Common use of Cardholder Data Security Clause in Contracts

Cardholder Data Security. (A) Each Party acknowledges and agrees that this Amended Program Manager Agreement constitutes an agreement for Manager to perform services for ▇▇▇▇▇▇ Bank as contemplated in Title V of GLBA and the Privacy Regulations. Without limiting the generality of the terms of this Amended Program Manager Agreement, Manager and Processor each agree that they shall protect the privacy of Cardholder Data to at least the same extent that ▇▇▇▇▇▇ Bank must maintain that confidentiality under GLBA and the Privacy Regulations. Without limiting the generality of the foregoing sentence, except as otherwise provided in any Program Schedule, neither Manager nor Processor shall: (i) use any Cardholder Data except to perform its obligations under this Amended Program Manager Agreement (unless such Cardholder Data is used for Manager’s internal business purposes), or (ii) disclose any Cardholder Data other than to: (a) any Network or any other entity to which disclosure is necessary in connection with the processing of a Transaction; (b) a Third Party Service Provider in connection with a permitted use of such Cardholder Data under this Section 8.1, provided that each such Third Party Service Provider agrees in writing to maintain all such Cardholder Data as strictly confidential in perpetuity and not to use or disclose such information to any person other than ▇▇▇▇▇▇ Bank, Manager or Processor, except as required by Applicable Law or any Regulatory Authority (after giving ▇▇▇▇▇▇ Bank, Manager or Processor, as applicable, prior notice and an opportunity to defend against such disclosure) or as permitted under ▇▇▇▇▇▇ Bank’s Privacy Policy; provided, further, that each such Third Party Service Provider maintains, and agrees in writing to maintain, an information security program that is designed to protect Cardholder Data and information related to Transactions, and which complies with the requirements under the Network Rules, including but not limited to the requirement for such Third Party Service Provider, upon termination of any of its associated Card Programs, to securely destroy all Cardholder Data in its possession associated with such Card Program as quickly as circumstances permit in accordance with best industry practices and provide a written notice to ▇▇▇▇▇▇ Bank that the destruction of the Cardholder Data has been completed; (c) its employees, consultants, attorneys and accountants with a need to know such Cardholder Data in connection with a permitted use of such Cardholder Data under this Section 8.1; provided that (1) any such person is bound by terms substantially similar to this Section 8.1 as a condition of employment or of access to Cardholder Data or by professional obligations imposing comparable terms; and (2) such Party shall be responsible for the compliance by each such person with the terms of this Section 8.1; or (d) any Regulatory Authority (1) in connection with an examination of any Party; or (2) pursuant to a specific requirement to provide such Cardholder Data by such Regulatory Authority or pursuant to compulsory legal process; provided that such Party seeks the full protection of confidential treatment for any disclosed Cardholder Data to the extent available under Applicable Law governing such disclosure, and with respect to clause (2), to the extent permitted by Applicable Law, such Party (x) provides at least [***] prior notice of such proposed disclosure to the other Parties if reasonably possible under the circumstances, and (y) seeks to redact the Cardholder Data to the fullest extent possible under Applicable Law governing such disclosure.

(B) During the Term of this Amended Program Manager Agreement, the Cardholder Data shall be owned by ▇▇▇▇▇▇ Bank and shall be subject to ▇▇▇▇▇▇ Bank’s privacy policy set forth in each Privacy Notice, and the manner in which such Cardholder Data may be used, shared and disclosed by the Parties during the Term shall be as set forth herein or as addressed in the Program Schedule for each particular Card Program, all in accordance with the Privacy Regulations and Applicable Law. ▇▇▇▇▇▇ Bank shall not, directly or indirectly, use, or sell or otherwise transfer any right in or to, the Cardholder Data other than as provided herein or as mutually agreed by the Parties in a Program Schedule. ▇▇▇▇▇▇ Bank shall ensure that its privacy policy and each Privacy Notice permits, subject to Applicable Law, (i) ▇▇▇▇▇▇ Bank to share Cardholder Data with Manager, Processor and their respective Third Party Service Providers, and (ii) Manager and Processor to use Cardholder Data in the manner described herein or as permitted by Applicable Law.

(C) With respect to the sharing, use and disclosure of Cardholder Data following the expiration or termination of this Amended Program Manager Agreement in its entirety or any Program Schedule, Manager shall securely destroy all Cardholder Data in its possession associated with such terminated Program Schedule(s) as quickly as circumstances permit in accordance with best industry practices and provide a written notice to ▇▇▇▇▇▇ Bank that the destruction of the Cardholder Data has been completed.

(D) Manager shall establish commercially reasonable administrative, technical and physical safeguards for Cardholder Data in its control or possession from time to time. Such safeguards shall be designed for the purpose of: (i) ensuring the security of such records and information; (ii) protecting against any known threats or hazards to the security or integrity of such records and information; (iii) protecting against unauthorized access to or use of such records and information that would result in substantial harm or inconvenience to any Cardholder; and (iv) ensuring the proper disposal of Cardholder Data. Such safeguards shall be established in accordance with Applicable Law, including, without limitation, Section 501 of GLBA and the Interagency Guidelines Establishing Standards for Safeguarding Customer Information adopted pursuant to Section 501 of GLBA.

(E) Subject to any obligations placed upon Manager or Processor by a law enforcement agency, such Party agrees to fully disclose to ▇▇▇▇▇▇ Bank any actual or suspected breach in security which results in unauthorized intrusions into such Party’s computer and other information systems that may materially affect ▇▇▇▇▇▇ Bank and the Cardholders or otherwise may involve the potential unauthorized disclosure, access to, acquisition of, or other loss or use of Cardholder Data, including “sensitive customer information.” As soon as such Party has reason to believe that it has a security breach, and in no event later than [***] after the discovery of any such breach, it shall notify ▇▇▇▇▇▇ Bank in writing and provide (to the extent Manager or Processor has the following information): (i) a description of the breach or loss, including the date it occurred; (ii) the number of individuals or accounts affected and their states of residence; (iii) the information accessed, acquired, lost, or misused; (iv) whether the breach or loss was computerized in nature or a paper loss; (v) whether such information was encrypted or unencrypted; (vi) whether encryption keys or passwords may have been compromised; and (vii) a description of the steps taken to investigate the incident, secure systems or recover lost information, and prevent the recurrence of further security breaches or losses of the same type. For purposes of this subsection (E), “Sensitive Customer Information” includes a consumer’s name, address, or telephone number in conjunction with the consumer’s social security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer’s account, or any combination of components of customer information that would allow someone to log onto or access a customer’s account, such as a username and password, or password and account number. In addition, in the event of an actual or suspected breach in security of Manager’s or Processor’s computer or other information systems, such Party agrees to permit an independent qualified third party auditor to perform an investigation (including the installation of monitoring or diagnostic software or equipment) to locate the source and scope of the breach and provide ▇▇▇▇▇▇ Bank with any material ▇▇▇▇▇▇ Bank-related information that such independent auditor discovers with respect to the breach, all at the expense of Manager or Processor respectively.

(F) Each Party has designed and implemented an information security program that is designed to protect Cardholder Data and information related to Transactions that complies with the requirements under the Network Rules. At all times during the term of the Amended Program Manager Agreement, each Party shall be in compliance with all information and data security requirements promulgated by the Network and applicable to card issuers (as set forth in the Network Rules) and the Interagency Guidelines Establishing Standards for Safeguarding Customer Information (collectively the “Information Security Requirements”), as the same may be revised from time to time. Each Party shall provide the other Parties with copies of all reports on compliance, quarterly and annual status forms and other reports filed by such Party with the Network in accordance with the Network Rules.

Appears in 1 contract

Sources: Prepaid Card Program Manager Agreement (Marqeta, Inc.)

Cardholder Data Security. (A) Each Party acknowledges and agrees that this Amended Program Manager Agreement constitutes an agreement for Manager to perform services for ▇▇▇▇▇▇ Bank as contemplated in Title V of GLBA and the Privacy Regulations. Without limiting the generality of the terms of this Amended Program Manager Agreement, Manager and Processor each agree that they shall protect the privacy of Cardholder Data to at least the same extent that ▇▇▇▇▇▇ Bank must maintain that confidentiality under GLBA and the Privacy Regulations. Without limiting the generality of the foregoing sentence, except as otherwise provided in any Program Schedule, neither Manager nor Processor shall: (i) use any Cardholder Data except to perform its obligations under this Amended Program Manager Agreement (unless such Cardholder Data is used for Manager’s internal business purposes), or (ii) disclose any Cardholder Data other than to: (a) any Network or any other entity to which disclosure is necessary in connection with the processing of a Transaction; (b) a Third Party Service Provider in connection with a permitted use of such Cardholder Data under this Section 8.1, provided that each such Third Party Service Provider agrees in writing to maintain all such Cardholder Data as strictly confidential in perpetuity and not to use or disclose such information to any person other than ▇▇▇▇▇▇ Bank, Manager or Processor, except as required by Applicable Law or any Regulatory Authority (after giving ▇▇▇▇▇▇ Bank, Manager or Processor, as applicable, prior notice and an opportunity to defend against such disclosure) or as permitted under ▇▇▇▇▇▇ Bank’s Privacy Policy; provided, further, that each such Third Party Service Provider maintains, and agrees in writing to maintain, an information security program that is designed to protect Cardholder Data and information related to Transactions, and which complies with the requirements under the Network Rules, including but not limited to the requirement for such Third Party Service Provider, upon termination of any of its associated Card Programs, to securely destroy all Cardholder Data in its possession associated with such Card Program as quickly as circumstances permit in accordance with best industry practices and provide a written notice to ▇▇▇▇▇▇ Bank that the destruction of the Cardholder Data has been completed; (c) its employees, consultants, attorneys and accountants with a need to know such Cardholder Data in connection with a permitted use of such Cardholder Data under this Section 8.1; provided that (1) any such person is bound by terms substantially similar to this Section 8.1 as a condition of employment or of access to Cardholder Data or by professional obligations imposing comparable terms; and (2) such Party shall be responsible for the compliance by each such person with the terms of this Section 8.1; or (d) any Regulatory Authority (1) in connection with an examination of any Party; or (2) pursuant to a specific requirement to provide such Cardholder Data by such Regulatory Authority or pursuant to compulsory legal process; provided that such Party seeks the full protection of confidential treatment for any disclosed Cardholder Data to the extent available under Applicable Law governing such disclosure, and with respect to clause (2), to the extent permitted by Applicable Law, such Party (x) provides at least [********] prior notice of such proposed disclosure to the other Parties if reasonably possible under the circumstances, and (y) seeks to redact the Cardholder Data to the fullest extent possible under Applicable Law governing such disclosure.

(B) During the Term of this Amended Program Manager Agreement, the Cardholder Data shall be owned by ▇▇▇▇▇▇ Bank and shall be subject to ▇▇▇▇▇▇ Bank’s privacy policy set forth in each Privacy Notice, and the manner in which such Cardholder Data may be used, shared and disclosed by the Parties during the Term shall be as set forth herein or as addressed in the Program Schedule for each particular Card Program, all in accordance with the Privacy Regulations and Applicable Law. ▇▇▇▇▇▇ Bank shall not, directly or indirectly, use, or sell or otherwise transfer any right in or to, the Cardholder Data other than as provided herein or as mutually agreed by the Parties in a Program Schedule. ▇▇▇▇▇▇ Bank shall ensure that its privacy policy and each Privacy Notice permits, subject to Applicable Law, (i) ▇▇▇▇▇▇ Bank to share Cardholder Data with Manager, Processor, and their respective Third Party Service Providers, and (ii) Manager and Processor to use Cardholder Data in the manner described herein or as permitted by Applicable Law.

(C) With respect to the sharing, use and disclosure of Cardholder Data following the expiration or termination of this Amended Program Manager Agreement in its entirety or any Program Schedule, Manager shall securely destroy all Cardholder Data in its possession associated with such terminated Program Schedule(s) as quickly as circumstances permit in accordance with best industry practices and provide a written notice to ▇▇▇▇▇▇ Bank that the destruction of the Cardholder Data has been completed.

(D) Manager shall establish commercially reasonable administrative, technical and physical safeguards for Cardholder Data in its control or possession from time to time. Such safeguards shall be designed for the purpose of: (i) ensuring the security of such records and information; (ii) protecting against any known threats or hazards to the security or integrity of such records and information; (iii) protecting against unauthorized access to or use of such records and information that would result in substantial harm or inconvenience to any Cardholder; and (iv) ensuring the proper disposal of Cardholder Data. Such safeguards shall be established in accordance with Applicable Law, including, without limitation, Section 501 of GLBA and the Interagency Guidelines Establishing Standards for Safeguarding Customer Information adopted pursuant to Section 501 of GLBA.

(E) Subject to any obligations placed upon Manager or Processor by a law enforcement agency, such Party agrees to fully disclose to ▇▇▇▇▇▇ Bank any actual or suspected breach in security which results in unauthorized intrusions into such Party’s computer and other information systems that may materially affect ▇▇▇▇▇▇ Bank and the Cardholders or otherwise may involve the potential unauthorized disclosure, access to, acquisition of, or other loss or use of Cardholder Data, including “sensitive customer information.” As soon as such Party has reason to believe that it has a security breach, and in no event later than [********] after the discovery of any such breach, it shall notify ▇▇▇▇▇▇ Bank in writing and provide (to the extent Manager or Processor has the following information): (i) a description of the breach or loss, including the date it occurred; (ii) the number of individuals or accounts affected and their states of residence; (iii) the information accessed, acquired, lost, or misused; (iv) whether the breach or loss was computerized in nature or a paper loss; (v) whether such information was encrypted or unencrypted; (vi) whether encryption keys or passwords may have been compromised; and (vii) a description of the steps taken to investigate the incident, secure systems or recover lost information, and prevent the recurrence of further security breaches or losses of the same type. For purposes of this subsection (E), “Sensitive Customer Information” includes a consumer’s name, address, or telephone number in conjunction with the consumer’s social security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer’s account, or any combination of components of customer information that would allow someone to log onto or access a customer’s account, such as a username and password, or password and account number. In addition, in the event of an actual or suspected breach in security of Manager’s or Processor’s computer or other information systems, such Party agrees to permit an independent qualified third party auditor to perform an investigation (including the installation of monitoring or diagnostic software or equipment) to locate the source and scope of the breach and provide ▇▇▇▇▇▇ Bank with any material ▇▇▇▇▇▇ Bank-related information that such independent auditor discovers with respect to the breach, all at the expense of Manager or Processor respectively.

(F) Each Party has designed and implemented an information security program that is designed to protect Cardholder Data and information related to Transactions that complies with the requirements under the Network Rules. At all times during the term of the Amended Program Manager Agreement, each Party shall be in compliance with all information and data security requirements promulgated by the Network and applicable to card issuers (as set forth in the Network Rules) and the Interagency Guidelines Establishing Standards for Safeguarding Customer Information (collectively the “Information Security Requirements”), as the same may be revised from time to time. Each Party shall provide the other Parties with copies of all reports on compliance, quarterly and annual status forms and other reports filed by such Party with the Network in accordance with the Network Rules.

Appears in 1 contract

Sources: Prepaid Card Program Management Agreement (Cuentas Inc.)
