What is a Carvel franchisee required to do if they suspect a security breach?
Carvel Franchise · 2025 FDDAnswer from 2025 FDD Document
If you suspect or know of a security breach, you must immediately give us notice of such security breach and promptly identify and remediate the source of any compromise or security breach at your expense.
If you learn of an incident that may be a "breach of the security of the system" under Cal.
Civ.
Code § 1798.82 or any other data breach notification Law, you must immediately notify us of the facts that are known about the incident (a "Data Breach").
Although you are responsible for complying with all data breach notification Laws and standards applicable to your organization, we expect that you will coordinate with us regarding such incidents where notification to individuals is required before individuals are notified so that we can be aware of and be prepared to address issues that may affect the System and be in a position to support you where possible.
Source: Item 23 — Receipts (FDD pages 100–353)
What This Means (2025 FDD)
According to Carvel's 2025 Franchise Disclosure Document, if a franchisee suspects or knows of a security breach, they must immediately notify Carvel. The franchisee is also required to promptly identify and fix the source of the security breach at their own expense.
Furthermore, if the security breach is considered a "breach of the security of the system" under California Civil Code § 1798.82 or any other data breach notification law, the franchisee must immediately inform Carvel of all known facts about the incident, which is termed a "Data Breach".
While the franchisee is responsible for complying with all data breach notification laws and standards, Carvel expects the franchisee to coordinate with them regarding incidents requiring individual notification. This coordination is expected before individuals are notified, allowing Carvel to be aware of and prepared to address issues that may affect the entire Carvel system and to support the franchisee where possible. Carvel also has the right to investigate the incident and install hardware/software on the franchisee's systems to facilitate the investigation and remediation, with the franchisee's cooperation.