What is the Camp Margaritaville franchisee's obligation to update the franchisor regarding a security incident?
Camp_Margaritaville Franchise · 2025 FDDAnswer from 2025 FDD Document
not physically transferred to, accessed by, or otherwise processed by any personnel or systems outside of the United States or any country or territory where the Resort is located. Franchisee shall ensure training of Franchisee's personnel includes cyber security awareness.
(f) Unauthorized Disclosure of Data.
- (i) Security Incident Management. Franchisee shall maintain a written, up-to-date information security incident plan that (i) has been approved by management; (ii) is communicated to Key Personnel; and (iii) has an owner to maintain and review the incident response management program. The security incident plan shall include, at a minimum, processes for responding to a cybersecurity event, goals for the response plan, roles and responsibilities, internal and external communication plans, requirements for remediation, documentation and reporting related to incident response activities, and post-incident evaluation and policy revision activities. The security incident plan shall address different types of cybersecurity events, including disruptive events such as ransomware incidents.
- (ii) Security Incident Notification. In the event of a Security Incident, Franchisee shall: (i) promptly inform Franchisor in writing of such Security Incident, but by no later than twenty-four (24) hours from the date Franchisee obtains actual or constructive knowledge of the Security Incident; (ii) promptly investigate, correct, mitigate, remediate, and otherwise handle the Security Incident, including by identifying Guest Profile Data or Confidential Information that may have been accessed, acquired, disclosed, or used as a result of the Security Incident and taking sufficient steps to prevent the continuation and recurrence of the Security Incident; and (iii) immediately provide information, including artifacts required for incident response and forensics investigations, and assistance, such as preservation and retention of logs and data relevant to the evaluation, requested by Franchisor.
Source: Item 23 — RECEIPTS (FDD pages 72–406)
What This Means (2025 FDD)
According to Camp Margaritaville's 2025 Franchise Disclosure Document, a franchisee has specific obligations regarding security incident notifications. If a security incident occurs, the franchisee must promptly inform Camp Margaritaville in writing no later than 24 hours from the date the franchisee gains actual or constructive knowledge of the incident. This initial notification is crucial for Camp Margaritaville to begin assessing the scope and potential impact of the breach.
Following the initial notification, the franchisee is obligated to investigate, correct, mitigate, remediate, and handle the security incident. This includes identifying any Guest Profile Data or Confidential Information that may have been accessed, acquired, disclosed, or used as a result of the incident. The franchisee must also take steps to prevent the continuation and recurrence of the security incident, ensuring that the vulnerabilities are addressed to avoid future breaches.
Furthermore, the franchisee must immediately provide Camp Margaritaville with any information and assistance requested, such as artifacts required for incident response and forensics investigations. This includes preserving and retaining logs and data relevant to the evaluation of the incident. The franchisee is also required to provide regular updates to Camp Margaritaville regarding the Security Incident and must promptly notify Camp Margaritaville as new information becomes known, until the Security Incident is fully remediated to Camp Margaritaville's reasonable satisfaction. This ongoing communication ensures that Camp Margaritaville is kept informed of the progress and any new developments in addressing the security incident.