“All stores are independently owned and operated.” It’s heard within the disclaimers at the end of commercials on both TV and radio. You’ll also find it at the bottom of print advertisements in magazines and newspapers. What does it mean?
In the case of Personally Identifiable Information (PII) and debit/credit card payment details, it means the data you provide when making a purchase is likely at risk of being stolen.
In 1932, Howard Deering Johnson established the first modern franchise as a means to let independent operators use the same name, food, supplies, logo and even building design as he had implemented at his own restaurant in exchange for a fee. Since then, franchising has become huge business, for Howard Johnson as the brand expanded to hotels, as well as countless others who have followed and become franchisors. Roughly 825,000 franchised businesses now generate over $2.1 trillion of economic output annually. Among these businesses, the majority of hotels in the United States are franchised.
Today’s consumer making the decision to travel and stay at a franchised hotel rarely thinks of their personal data being put at risk as they hand over the required detail to make a reservation – including their name, address and credit card details.
People book a room on the website of a famous hotel chain. As guests arrive to check in, the brand’s reassuring name is above the door. Its logo is everywhere: on the staff uniforms, the stationery, the carpets. But someone else who has taken out a franchise on the brand owns the hotel.
It’s time those who care about their privacy started paying attention.
When booking rooms through so-called brand.com websites (e.g. howardjohnson.com or hojo.com for the Howard Johnson chain), consumers believe and expect that the company they are doing business with will keep their information safe. This implied covenant between merchant and consumer is rarely upheld through the end-to-end transaction, and that is due to the stance franchisors have taken.
Companies such as Wyndham Hotel Group, current franchisors of the Howard Johnson brand, go through significant effort to ensure they are PCI compliant. This means they have met certain minimum requirements mandated by the Payment Card Industry ensuring they will be permitted to accept credit card payments in the course of their business transactions. Unfortunately, while franchisors may be PCI compliant, they are passing their guests’ data to the independently owned and operated franchised hotels in their portfolio that in most cases are not compliant with PCI requirements.
Franchisees receive little to no education or operational assistance from the master brands they work with. Regrettably, in today’s litigious society we see individuals and companies prioritize protecting themselves from liability over doing the right thing. As a result, we see the chains positioning themselves to “stay out of it” when it comes to driving security standards at franchised properties. The big brands (i.e. the franchisors) boldly proclaim that since they don’t own the properties, they cannot be required to uphold data security. It is, in their view, the responsibility of the independently owned and operated property owner to do so.
While franchisors maintain strong standards and associated enforcement around the key elements they feel “define” the essence of their brand, they have all refrained from making the preservation of guest security one of them. Stringent quality assurance checks ensure that having the wrong items on the breakfast buffet or not having clean rooms can punitively impact franchisees; however, the brand-conducted inspections look at no data security components. The result: while brands dictate the systems and technology to be used at franchise locations, they take no responsibility for ensuring those systems are actually installed and maintained in a way that meets even the minimum data security requirements.
As guest data traverses from the compliant franchisor to its knowingly non-compliant franchisee, the consumer is unknowingly put at risk. Franchisees commonly neglect to acknowledge, let alone address, the need for security, under the false impression that it has already been provided for them. In reality, these franchised locations fail to meet even the minimum security standards required by PCI. Where they fail is troubling; among the shortfalls:
- Computer networks accessible from the internet are not routinely scanned for vulnerabilities
- Simple, common, and often even default passwords are used to access key systems
- Lack of current anti-virus and malware detection software
- Staff are not properly trained on best practices and procedures for handling guest data
Another, more basic, reason explains why franchisors shy away from their expected obligation to require and enforce security among their franchisees: money. The fees collected by franchisees drive corporate revenues at franchisor organizations. These fees are commonly enabled, and increased, by the existence of technology links between the franchisor and franchisee entities. If compliance, or more importantly the lack thereof, at the franchise level led to the franchisor needing to disconnect the interfaces that enable the flow of consumer data between them, franchisor operations and their associated revenues would be dramatically impacted. As a result, consumers have been repeatedly put at risk.
As exhibited by Wyndham Hotel Group’s defense in a suit currently filed against it by the FTC, franchise organizations want to maintain a “don’t ask, don’t tell” approach to managing (or not managing) franchised data security compliance, as a means to protect corporate revenues, because they feel it is not their responsibility. Franchisors strive to stay an arm’s length away from their perceived obligation to protect consumers’ data throughout their franchisee networks. As long as this remains the case, consumers should be aware of the risks being taken with their information, as it could be exposed to the world when dealing with independently owned and operated locations.