Protecting your franchise system from data breaches and cyber-attacks
In the past year, large Australian companies such as Medibank Private and Optus have been the victims of online data breaches and cyber-attacks. These attacks have compromised the data of millions of Australians and form the basis of proposed class action cases against these companies.
More recently, the consumer finance company Latitude Financial confirmed that cyber hackers have stolen the personal data and identification documents of its customers, including customers of the franchise system Harvey Norman.
The financial and reputational damage of a cyber-attack is significant, given the amount of customer data that is collected from loyalty programs and marketing campaigns.
Franchisors should work closely with cyber-security experts to minimise the risk of data breaches and cyber-attacks occurring.
The franchise relationship creates additional challenges and risks. In a franchise model, the franchisor typically specifies the business format or system under which franchisees will operate. The franchisor may specify what data is to be collected by franchisees and how it is to be stored and processed. The franchisor may be obliged to comply with Privacy Laws, but franchisees may not have to. So the franchisor may be held liable for non-compliance with data protection and privacy laws by their franchisees. Apart from legal liability, non-compliance with privacy laws by a franchisee can cause significant reputational damage to an entire franchise network, for which the franchisor is responsible.
It is therefore important that franchisors review their franchise model to:
- provide that only the franchisor will provide information technology services, which the franchisor will host;
- provide that all data stored will become the franchisor’s property;
- include provisions in the Franchise Agreements that require franchisees to comply with Privacy Laws, including the Privacy Act 1988 (Cth), even if a franchisee is not an entity to which the Act applies;
- require franchisees to adhere to the Australian Privacy Principles;
- create a process for franchisees to report compromises to client data and a process to follow where a data breach or cyber-attack occurs; and
- require franchisees to undertake online cyber-security and data protection training as part of the initial and ongoing training and induction.
As technology continues to rapidly evolve, your franchise system and documentation should adapt and keep pace to protect against digital threats.
If you have any further questions or require your franchise documents to be reviewed and updated to address privacy and data protection, please contact a member of our Franchising Team on +613 8540 0200 or as follows:
Carmen Wu: firstname.lastname@example.org