What is a Cinnabon franchisee required to do if they suspect a security breach?
Cinnabon Franchise · 2025 FDDAnswer from 2025 FDD Document
If you suspect or know of a security breach, you must immediately give us notice of such security breach and promptly identify and remediate the source of any compromise or security breach at your expense.
You assume all responsibility for providing all notices of breach or compromise and all duties to monitor credit histories and transactions concerning customers of the Franchised Business.
- 12.3 Data Breach Notification.
If you learn of an incident that may be a "breach of the security of the system" under Cal.
Civ.
Code § 1798.82 or any other data breach notification Law, you must immediately notify us of the facts that are known about the incident (a "Data Breach").
Although you are responsible for complying with all data breach notification Laws and standards applicable to your organization, we expect that you will coordinate with us regarding such incidents where notification to individuals is required before individuals are notified so that we can be aware of and be prepared to address issues that may affect the System and be in a position to support you where possible.
In the event of an actual or suspected Data Breach, you grant us and our designees and agents the right, exercisable in our sole and absolute discretion, to conduct an investigation of the incident and to install, run, and maintain any hardware, software, or code on your Computer System or in your computer network necessary or advisable to facilitate the investigation and to contain and remediate the incident, and you agree to cooperate with us and to provide us with any access and information we may reasonably request for those purposes.
Nothing in the preceding sentence shall relieve you of your obligation to comply with applicable laws, regulations, rules, standards or any equivalent thereof concerning an actual or suspected Data Breach.
You are responsible for any costs or financial losses you incur or remedial actions that you must take as a result of an actual or suspected Data Breach.
Source: Item 23 — Receipts (FDD pages 114–399)
What This Means (2025 FDD)
According to Cinnabon's 2025 Franchise Disclosure Document, if a franchisee suspects or knows of a security breach, they must immediately notify Cinnabon of the breach. The franchisee is also required to promptly identify and fix the source of the security breach at their own expense. This includes responsibility for providing all notices of the breach, monitoring credit histories, and overseeing transactions related to customers of the franchised business.
Furthermore, if the incident qualifies as a "breach of the security of the system" under California Civil Code § 1798.82 or any other data breach notification law, the franchisee must immediately inform Cinnabon of all known facts about the incident, defined as a "Data Breach". While the franchisee is responsible for complying with all applicable data breach notification laws and standards, Cinnabon expects to coordinate with the franchisee, especially when notification to individuals is required. This coordination ensures Cinnabon is aware of potential issues affecting the entire system and can provide support where possible.
Cinnabon also has the right to conduct its own investigation of any actual or suspected data breach. Franchisees must allow Cinnabon and its agents to install and maintain any necessary hardware or software on their computer systems to facilitate the investigation, contain the incident, and remediate any damage. Franchisees are required to cooperate with Cinnabon and provide any requested access and information for these purposes. However, this does not relieve the franchisee of their obligation to comply with all applicable laws and regulations regarding data breaches. Ultimately, the franchisee is responsible for any costs or financial losses incurred due to an actual or suspected data breach, as well as any required remedial actions.