Common use of Data Security and Unauthorized Data Release Clause in Contracts

Data Security and Unauthorized Data Release. i. The Requesting Institution and PI agree to notify CPCSSN of any unauthorized Data sharing, breaches of data security, or inadvertent Data releases that may compromise Data confidentiality within 24 hours of when the incident is identified. As permitted by law, notifications should include any known information regarding the incident and a general description of the activities or process in place to define and remediate the situation fully. Within 3 business days of CPCSSN notification, the Requesting Institution agrees to submit to CPCSSN a detailed written report including the date and nature of the event, actions taken or to be taken to remediate the issue(s), and plans or processes developed to prevent further problems, including specific information on timelines anticipated for action. The Requesting Institution agrees to provide documentation verifying that the remediation plans have been implemented. Repeated violations or unresponsiveness to CPCSSN requests may result in further compliance measures affecting the Requesting Institution. ii. Requesting Institution, Approved Users and their associates agree to support CPCSSN investigations arising from any breaches reported in accordance with section 7(i) above and provide information, within the limits of applicable laws and regulations. In addition, Requesting Institution and Approved Users agree to work with CPCSSN to assure that plans and procedures that are developed to address identified problems are mutually acceptable and consistent with applicable law.