Who is responsible for financial losses resulting from a security breach involving Consumer Information at a Hardees franchise?
Hardees Franchise · 2025 FDDAnswer from 2025 FDD Document
HR owns all Consumer Information and may use the Consumer Information as it deems appropriate (subject to applicable law), including disclosing it to vendors or sharing it with its affiliates for crossmarketing or other purposes. Franchisee may only use Consumer Information for the purpose of operating the Franchised Restaurant to the extent permitted under this Agreement, including the OPM, during the term hereof and subject to such restrictions as HR may from time to time impose and in compliance with all data privacy, security and other applicable laws. Without limiting the foregoing, Franchisee agrees to comply with applicable law in connection with Franchisee's collection, processing, storage and use of such Consumer Information, including, if required under applicable law, obtaining consents from individuals for HR's and its affiliates' use of the Consumer Information. Franchisee must comply with all laws and regulations relating to data protection, privacy and security, including data breach response requirements ("Privacy Law(s)"), as well as data privacy and security policies, procedures and other requirements HR may periodically establish. Franchisee must maintain reasonable, appropriate, and effective security controls to preserve the security, integrity, availability, confidentiality, and resilience of Consumer Information. Franchisee must notify HR immediately of any suspected data breach at or in connection with the Franchised Restaurant or the business operated at the Franchised Restaurant. Franchisee must fully cooperate with HR and its counsel in determining the most effective way to meet HR's standards and policies pertaining to Privacy Laws, including those governing notification of a data breach. Franchisee is
responsible for any financial losses it incurs or remedial actions that it must take as a result of breach of security or unauthorized access to Consumer Information in Franchisee's control or possession.
Source: Item 22 — Contracts (FDD page 85)
What This Means (2025 FDD)
According to Hardees's 2025 Franchise Disclosure Document, the franchisee is responsible for financial losses or remedial actions resulting from a security breach or unauthorized access to consumer information if the information was in the franchisee's control or possession. This means that if a Hardees franchisee experiences a data breach due to their own security lapses, they will bear the costs associated with it. These costs could include legal fees, customer notification expenses, credit monitoring services for affected customers, and potential fines or penalties.
Hardees requires franchisees to maintain reasonable, appropriate, and effective security controls to protect consumer information. Franchisees must also comply with all applicable data protection, privacy, and security laws, including data breach response requirements. Furthermore, franchisees must immediately notify Hardees of any suspected data breach at their restaurant and fully cooperate with Hardees in determining the most effective way to meet the brand's standards and policies pertaining to privacy laws, including those governing data breach notification.
This allocation of responsibility highlights the importance of data security for Hardees franchisees. They must invest in robust security measures and ensure compliance with all relevant regulations to protect consumer information and avoid potential financial losses. Prospective franchisees should carefully consider the costs associated with data security when evaluating the Hardees franchise opportunity. They should also inquire about the specific security measures and training programs that Hardees provides to help franchisees protect consumer data.