Andrae Marrocco of law firm Dickinson Wright says cybersecurity and privacy compliance represent “risky climates” for franchisors, with the Aaron’s case being the first of its kind. Aaron’s was found guilty of knowingly assisting its franchisees in engaging in deceptive acts and practices, as it permitted and participated in the gathering of consumer information in a manner that resulted in significant risk of harm.
Specifically, the franchisees installed privacy-invasive software on computers rented out to consumers. This software collected confidential and personal information and sent it to the franchisees’ e-mail accounts. As a franchisor, Aaron’s had an obligation to oversee and monitor the franchisees’ consumer privacy practices, but in this case, it was directly responsible for the breach.
The FTC concluded the franchisor was aware its franchisees used the software and the corporate server stored the information. Moreover, the franchisor allowed the franchisees to access the software through its own network and was aware the information was sent to company-provided e-mail accounts. Aaron’s was even found guilty of providing technical support for the software.
Given a lack of court-issued guidance on how franchisors should develop information governance programs with consumer privacy in mind, Marrocco recommends the following steps to help avoid problems in the future:
- Investing in human capital—Identify people who are responsible for data management and privacy compliance and assemble a team to address information governance.
- Audit and risk assessment—Review existing policies and procedures with current practices and identify vulnerabilities and risks.
- Developing an information governance program—Incorporate the entire process for collecting, using and storing information to ensure its security.
- Training and monitoring—Determine an appropriate level of training, either internally or outsourced, while periodically monitoring and assessing the information governance program.
- Compliance—Include a provision requiring compliance and commitment to the program in the franchise agreement.
- Updating—Given rapid technical advances, be sure to review and update policies, procedures, hardware and software across the entire franchise system on a regular basis.