What is Camp Margaritaville required to do with Guest Information and Reservation Data it receives?

or the reasonable and documented costs incurred by Customer in connection with such incident, including,

but not limited to, the following items: (a) costs of any required forensic investigation to determine the cause of the data security breach, (b) providing notification of the security breach to applicable government and relevant industry self-regulatory agencies, to the media (if required by applicable Law) and to individuals whose personal information may have been accessed or acquired, (c) providing credit monitoring service (if required by applicable law or any enforcement order, decree or consent) to individuals whose personal information may have been accessed or acquired for a period of one year, and (d) operating a call center to respond to questions from individuals whose personal information may have been accessed or acquired for a period not to exceed one year.

• D. Customer acknowledges that CRS Supplier has set forth certain protections for Margaritaville with respect to Guest Information and Reservation Data in connection with the matters set forth in this Section 10 and in these CRS Terms of Use, and that Margaritaville has extended the same to Customer pursuant to this Section 10 on a passthrough basis. Notwithstanding the foregoing, Customer is not a third-party beneficiary of any commitment by or agreement with CRS Supplier, and only Margaritaville maintains privity with CRS Supplier for any matter set forth in these CRS Terms of Use. In no event shall Margaritaville be held liable to the extent a commitment or obligation of CRS Supplier has not been fulfilled through no fault of Margaritaville. Margaritaville will reasonably assist Customer with respect to any issues, questions or conflicts with the CRS Supplier arising under these CRS Terms of Use and the CRS Supplier Agreement, including, but not limited to, enforcing the CRS Supplier's obligations with respect to a data security breach affecting Customer.
• E. Customer's use of the CRS Services shall at all times be subject to the terms of the Branding Agreement. Notwithstanding the foregoing, when receiving or accessing Guest Information and Reservation Data, Customer agrees to: (i) collect, receive, transmit, store, dispose, use and disclose such Guest Information and Reservation Data in accordance with the terms of the Branding Agreement and all privacy and data protection laws, as well as all other applicable regulations, (ii) keep and maintain such Guest Information and Reservation Data in strict confidence, using such degree of care as is appropriate to avoid unauthorized access, use or disclosure and (iii) use and disclose such Guest Information and Reservation Data solely and exclusively for the purposes for which the Guest Information and Reservation Data, or access to it, is provided. Customer shall be responsible for, and remain liable to, Margaritaville for the actions and omissions of all employees, contractors or other representatives who are engaged by Customer concerning the treatment of Guest Information and Reservation Data as if they were Customer's s own actions and omissions. Customer shall notify Margaritaville of (i) any act or omission that compromises either the security, confidentiality or integrity of Guest Information and Reservation Data collected from end users in connection with these CRS Terms of Use or (ii) a breach or alleged breach of these CRS Terms of Use relating to the privacy practices of Customer in accordance with the terms of the Branding Agreement. Customer shall likewise promptly notify Margaritaville any suspicious or malicious activity, potential vulnerabilities, or security weaknesses of which it becomes aware by emailing

Margaritaville contact and in accordance with the terms of the Branding Agreement. Customer shall cooperate with Margaritaville as reasonably requested to investigate any security breach, and Customer shall use best efforts to remedy any security breach attributable to Customer as soon as commercially possible and prevent any further security breach at Customer's expense in accordance with applicable privacy rights, laws, regulations, and standards. In the event of any unauthorized access to and acquisition of Guest Information and Reservation Data by a third party while in the possession of Customer or in transit from Customer, which materially compromises the security, confidentiality or integrity of such Guest Information and Reservation Data ("Data Security Breach"), Customer shall promptly investigate the cause of such Data Security Breach and shall at its sole expense take all reasonable steps to: (i) mitigate any harm caused to affected individuals, (ii) prevent any future reoccurrence, and (iii) comply at its sole expense with applicable data breach notification laws.

• 11. Publicity.

Source: Item 23 — RECEIPTS (FDD pages 72–406)