Common use of Encryption of Data Clause in Contracts

Encryption of Data.

a. The Contractor, at its own expense, shall encrypt any and all electronically stored data now or hereafter in its possession or control located on non-State owned or managed devices that the State, in accordance with its existing state policies, classifies as confidential or restricted. The method of encryption shall be compliant with the State of Connecticut Enterprise Wide Technical Architecture ("EWTA") or such other method as deemed acceptable by the Agency. This shall be a continuing obligation for compliance with the EWTA standard as it may change from time to time.

b. The Contractor and Contractor Parties shall notify the State, the Agency, and the Connecticut Office of the Attorney General as soon as practical, but no later than twenty-four (24) hours after they become aware of or suspect that any and all data which Contractor has come to possess or control under subsection 1 above have been subject to a "data breach". For the purpose of this Section, a "data breach" is an occurrence where (a) any or all of the data are misplaced, lost, stolen or in any way compromised; or (2) one or more third parties have had access to or taken control or possession of any or all of the data without prior written authorization from the Agency.

c. In addition to the notification requirements of subsection 2, should a data breach occur, the Contractor shall, within three (3) business days after the notification, present to the State, the Agency and the Connecticut Office of the Attorney General, for review and approval, a credit monitoring or protection plan that the Contractor shall make available at its own cost and expense to all individuals affected by the data breach. Unless otherwise agreed to in writing by the Connecticut Office of the Attorney General, such a plan shall be offered to each such individual free of charge and shall consist of, at a minimum, the following:

1) Reimbursement for the cost of placing and lifting one (1) security freeze per credit file pursuant to Connecticut General Statute Section 36a-701a;
2) Credit monitoring services consisting of automatic daily monitoring of at least three (3) relevant credit bureaus reports;
3) Fraud resolution services, including writing dispute letters, initiating fraud alerts and security freezes, to assist affected individuals to bring matters to resolution; and
4) Identity theft insurance with at least $25,000 coverage.

Such monitoring or protection plans shall cover a length of time commensurate with circumstances of the data breach, but under no circumstances shall the Contractor's credit monitoring and protection plan be for less than two (2) calendar years from the plan start date. The Contractor's costs and expenses for the credit monitoring and protection plan shall not be recoverable from the State or the Agency.

d. The Contractor resolves and warrants that it shall obligate each Contractor Party in a written contract to all of the terms of this section just as if each Contractor Party had executed this Agreement as in original signatory and each were bound by this Section to the same extent that the Contract is bound.

e. The Contractor's or Contractor Parties' failure to encrypt the data, provide notice, or to provide the credit monitoring or protection plan shall be deemed to be, without more, a material breach of this Agreement. The Contractor shall be responsible for any Contractor Parties' breach as if the Contractor itself had breached the Agreement. Consequently, and without otherwise limiting the rights of the State at law or in equity, the Contractor shall indemnify and hold harmless the State and the Agency, as appropriate, for any and all damages, costs and expenses associated directly or indirectly with Contractor's or Contractor Parties' breach. The damages, costs and expenses shall include, but not be limited to those resulting from any corresponding contracting for credit or identity protection services, or both, and from any subsequent non-State use of any data.

Appears in 1 contract

Sources: Purchase of Service Contract

Encryption of Data.

1. The Contractor, at its own expense, shall encrypt any and all electronically stored data now or hereafter in its possession or control located on non-State owned or managed devices that the State, in accordance with its existing state policies, classifies as confidential or restricted. The method of encryption shall be compliant with the State of Connecticut Enterprise Wide Technical Architecture ("EWTA") or such other method as deemed acceptable by the Agency. This shall be a continuing obligation for compliance with the EWTA standard as it may change from time to time.

2. The Contractor and Contractor Parties shall notify the State, the Agency, and the Connecticut Office of the Attorney General as soon as practical, but no later than twenty-four (24) hours after they become aware of or suspect that any and all data which Contractor has come to possess or control under subsection 1 above have been subject to a "data breach". For the purpose of this Section, a "data breach" is an occurrence where (a) any or all of the data are misplaced, lost, stolen or in any way compromised; or (2) one or more third parties have had access to or taken control or possession of any or all of the data without prior written authorization from the Agency.

3. In addition to the notification requirements of subsection 2, should a data breach occur, the Contractor shall, within three (3) business days after the notification, present to the State, the Agency and the Connecticut Office of the Attorney General, for review and approval, a credit monitoring or protection plan that the Contractor shall make available at its own cost and expense to all individuals affected by the data breach. Unless otherwise agreed to in writing by the Connecticut Office of the Attorney General, such a plan shall be offered to each such individual free of charge and shall consist of, at a minimum, the following:

a. Reimbursement for the cost of placing and lifting one (1) security freeze per credit file pursuant to Connecticut General Statute Section 36a-701a;
b. Credit monitoring services consisting of automatic daily monitoring of at least three (3) relevant credit bureaus reports;
c. Fraud resolution services, including writing dispute letters, initiating fraud alerts and security freezes, to assist affected individuals to bring matters to resolution; and
d. Identity theft insurance with at least $25,000 coverage.

Such monitoring or protection plans shall cover a length of time commensurate with circumstances of the data breach, but under no circumstances shall the Contractor's credit monitoring and protection plan be for less than two (2) calendar years from the plan start date. The Contractor's costs and expenses for the credit monitoring and protection plan shall not be recoverable from the State or the Agency.

4. The Contractor resolves and warrants that it shall obligate each Contractor Party in a written contract to all of the terms of this section just as if each Contractor Party had executed this Agreement as in original signatory and each were bound by this Section to the same extent that the Contract is bound.

5. The Contractor's or Contractor Parties' failure to encrypt the data, provide notice, or to provide the credit monitoring or protection plan shall be deemed to be, without more, a material breach of this Agreement. The Contractor shall be responsible for any Contractor Parties' breach as if the Contractor itself had breached the Agreement. Consequently, and without otherwise limiting the rights of the State at law or in equity, the Contractor shall indemnify and hold harmless the State and the Agency, as appropriate, for any and all damages, costs and expenses associated directly or indirectly with Contractor's or Contractor Parties' breach. The damages, costs and expenses shall include, but not be limited to those resulting from any corresponding contracting for credit or identity protection services, or both, and from any subsequent non-State use of any data.

Appears in 1 contract

Sources: Contract Agreement