Data Breach at Jimmy John's Could Damage Franchisees

Photograph by David Sherman/Getty Images

Hackers stole credit-card data from 216 Jimmy John’s stores from June to September, the sandwich shop chain said in a statement issued on Sept. 24. Compared to large-scale hacks on Home Depot and Target, each of which gave thieves access to tens of millions of credit- and debit-card numbers, the scope of the Jimmy John’s breach will probably be small. But the fallout from the hack—as well as recent data thefts at Dairy Queen (the malware that hit Target), 51 UPS franchises, and additional chains—has an interesting implication for franchisees.

Franchise systems comprise many individual business owners. The amount of independence they have from the franchisor varies, depending on the chain. For many franchises, payments and data storage are the franchisee’s responsibility, says Lee Plave, a franchise lawyer in Reston, Va. Because of that, security standards differ. What franchises do share, says Plave, is brand exposure: “If I’m running a bad store, and my staff is surly, and the bathrooms are filthy, it affects everyone else in the franchise business,” he says.

Data breaches can be seen in the same light. If a single store makes headlines for getting hacked, others in the chain may suffer. That thinking may eventually lead some franchisors to insist that franchisees follow concrete cyber-security policies—a potentially touchy subject for store owners that bristle at corporate control. As retail hacks continue to make news, franchisees will probably clash with their corporate chains over the costs of new security systems.

Here’s the bright side: Franchisees make modest targets for hackers because one store’s customer data is unlikely to be stored centrally, with data from others in the chain. In the case of the Jimmy John’s breach, the hackers accessed card numbers by stealing log-in credentials from the company that provided point-of-sales systems to the infiltrated stores, according to security blogger Brian Krebs. For franchisees in other chains, there may be some benefit in being small.