What is the Camp Margaritaville franchisee's responsibility regarding the investigation of a security incident?
Camp Margaritaville Franchise · 2025 FDD
Answer from 2025 FDD Document
bilities, internal and external communication plans, requirements for remediation, documentation and reporting related to incident response activities, and post-incident evaluation and policy revision activities. The security incident plan shall address different types of cybersecurity events, including disruptive events such as ransomware incidents.
(ii) Security Incident Notification. In the event of a Security Incident, Franchisee shall: (i) promptly inform Franchisor in writing of such Security Incident, but by no later than twenty-four (24) hours from the date Franchisee obtains actual or constructive knowledge of the Security Incident; (ii) promptly investigate, correct, mitigate, remediate, and otherwise handle the Security Incident, including by identifying Guest Profile Data or Confidential Information that may have been accessed, acquired, disclosed, or used as a result of the Security Incident and taking sufficient steps to prevent the continuation and recurrence of the Security Incident; and (iii) immediately provide information, including artifacts required for incident response and forensics investigations, and assistance, such as preservation and retention of logs and data relevant to the evaluation, requested by Franchisor.
(iii) The written notice to the Franchisor required in the previous sentence must be sent to legal@margaritaville.com and shall include, at a minimum (if known, and to Franchisee's knowledge as of the time of the notice): (i) the type of Guest Profile Data or Confidential Information that may have been accessed, acquired, disclosed, or used as a result of the Security Incident, (ii) if any Personal Data may have been accessed, acquired, disclosed, or used, the type of personally identifiable data and the names and contact information of all individuals whose personally identifiable data may have been impacted by the Security Incident, (iii) Franchisee's plan for corrective actions to respond to the Security Incident; and (iv) steps taken to secure Guest Profile Data or Confidential Information and preserve information for any necessary investigation. Franchisee shall not unreasonably delay its notification to Franchisor. Additionally, Franchisee shall provide regular updates to Franchisor regarding the Security Incident and shall notify Franchisor promptly as new information becomes known, until the Security Incident is fully remediated to Franchisor's reasonable satisfaction.
(iv) All information relating to the Security Incident must be retained by Franchisee until Franchisor has consented in writing to its destruction. If requested by Franchisor and subject to Franchisor's confidentiality obligations, Franchisee shall permit Franchisor and its agents to access Franchisee's facilities and/or the affected hardware or software, as applicable, to conduct a forensic analysis of such Security Incident. Depending upon the type and scope of the Security Incident, Franchisor personnel may participate in: (i) interviews with Franchisee's employees and subcontractors involved in the Security Incident; and (ii) review of all relevant records, logs, files, reporting data, systems, Franchisee devices, and other materials as otherwise required by Franchisor. Franchisee shall obtain cyber security insurance in the amounts required by Franchisor and provide a Certificate of Insurance from the insurer to Franchisor, naming Franchisor as an additional insured of Franchisee. Further, Franchisee shall follow industry accepted practices surrounding the patching of system vulnerabilities. Franchisee shall install anti-virus and spyware software on Franchisee's computer systems and ensure such software and Franchisee's computer systems are updated with the current version at all times.
(v) Notification. Although Franchisee is solely responsible for compliance with all data breach notification requirements under Data Protection Laws, Franchisee: (1) will not inform any third party of a Security Incident without first notifying Franchisor;
Source: Item 23 — RECEIPTS (FDD pages 72–406)
What This Means (2025 FDD)
According to Camp Margaritaville's 2025 Franchise Disclosure Document, the franchisee has several responsibilities in the event of a security incident. The franchisee must promptly inform Camp Margaritaville in writing of the security incident, no later than 24 hours from the date it obtains actual or constructive knowledge of the incident. The franchisee is also required to promptly investigate, correct, mitigate, remediate, and otherwise handle the security incident, including identifying any Guest Profile Data or Confidential Information that may have been accessed, acquired, disclosed, or used. The franchisee must take sufficient steps to prevent the incident from continuing or recurring.
Furthermore, the Camp Margaritaville franchisee is obligated to immediately provide information and assistance requested by the franchisor. This includes artifacts needed for incident response and forensics investigations, as well as preserving and retaining logs and data relevant to the evaluation. The franchisee must also send written notice to legal@margaritaville.com that includes, at a minimum and to the extent known at the time of the notice: the type of Guest Profile Data or Confidential Information that may have been accessed, acquired, disclosed, or used; if any Personal Data may have been affected, the type of personally identifiable data and the names and contact information of all individuals whose data may have been impacted; the franchisee's plan for corrective actions; and the steps taken to secure data and preserve information for investigation.
The franchisee must provide regular updates to Camp Margaritaville regarding the security incident, and notify it promptly as new information becomes known, until the incident is fully remediated to the franchisor's reasonable satisfaction. All information related to the incident must be retained until Camp Margaritaville provides written consent for its destruction. If requested by Camp Margaritaville, and subject to the franchisor's confidentiality obligations, the franchisee must allow the franchisor and its agents to access the franchisee's facilities and the affected hardware or software to conduct a forensic analysis of the security incident. Depending on the type and scope of the incident, Camp Margaritaville personnel may also participate in interviews with the franchisee's employees and subcontractors involved in the incident and review relevant records, logs, files, reporting data, systems, franchisee devices, and other materials.
To prepare for such incidents, the franchisee is required to maintain a written, up-to-date information security incident plan approved by management, communicated to key personnel, and maintained by a designated owner. This plan should include processes for responding to cybersecurity events, goals, roles and responsibilities, communication plans, remediation requirements, documentation and reporting procedures, and post-incident evaluation and policy revision activities. The plan should address different types of cybersecurity events, including disruptive events like ransomware incidents.