Is a Belocal franchisee required to publicly disclose a Security Breach?
Belocal Franchise · 2025 FDDAnswer from 2025 FDD Document
. Except to the extent required by applicable law, no public disclosure of any instance of such unauthorized access or breach shall be made by Franchisee unless Franchisor has authorized the provision of notice and the form of such notice in writing. Franchisee shall reimburse Franchisor for all reasonable Notification and Remediation Related Costs (as defined below) incurred by Franchisor arising out of or in connection with any such Security Breach that is directly or indirectly caused by Franchisee, its Principals, and its Independent Staff. "Notification and Remediation Related Costs" shall mean Franchisor's internal and external costs associated with addressing and responding to any Security Breach, including but not limited to: (i) preparation and mailing or other transmission of legally required notifications to affected individuals, regulators, and attorneys general; (ii) preparation and mailing or other transmission of such other communications to customers, agents, or others as Franchisor deems reasonably appropriate; (iii) establishment of a call center or other communications procedures in response to such Security Breach (e.g., customer service FAQs, talking points, and training); (iv) engagement of information technology consultants, public relations, and other similar crisis management services; (v) payment of legal and accounting fees and expenses associated with Franchisor's investigation of and response to such Security Breach; and (vi) payment of costs for commercially reasonable credit reporting services that are associated with legally required notifications or are advisable under the circumstances. Franchisee Indemnifying Parties agree to hold harmless, defend and indemnify Indemnitees from and against any and all losses, expenses, judgments, claims, attorney fees and damages arising out of or in connection with any claim or cause of action in which Indemnitees shall be a named defendant and which arises, directly or indirectly, out of the operation of, or in connection with a Security Breach or Franchisee Indemnifying Parties' violation of any Privacy Law, Data Protection and Security Policies, consumer protection-related law or regulation, email marketing and other marketing laws and regulations, and the PCI-DSS.
- (6) Personal Information Consent and Requests. Franchisee is responsible for obtaining any required consent to the collection, use, storage, processing, and sharing of Personal Information from all parties from which it is required to obtain consent under the Privacy Laws or Data Protection and Security Policies. Franchisee shall retain copies of all such consents and store them and share them with Franchisor in the manner Franchisor requires.
Source: Item 22 — CONTRACTS (FDD page 71)
What This Means (2025 FDD)
According to Belocal's 2025 Franchise Disclosure Document, a franchisee is generally restricted from publicly disclosing a security breach. The FDD states that unless required by applicable law, a Belocal franchisee cannot make any public disclosure of unauthorized access or breach without written authorization from Belocal, including the specific form of notice. This means Belocal maintains control over how and when security breaches are communicated to the public.
However, the franchisee is obligated to immediately notify Belocal of any actual or suspected security breach. This includes any unauthorized access, processing, loss, use, disclosure, alteration, destruction, transfer, or compromise of personal information, whether stored in paper or electronic form. It also covers any suspected intrusion into the franchisee's or Belocal's computer systems, networks, servers, IT resources, or paper files. The franchisee must then cooperate with Belocal to investigate and resolve the issue.
Furthermore, the franchisee may be financially responsible for costs incurred by Belocal related to the security breach. The franchisee is required to reimburse Belocal for all reasonable Notification and Remediation Related Costs arising from a security breach directly or indirectly caused by the franchisee, its principals, or its independent staff. These costs can include legal notifications, public relations, IT consulting, and legal and accounting fees.
In summary, while Belocal franchisees must report security breaches to Belocal, they are generally prohibited from making public disclosures themselves unless legally required or explicitly authorized by Belocal in writing. The franchisee also bears the responsibility for covering costs associated with addressing the breach, emphasizing the importance of robust data protection and security measures.