What are the minimum requirements for the security incident plan that a Camp Margaritaville franchisee must maintain?
Camp Margaritaville Franchise · 2025 FDD
Answer from 2025 FDD Document
Franchisee shall maintain a written, up-to-date information security incident plan that (i) has been approved by management; (ii) is communicated to Key Personnel; and (iii) has an owner to maintain and review the incident response management program.
The security incident plan shall include, at a minimum, processes for responding to a cybersecurity event, goals for the response plan, roles and responsibilities, internal and external communication plans, requirements for remediation, documentation and reporting related to incident response activities, and post-incident evaluation and policy revision activities.
The security incident plan shall address different types of cybersecurity events, including disruptive events such as ransomware incidents.
- (ii) Security Incident Notification. In the event of a Security Incident, Franchisee shall: (i) promptly inform Franchisor in writing of such Security Incident, but by no later than twenty-four (24) hours from the date Franchisee obtains actual or constructive knowledge of the Security Incident; (ii) promptly investigate, correct, mitigate, remediate, and otherwise handle the Security Incident, including by identifying Guest Profile Data or Confidential Information that may have been accessed, acquired, disclosed, or used as a result of the Security Incident and taking sufficient steps to prevent the continuation and recurrence of the Security Incident; and (iii) immediately provide information, including artifacts required for incident response and forensics investigations, and assistance, such as preservation and retention of logs and data relevant to the evaluation, requested by Franchisor.
Source: Item 23 — RECEIPTS (FDD pages 72–406)
What This Means (2025 FDD)
According to the 2025 Camp Margaritaville FDD, franchisees must maintain a written and up-to-date information security incident plan. This plan needs to be approved by management, communicated to key personnel, and have a designated owner responsible for maintaining and reviewing the incident response management program.
The security incident plan must include processes for responding to cybersecurity events, clearly defined goals, roles and responsibilities, and internal and external communication strategies. Additionally, it should outline requirements for remediation, thorough documentation and reporting of incident response activities, and procedures for post-incident evaluation and policy revisions. The plan needs to address various types of cybersecurity events, including disruptive incidents like ransomware attacks.
In the event of a security incident, Camp Margaritaville franchisees are required to promptly inform the franchisor in writing, no later than 24 hours after obtaining actual or constructive knowledge of the incident. They must also investigate, correct, mitigate, and remediate the incident, identifying any Guest Profile Data or Confidential Information that may have been accessed, acquired, disclosed, or used, and take sufficient steps to prevent its continuation and recurrence. Franchisees must also immediately provide the information and assistance the franchisor requests, including artifacts required for incident response and forensics investigations and the preservation and retention of relevant logs and data.