Franchising Today - Summer 2016 - 11
mation, bank account and credit card
numbers and a host of other types of
commercially sensitive data.
As the adage goes, it's no longer a
matter of if a cyberattack will occur,
but when. Nevertheless, 59 percent
of U.S. small and medium-sized businesses don't have a contingency plan
in place for responding to and reporting data breach losses, according to a
survey conducted by the National Cyber Security Alliance and Symantec.
Given this very real (and expensive)
threat, the U.S. Department of Homeland Security recommends that small
businesses adopt these low-cost measures to improve data security:
Assemble a cybersecurity team and, if necessary, obtain expert support for them;
Assess possible weaknesses within your organization;
Develop and routinely practice a data breach response plan;
Establish a clear chain of command within the business;
Reevaluate insurance coverage, including the purchase of coverage specific to cybersecurity and data breach issues; and
Continuously monitor risks and best business practices.
Implementing these simple steps
will keep cybersecurity issues front-of-mind and likely minimize the impact of a data breach in the event one
occurs in a business.
Franchise operators who turn a blind
eye to cybersecurity issues risk destroying the customer base, reputation and customer loyalty they may
have spent years or even a lifetime
building. They also might incur even
greater expense in complying with
mandatory notification requirements.
The cost of implementing adequate
cybersecurity measures pales in comparison to the business loss, damage
to reputation and business interruption costs of a significant data breach.
Add to that the potential of hefty civil fines and penalties or jury awards,
and it is clear that franchise operators
cannot ignore cybersecurity.
Each year comes with a 20-percent
chance that a business will get hacked
and the high probability that, if a hack
occurs, the business will close its
doors within six months, according to
the National Cyber Security Alliance.
Along with the intangible losses to
reputation and brand, the quantifiable losses can be devastating.
Research by the Ponemon Institute, which studies data security, indicates that for a company with fewer
than 100 employees, the average cost
of a hack is just over $1 million.
As of October 2015, 47 states, the
District of Columbia, Guam, Puerto
Rico and the Virgin Islands have enacted statutes that require private
entities to notify individuals of security breaches that involve an unauthorized disclosure of personally
identifiable information, according to
the National Conference of State Legislatures. These laws typically spell
out who must comply, what constitutes "personal information" (such as
Social Security numbers, birth dates,
account numbers and the like), what
constitutes a breach, notice requirements and exemptions.
Some statutes also provide for a
private right of action to allow the victims of data breaches to recover damages and attorneys' fees. A patchwork
of federal laws requires notification
in specific situations, but no overarching federal data breach statute exists. The proposed Data Security and
Breach Notification Act of 2015 would
provide uniform federal protections
and notification requirements and
would preempt state laws.
The risks and responses to the global cyber threat are complicated and
ever-evolving. If nothing else, the
successful franchise operator must be
proactive in appreciating the risk and
taking steps to counteract it.
Sam Sammataro is a shareholder in Turner
Padget's Columbia office and a member
of the firm's Cybersecurity practice. He
counsels small and mid-sized businesses on
cybersecurity prevention and litigation. He may be
reached at (803) 227-4253 or by email at ssammataro@