Common use of Data Security Incident Clause in Contracts

Data Security Incident.

a. Vendor will maintain, update and document an Incident Response Plan (“IRP”), and will manage, document, review, investigate and resolve all Security Incidents in accordance with the IRP.

b. Vendor agrees to notify University of a Security Incident at ▇▇▇▇▇▇▇▇@▇▇▇▇▇▇▇.▇▇▇ as soon as reasonably practicable and without undue delay. Such notice must include (i) a description of the incident, including the type of incident (e.g., theft, loss, improper disclosure, unauthorized access), location of the incident (e.g., laptop, desktop, paper), how the incident occurred, the date the incident occurred, and the date the incident was discovered; (ii) a description of the type of University Data involved (e.g., user data, intellectual property, etc.); (iii) a description of the potentially impacted individuals; (iv) a description of the actions taken in response to the Security Incident (e.g., additional safeguards, mitigation, sanctions, policies, and procedures); and (v) all other information reasonably requested by University or necessary to provide notice to individuals and/or regulators, including a forensic report summarizing the findings of a forensic investigation. University acknowledges that certain information may not be immediately available and can be provided on a rolling basis as it is discovered (within 72 hours of discovery).

c. In facilitating the investigation and remediation of a Security Incident, Vendor will cooperate fully with University. Vendor may not inform any third party of any Security Incident without first obtaining the University’s written consent, except as may be required by law. Vendor agrees to reimburse University for reasonable costs and expenses incurred (including legal fees) in responding to, remediating, and/or mitigating damages caused by a Security Incident or in following up a complaint by an individual or a regulator. Vendor will take all necessary and appropriate corrective actions, including as may be reasonably instructed by University, to remedy or mitigate any Security Incident.

Appears in 2 contracts

Sources: Information Security and Privacy Addendum, Information Security and Privacy Addendum