What is a 'Compromised Data Event' or 'Data Security Event' in the context of a Crowne Plaza agreement?
Crowne Plaza Franchise · 2025 FDD
Answer from 2025 FDD Document
You are responsible for all Chargebacks, Third Party Based Fees, Servicers Fees, and other amounts arising from fraudulent activity processed through your Merchant Systems and/or your Merchant Account (regardless of any AVS response that you receive).
- 4.8 Costs. If you or a Merchant Provider (or other Third Party used by you) are determined by any Card Organization, regardless of any forensic analysis or report, to be the likely source of any loss, disclosure, theft or compromise of Cardholder data or Card transaction information or are determined to have caused Cardholder data to be put at risk (together, "Compromised Data Events") and regardless of your belief that you have complied with the Card Organization Rules or any other security precautions and are not responsible for the Compromised Data Event, you must promptly pay us for all related expenses, claims, assessments, fines, losses, costs, penalties, and Issuer reimbursements imposed by the Card Organizations against us (together, "Data Compromise Losses").
In addition to the foregoing, you must also pay us promptly for all expenses and claims made by Issuers against us alleging your responsibility for the Compromised Data Event, apart from any claim procedures administered by the Card Organizations.
We agree not to pass through to you any amounts imposed upon us by the Card Organizations in connection with our Data Security Event.
Source: Item 23 — Receipts (FDD pages 100–424)
What This Means (2025 FDD)
According to Crowne Plaza's 2025 Franchise Disclosure Document, a "Compromised Data Event" occurs when any Card Organization determines that the franchisee or a Merchant Provider used by the franchisee is the likely source of any loss, disclosure, theft, or compromise of cardholder data or card transaction information, or has caused cardholder data to be put at risk. This determination applies regardless of any forensic analysis or report, or the franchisee's belief that they have complied with Card Organization Rules or other security precautions. If a Compromised Data Event occurs, the franchisee is responsible for promptly paying Crowne Plaza for all related expenses, claims, assessments, fines, losses, costs, penalties, and issuer reimbursements imposed by the Card Organizations. The franchisee must also pay for all expenses and claims made by Issuers against Crowne Plaza alleging the franchisee's responsibility for the event, even apart from claim procedures administered by the Card Organizations.
A "Data Security Event," on the other hand, applies to Crowne Plaza itself. It is defined as a situation where a Card Organization determines that Crowne Plaza has breached its data security obligations under applicable law or Card Organization Rules, resulting solely from Crowne Plaza's independent acts or omissions. This breach must lead to the actual, unauthorized disclosure of personally identifiable consumer information, including cardholder data submitted by the franchisee. In the event of a Data Security Event caused by Crowne Plaza, Crowne Plaza will be responsible for performing investigations and remedial actions. Crowne Plaza agrees not to pass through to the franchisee any amounts imposed upon Crowne Plaza by the Card Organizations in connection with Crowne Plaza's Data Security Event.
For a prospective Crowne Plaza franchisee, understanding these definitions is crucial because they delineate the financial responsibilities in case of a data breach. The franchisee bears significant financial risk in the event of a Compromised Data Event linked to their systems or providers, regardless of their perceived compliance with security standards. Conversely, Crowne Plaza assumes responsibility for Data Security Events stemming directly from their own actions or omissions. This distinction highlights the importance of robust data security measures and careful selection of Merchant Providers by the franchisee to minimize the risk of incurring substantial Data Compromise Losses.