Do Franchisor Cyber programs cover Franchisees?
There is a common misconception and a lot of confusion on the part of both Franchisor and Franchisee when it comes to who needs to have the insurance and how it will respond. The reality of it is that Franchisees are separate businesses that buy their own insurance in general, including property, GL, workers’ compensation and other things one would expect a small company to have. In many cases, the Franchisor actually sets the insurance requirements for the Franchisee in the “franchisor agreement”, the contract between the two parties that outlines what the franchisor is going to do on behalf of the franchisee (marketing, training, site sourcing, etc.) and what they are NOT going to do (hire employees, buy insurance coverage).
This seems fairly straightforward (though it isn’t) when it comes to several types of potential first party loss and third party liability because it is at least relatively easy to determine what physical property was damaged or where a person slipped and fell. The franchisee property policy or either the workers’ compensation or the GL coverage of the franchisee would be the policy that responds.
But when you look at the complex risks that involve potential damage to the overall brand, the lines get much more blurred. In cyber, this is particularly true because many franchisors want and need to control the technology that is deployed to the franchisees, not only for efficiency, cost, and quality control purposes but also so that there is continuity around security and breach response.
Franchisor cyber policies, for years now, have been able to cover under their “master” corporate program franchisee risk as it relates to privacy and even business interruption losses. However what is largely misunderstood is that in reality this coverage ONLY covers the franchisor for losses arising out of its owned or controlled computer system (or that of a vendor that it mandates and pushes out to franchisees). The corporate program does not cover stand-alone franchisee losses. And why should it? After all, the franchisees buy their own insurance for other types of losses, right?
Litigation results thus for have mixed, as highlighted in the July 2016 article in the ABA magazine entitled Cyber-Security Consideration for Franchisors.
I would venture to say that many franchisees do not understand this nuance and perhaps believe they have coverage where they do not.
“In my experience, one common misperception with franchisees is that they believe they have no real cyber liability exposure because they are protected through the franchisee agreement and/or the franchisor’s cyber liability policy.” Christina Terplan, Partner, Atheria Law PC
Moreover, franchisors may believe their corporate policy will respond to any and all breaches involving their brand, but they do not. And it is really important to bridge this gap because:
a) Franchisors have the bulk of the reputation harm that results from any location(s) being in the news for a negative reason (think food contamination).
b) Franchisors could be the deep pocket if they are held responsible by any regulator(s) around a compromise of personally identifiable information (PII).
c) Franchisees at the end of the day are small business owners with a lot on their plates. They are not going to know what to do and how to stay out of regulatory trouble if they suffer a breach or outage. They need the cyber insurance for the indemnity part of the policy but for them, having a turnkey breach response solution included in the insurance premium is huge!
MSR FranchiseGuard is a program designed to address all of the above issues. It is a franchisee program offered through sponsorship of the franchisor, with bespoke policy language and a turnkey vendor offering. The program does not have an aggregate, so franchisors can rest assured that each franchisee will get its own policy limits.
For more information on this and our other specialized cyber and technology offerings, please visit our website at www.msruw.com. Contact firstname.lastname@example.org or Managing Director, Mary Guzman at email@example.com.