infiltrated.

And things are going to get worse. Speaking to the BBC for a report on technology, Mikko Hypponen, chief research officer at F-Secure, an IT security firm based in Helsinki, Finland, said last year, “Crime tends to rise when you have more unemployment. If you look, in general, where the attacks are coming from you can find social reasons behind them.” Experts at the 2009 World Economic Forum in Davos, Switzerland, called for a new system to tackle well-organized gangs of cybercriminals, and they claimed that online theft costs $1 trillion a year, that the number of attacks is rising sharply, and that too many people do not know how to protect themselves.

Even if you can protect your system from outsiders, a franchise company can still be easily betrayed from within. “The damage that insiders can do should not be underestimated. It can take just a few minutes for an entire database that has taken years to build to be copied to a CD or USB stick,” said Adam Bosnian, a spokesman for Newton, MA-based Cyber-Ark, a developer of “digital vaults” for securing electronic information.

“With a faltering economy, companies need to be especially vigilant about protecting their most sensitive data against nervous or disgruntled employees,” Bosnian told the BBC. A prime example of this is the recent case of mortgage giant Fannie Mae, which narrowly avoided a software time bomb set to destroy all data on its computers. Federal authorities allege that a disgruntled contractor embedded a malicious code in Fannie’s system, set to go into effect on all 4,000 of the company’s servers months after he was gone. The code was tucked at the end of a legitimate software program scheduled to run each morning and was discovered only by chance by another Fannie technician.

According to the Identity Theft Resource Center, based in San Diego, breaches were up more than 25% in 2008 and affected more than 35.7 million people. “This may be reflective of the economy, or the fact that there are more organized crime rings going after company information using insiders,” said Linda Foley, the Center’s co-founder. “As companies become more stringent with protecting against hackers, insider theft is becoming more prevalent.”

Accordingly, a franchise company must evaluate its risk to determine and implement appropriate policies and procedures. The authors have formulated a “Chan Scale of Cyber In-Security,” which can provide franchise companies a framework for considering the potential harm that can be caused:

1 Chan — Low risk. Hacker has gained entry to system, but minimally. Minor risk of business disruption, but access can aid attackers in gathering information and planning future attacks.

2 Chan — Medium. “Malware” has been implanted in the company’s network that could cause malfunctions and mischief. Significant risk of a business disruption that could result in financial loss and/or damage of goodwill.

3 Chan — Medium-to-high. Using sniffers or other equipment, hackers have obtained PII from point-of-sale systems. Significant risk of business disruption that could create financial loss and/or damage of goodwill.

4 Chan — High. Often an inside job in which data are stolen by a disgruntled employee. Serious risk of business disruption that would result in financial loss and damage of goodwill; customers’ PII may be vulnerable, as well as company’s confidential information and financial information.

5 Chan — Critical. Hackers have breached system and can access PII as well as the company’s financial information and confidential information. Severe risk of business disruption, financial loss and damage of goodwill. System, applications and database have been compromised.

In light of such exposure, franchise companies may have to reach out to members of the organization with diverse areas of expertise, including legal, technical, risk management, finance, and crisis management. Here are 20 questions about cybersecurity that need to be answered. (For an exhaustive review of this subject, see “The Financial Impact of Cyber Risk,” published jointly in 2008 by the American National Standards Institute and the Internet Security Alliance. The report provided the basis for many of the questions herein.)

GENERAL

1) What is the definition of cybersecurity?

Answer: The protection of any computer system, software program, and data against unauthorized disclosure, transfer, modification, or destruction, whether accidental or intentional. Cyber-attacks can come from internal networks, the Internet, or other private or public systems.

2) Is cybercrime on the rise?

Answer: On average, there has been a reported cybersecurity event every single day since 2006. Thefts of PII have been reported regularly in the media, but other types of attacks against public and private entities, though much less often reported, have resulted in data destruction, downtime, etc.

3) What financial exposure attaches to cybercrimes?

Answer: Major liability may be incurred from individual litigation, class litigation, regulatory investigation, contract dispute, loss of customers, reputation damage, data theft, denial of service, cyberterrorism, cyberextortion and fraud.

QUESTIONS FOR THE COMPANY’S LAWYER

4) Has the company’s cyberliability been analyzed?

Answer: Potential liabilities may relate to the information kept by the company, its vendors, or third parties.

5) Has cyberprotection been built into contracts with vendors?

Answer: Wherever possible, vendors (especially applications vendors) should be required to warrant that company data are appropriately protected and should be required to indemnify the company for losses arising from cybersecurity breaches that are the fault of the vendor. Furthermore, contracts should require that vendors have network security insurance, which shifts the financial burden for losses to the insurer. Another benefit of insurance is that it typically indicates that a third party (the insurer) has thoroughly evaluated the vendor’s cybersecurity systems.

6) Has the cyberrisk to trade secrets and other IP been assessed?

Answer: Confidential operating manuals, trade secrets, and other intellectual property are the mainstays of franchise systems. Because these usually are held in electronic or digital form, they are easily subject to misappropriation through a cyber-attack. Unlike the theft of physical assets, a theft of digital assets leaves the stolen asset behind — which makes the theft much more difficult to discover — so that without penetration testing and proper monitoring, a franchise company may not even know it’s been compromised.

7) What can be done to mitigate cyberrisk, and how often should a franchise company conduct a cyber-analysis or cyber-audit?

Answer: Performing comprehensive reviews of all systems and system logs at least quarterly is essential. Franchise companies also must perform a legal audit of all applicable regulations, vendor contracts, internal procedures, and policies to deal with potential thefts of PII. In the event of a breach, the audit trail will help to keep the costs of litigation under control.

8) Has the company analyzed what regulations (federal, state, local, and global) exist with respect to cyberdata, and whether or not the company is in compliance?

Answer: Some statutes addressing liability include:

• Communications Act of 1934, updated in 1996;

• Computer Fraud and Abuse Act of 1984;

• Computer Security Act of 1987;

• Economic Espionage Act of 1996;

• Electronic Communications Privacy Act of 1986;

• Federal Privacy Act of 1974;

• Health Insurance Portability and Accountability Act of 1996;

• National Information Infrastructure Protection Act of 1996; and

• U.S.A. Patriot Act of 2001.
