
What are the consequences of a Data Security Event for Crowne Plaza or a Compromised Data Event for the franchisee?

Crowne Plaza Franchise · 2025 FDD

Answer from 2025 FDD Document

strict you from accepting Cards, if it is determined that you are not compliant with the applicable data security requirements. Subject to Section 4.3, we may in our sole reasonable discretion suspend certain or all Services under the Agreement if we reasonably believe in good faith and based on evidence that an actual or suspected data security compromise has occurred, provided that we will use reasonable efforts to provide you advance written notice of such suspension, unless such notice is prohibited by Applicable Law or Card Organizations Rules. We will use commercially reasonable efforts to implement a workaround that allows you to continue receiving Card processing services from us during the suspension and we will remove the suspension and restore Services promptly after the threat has been resolved. If we reasonably believe in good faith and based on evidence that actual data security compromise has occurred which creates liability exposure for us, we may terminate the Agreement upon written notice to you.

  • (c) We Must Comply with PCI DSS. We, and the systems and service providers we use, also must comply with PCI DSS and any additional Card Organization Rules applicable to our Services.
  • 4.2 Compliance Audits. Each party may be subject to ongoing validation of its compliance with PCI DSS standards. Furthermore, if we suspect a breach of your compliance obligations under the Agreement, we retain the right to conduct an audit at your expense, performed by us or a Third Party designated by us to verify your compliance, or that of your agents or Merchant Providers.

  • 4.3 Immediate Notice Required. If Transaction Data is known or suspected of having been accessed or retrieved by any unauthorized Third Party, you must contact us immediately and in no event more than 24 hours after becoming aware of such activity. If we become aware of any unauthorized access to the Transaction Data, we will contact you promptly after becoming aware of such activity, unless otherwise prohibited by Applicable Law or Card Organizations Rules.
  • 4.4 Your Compromised Data Event. If a Compromised Data Event (as defined in Section 4.8) occurs or is suspected to have occurred, you must, at your own expense: (a) perform or cause to be performed an independent investigation, including a forensics analysis performed by a certified forensic vendor acceptable to us and the Card Organizations in accordance with Card Organization standards, of any data security breach of Cardholder data or Transaction Data; (b) provide a copy of the certified forensic vendor's final report regarding the incident to us and the Card Organizations; (c) perform or cause to be performed any remedial actions recommended by any such investigation; and (d) cooperate with us in the investigation and resolution of any security breach. Notwithstanding the foregoing, if required by a Card Organization, we will engage a forensic vendor approved by a Card Organization at your expense. You must cooperate with the forensic vendor so that it may immediately conduct an examination of your equipment and other Merchant Systems, and your and Merchant Providers' procedures and records, and so that it may issue a written report of its findings.

Source: Item 23 — Receipts (FDD pages 100–424)

What This Means (2025 FDD)

According to Crowne Plaza's 2025 Franchise Disclosure Document, both the franchisee and franchisor have specific responsibilities and potential financial burdens in the event of a data security breach. If a franchisee experiences a 'Compromised Data Event,' they are obligated to conduct an independent investigation, including a forensic analysis by a certified vendor, provide a copy of the vendor's report to Crowne Plaza and relevant Card Organizations, perform recommended remedial actions, and cooperate with Crowne Plaza in resolving the breach. If required by a Card Organization, Crowne Plaza can engage a forensic vendor at the franchisee's expense. The franchisee is also responsible for promptly paying Crowne Plaza for all related expenses, claims, assessments, fines, losses, costs, penalties, and Issuer reimbursements imposed by the Card Organizations if the franchisee or their Merchant Provider is determined to be the likely source of the data compromise. These costs are referred to as 'Data Compromise Losses'.

Conversely, if Crowne Plaza experiences a 'Data Security Event' due to its independent acts or omissions, resulting in the unauthorized disclosure of personally identifiable consumer information, including Cardholder data submitted by the franchisee, Crowne Plaza is responsible for performing the actions outlined in subparts (a) and (c) of Section 4.4. These actions include performing an independent investigation, including a forensics analysis performed by a certified forensic vendor acceptable to us and the Card Organizations in accordance with Card Organization standards, and performing or causing to be performed any remedial actions recommended by any such investigation. Crowne Plaza also agrees not to pass through to the franchisee any amounts imposed upon them by the Card Organizations in connection with their Data Security Event.

Furthermore, the FDD stipulates that franchisees must provide immediate notice to Crowne Plaza, no more than 24 hours after becoming aware, if Transaction Data is known or suspected of having been accessed or retrieved by any unauthorized Third Party. Crowne Plaza, in turn, will contact the franchisee promptly after becoming aware of any unauthorized access to the Transaction Data, unless prohibited by Applicable Law or Card Organizations Rules. These provisions highlight the importance of data security and the potential financial and operational burdens placed on both the franchisor and franchisee in the event of a data breach, emphasizing the need for robust security measures and prompt communication.

Disclaimer: This information is extracted from the 2025 Franchise Disclosure Document and is provided for research purposes only. It does not constitute legal or financial advice. Consult with a franchise attorney before making any investment decisions.