Common use of Data Incident Response Clause in Contracts

Data Incident Response. Vendor shall maintain documented policies and procedures for Data Incident and breach reporting, notification, and mitigation. If Vendor becomes aware of any Data Incident, it shall notify Xxxxxxxx immediately and cooperate with Xxxxxxxx regarding recovery, remediation, and the necessity to involve law enforcement, as determined by Thornton. If there is a Data Incident impacting residents of Colorado or any other jurisdiction, Vendor shall cooperate with Thornton to satisfy notification requirements as currently defined in either federal, state, or local law. Unless Vendor can establish that neither Vendor nor any of its agents, employees, assigns or Subcontractors are the cause or source of the Data Incident, Vendor shall be responsible for the cost of notifying each person who may have been impacted by the Data Incident as required by law. After a Data Incident, Vendor shall take steps to reduce the risk of incurring a similar type of Data Incident in the future as directed by Xxxxxxxx, which may include, but is not limited to, developing and implementing a remediation plan that is approved by Xxxxxxxx at no additional cost to Xxxxxxxx. Vendor shall report, either orally or in writing, to Xxxxxxxx any Data Incident involving City Data, or circumstances that could have resulted in unauthorized access to, disclosure, or use of City Data, not authorized by this Agreement or in writing by Xxxxxxxx, including any reasonable belief that an unauthorized individual has accessed City Data. Vendor shall make the report to Xxxxxxxx immediately upon discovery of the unauthorized disclosure, but in no event more than forty-eight (48) hours after Vendor reasonably believes there has been such unauthorized use or disclosure. Oral reports by Vendor regarding Data Incidents will be reduced to writing and supplied to Xxxxxxxx as soon as reasonably practicable, but in no event more than forty-eight (48) hours after oral report. Immediately upon becoming aware of any such Data Incident, Vendor shall fully investigate the circumstances, extent and causes of the Data Incident, and report the results to Xxxxxxxx and continue to keep Xxxxxxxx informed daily of the progress of its investigation until the issue has been effectively resolved. Vendor’s report discussed herein shall identify: (i) the nature of the unauthorized use or disclosure, (ii) the data used or disclosed, (iii) who made the unauthorized use or received the unauthorized disclosure (if known), (iv) what Vendor has done or shall do to mitigate any deleterious effect of the unauthorized use or disclosure, and (v) what corrective action Vendor has taken or shall take to prevent future similar unauthorized use or disclosure. Within five (5) Calendar Days of the date the Vendor becomes aware of any such Data Incident, the Vendor shall have completed implementation of corrective actions to remedy the Data Incident, restore Xxxxxxxx’x access to the Services as directed by Xxxxxxxx, and prevent further similar unauthorized use or disclosure. Vendor, at its expense, shall cooperate fully with Xxxxxxxx’x investigation of and response to any such Data Incident. Except as otherwise required by law, Vendor will not disclose or otherwise provide notice of the incident directly to any person, regulatory agencies, or other entities, without prior written permission from Xxxxxxxx. Notwithstanding any other provision of this Agreement, and in addition to any other remedies available to Xxxxxxxx under law or equity, Vendor will promptly reimburse Xxxxxxxx in full for all costs incurred by Xxxxxxxx in any investigation, remediation or litigation resulting from any such Data Incident, including but not limited to, providing notification to Third Parties whose data were compromised and to regulatory bodies, law-enforcement agencies or other entities as required by law or contract; establish and monitor call center(s), and credit monitoring and/or identity restoration services to assist each person impacted by a Data Incident in such a fashion that, in Xxxxxxxx’x sole discretion, could lead to identity theft; and the payment of legal fees and expenses, audit costs, fines and penalties, and other fees imposed by regulatory agencies, courts of law, or contracting partners as a result of the Data Incident.