Common use of Data Breach Notification and Mitigation Under Other Laws Clause in Contracts

Data Breach Notification and Mitigation Under Other Laws. In addition, Business Associate agrees to implement reasonable systems for the discovery and prompt reporting of any breach of individually identifiable information (including but not limited to PHI and referred to hereinafter as “Individually Identifiable Information”) and Sensitive Personal Information subject to Section 521.053 of the Texas Business and Commerce Code that, if misused, disclosed, lost or stolen, would trigger an obligation under one or more State data breach notification laws (each a “State Breach”) to notify the individuals who are the subject of the information. Business Associate agrees that in the event any Individually Identifiable Information and Sensitive Personal Information is lost, stolen, used or disclosed in violation of one or more State laws, Business Associate shall promptly: (i) notify the Covered Entity within 15 calendar days of such misuse, disclosure, loss or theft; (ii) cooperate and assist Covered Entity with any investigation into any State Breach or alleged State Breach; (iii) cooperate and assist Covered Entity with any investigation into any State Breach or alleged State Breach conducted by any State Attorney General or State Consumer Affairs Department (or their respective agents); (iv) cooperate with Covered Entity regarding the obligations of Covered Entity and Business Associate to mitigate to the extent practicable any potential harm to the individuals impacted by the State Breach; and (v) assist with the implementation of any decision by any State agency, including any State Attorney General or State Consumer Affairs Department (or their respective agents), to notify individuals impacted or potentially impacted by a State Breach. This requirement shall survive the expiration or termination of this Agreement and shall remain in effect for so long as Business Associate maintains PHI, Individually Identifiable Information, or Sensitive Personal Information.

Data Breach Notification and Mitigation Under Other Laws. In additionaddition to the requirements of Section 9.1, Business Associate Subcontractor agrees to implement reasonable systems for the discovery and prompt reporting of any breach of individually identifiable information (including but not limited to PHI and referred to hereinafter as “Individually Identifiable Information”) and Sensitive Personal Information subject to Section 521.053 of the Texas Business and Commerce Code that, if misused, disclosed, lost or stolen, would trigger an obligation under one or more State data breach notification laws (each a “State Breach”) to notify the individuals who are the subject of the information. Business Associate Subcontractor agrees that in the event any Individually Identifiable Information and Sensitive Personal Information is lost, stolen, used or disclosed in violation of one or more State data breach notification laws, Business Associate Subcontractor shall promptly: (i) notify the Covered Entity TokenEx within 15 calendar five (5) business days of such misuse, disclosure, loss or theftState Breach; (ii) if known to Subcontractor, identify in writing for TokenEx the individuals impacted by and scope of impact of any State Breach (e.g., individuals from which the Individually Identifiable Information that was subject to a State Breach originated and/or databases, instances, etc. impacted by the State Breach) no later than five (5) business days following such State Breach; (iii) cooperate and assist Covered Entity TokenEx with any investigation into any State Breach or alleged State Breach; (iiiiv) cooperate and assist Covered Entity TokenEx with any investigation into any State Breach or alleged State Breach conducted by any State Attorney General or State Consumer Affairs Department (or their respective agents); (ivv) cooperate with Covered Entity TokenEx regarding the respective obligations of Covered Entity TokenEx and Business Associate Subcontractor to mitigate to the extent practicable any potential harm to the individuals impacted by the State Breach; and (vvi) assist with the implementation of any decision by any State agency, including any State Attorney General or State Consumer Affairs Department (or their respective agents), to notify individuals impacted or potentially impacted by a State Breach. This requirement Section 9.2 shall survive the expiration or termination of this Agreement and shall remain in effect for so long as Business Associate Subcontractor maintains PHI, PHI or Individually Identifiable Information, or Sensitive Personal Information.