Identity Protection Law. Grantee must have and maintain a formal written information security program that provides safeguards to protect Confidential Information from loss, theft, and disclosure to unauthorized persons, as required by the Oregon Consumer Information Protection Act, ORS 646A.600-628. If Grantee or its agents discover or are notified of a potential or actual “Breach of Security”, as defined by ORS 646A.602(1)(a), or a failure to comply with the requirements of ORS 646A.600-628, (collectively, “Breach”) with respect to Confidential Information, Grantee must promptly but in any event within one calendar day (i) notify the Agency Grant Manager of such Breach and (ii) if the applicable Confidential Information was in the possession of Grantee or its agents at the time of such Breach, Grantee must (a) investigate and remedy the technical causes and technical effects of the Breach and (b) provide Agency with a written root cause analysis of the Breach and the specific steps Grantee will take to prevent the recurrence of the Breach or to ensure the potential Breach will not recur. For the avoidance of doubt, if Agency determines notice is required of any such Breach to any individual(s) or entity(ies), Agency will have sole control over the timing, content, and method of such notice, subject to Grantee’s obligations under applicable law. Subgrants/Contracts. Grantee must require any subgrantees, contractors or subcontractors under this Grant who are exposed to or acquire Confidential Information to treat and maintain such information in the same manner as is required of Grantee under subsections 10.1 and 10.2 of this Section.
Appears in 4 contracts
Samples: Grant Agreement, Oregon Grant Agreement, Oregon Grant Agreement
