Franchise Operations

Franchisee’s Cybersecurity Responsibility

Imagine you’re planning to open a franchise diaper service catering to busy new moms. Now imagine you could get the names and contact information of pregnant women in your neighborhood so that you could start marketing to them right away, before your competitors even think about it.

You could. That’s just one simple example of how much consumer data is being collected, and how easily it could be put to use in a business scenario.

The video below illustrates how easy it is to gather information from social media, where people share and sometimes overshare things they apparently don’t really want strangers to know. Consumer data collection often goes even further, aggregating data so that it’s easy to see the kinds of things people buy six months before they start buying diapers. Armed with that information and access to an individual’s purchase history, you could easily sort out a list of likely future customers.

A case recently in the courts is a bit more sinister. Franchisees for a rental service were collecting data from the computers they rented to consumers. The spy program counted keystrokes, took screenshots, and activated webcams.The software was created by Designerware LLC, and was apparently sold to the franchisees as a way to find the computers if customers took off with them.

Descriptions of the software being used sound similar to software used to monitor remote workers. The software allows employers to make sure that work is being conducted as agreed, and the employees whose work is being monitored are aware of the software and agreed to its use. In fact, they normally install the software themselves.

The invasive software in this case was installed on PCs and used without the consumers’ knowledge. Rather than providing keystroke logs and screen shots to help manage workers, the software took pictures which, according to testimony in the court case, included everything from the renters’ children to their bank account log-in information.

The rental service franchisees installed the invasive software on computers which they then rented out to customers who had no knowledge that it was being used. There is no question that these franchisees bought the software and did the installation, and they made that decision themselves. However, since the software was collecting data to the franchisor’s server and was accessed through the franchisor’s system, the court decided that the franchisor was also at fault, along with the software designer.

The story raises some interesting points. The software was sold to the franchisees as a security measure, and it is similar to software which is used appropriately for other purposes. It’s not clear that any of the franchisees intended to steal information from the consumers, or that they understood that doing so would be possible. The way in which the software was handled seemed to vary from store to store, and there was no requirement from the franchisor that consumers be told about the software. It’s not clear that the franchisor knew what was going on.

In fact, there were a number of comments in favor of the use of the software, including one from the owner of a company that rented computers for the use of their remote workers. “I have them lease computers from their local rental store,” the commenter says. “The reason I do this is because they have the ability to recover these laptops if they get stolen. They told me exactly what would be installed and I signed an agreement stating that I understood they could turn on the webcam and such if they had to in order to recover these laptops if they were stolen. Also every one of my employees acknowledges also as part of their employment contract.”

It’s clearly a complicated situation. Most of us don’t have much knowledge about cybersecurity or consumer data collection, so it’s hard to know how to handle these situations. However, the court decision in this case makes it clear that franchisees and franchisors alike will be held accountable for their actions in this area.

The ease of getting information — from social media, from purchase histories, or from security software — means that business owners are increasingly being held liable for how they use the information.

Pending Request