Common use of Incident Response Program Clause in Contracts

Incident Response Program. (a) EVERTEC represents and warrants to BPPR that it has implemented, and hereby undertakes to maintain and update, a comprehensive response program that includes processes and procedures (including notification procedures to Affected Persons) designed to address incidents of unauthorized access involving BPPR Data or Cardholder information in accordance with applicable Legal Requirements and Industry Standards.

(b) If EVERTEC becomes aware of an Incident, to the extent it is not prohibited by applicable Legal Requirements, EVERTEC agrees to:

(i) notify BPPR as soon as practicable, and in any event within twenty-four (24) hours, following EVERTEC’s becoming aware of an Incident. The initial notification must be made to the BPPR Chief Information Security Officer, and must include based on then-available information: (i) the available facts; (ii) the status and results of the investigation including identifying the sources and underlying causes of the Incident; (iii) the estimated effects on BPPR, BPPR Data or Cardholder information and the ability of EVERTEC to perform its obligations under this Agreement; (iv) the steps already taken to mitigate, remedy and contain the Incident; (v) if applicable, the potential number of affected Merchants, Government-Merchants, customers, consumers, and/or employees affected (collectively “Affected Persons”); and (vi) the name and contact information of EVERTEC’s representative who will serve as BPPR’s primary contact;

(ii) provide BPPR with prompt updates to any information referenced in clause (i) above;

(iii) take all reasonable steps, at EVERTEC’s sole cost and expense (unless such Incident was caused by BPPR or any of its subsidiaries or any contractor or subcontractor thereof), in accordance with its Data Protection Program and Incident Response Program to immediately mitigate and/or remedy, at EVERTEC’s expense, such Incident and contain its further occurrence;

(iv) reasonably coordinate and cooperate with BPPR representatives in any required investigation and provide periodic updates regarding the Incident, including: (i) providing access to the affected facilities and affected operations as necessary for the BPPR or its auditors to conduct investigations required to be conducted by BPPR by Legal Requirements and applicable Rules (provided that BPPR shall reimburse EVERTEC for any losses incurred by EVERTEC in connection with any unauthorized access or intrusion to EVERTEC’s Systems, or any Disabling Device introduced to EVERTEC’s Systems, as a result of a breach of this Agreement, failure to comply with reasonable security policies and procedures that are provided in writing to BPPR with reasonable advance notice by EVERTEC, gross negligence, fraud or willful misconduct of BPPR in connection with its access to EVERTEC’s Systems pursuant to this Section 5.3); (ii) facilitating interviews with EVERTEC’s Personnel with knowledge of the Incident; and (iii) making available all relevant records, logs, files, data reporting, forensics or audit reports and other materials required by BPPR to allow BPPR to comply with applicable Legal Requirements and Rules, provided that EVERTEC will not be required to provide BPPR with information belonging to, or compromising the security of, EVERTEC or its other customers;

(v) provide reasonable cooperation to BPPR in any litigation, Association or Governmental Authority inquiries, or other third party action arising out of or resulting from the Incident and deemed necessary by BPPR to protect the BPPR Data or Cardholder information and comply with applicable Legal Requirements and Rules, at the expense of BPPR unless such Incident (A) was caused by EVERTEC’s or its Representatives’ gross negligence, fraud, willful misconduct or breach of this Agreement; or (B) involves NPPI obtained by or on behalf of EVERTEC from Merchants, transaction data, or Cardholder information;

(vi) except as may be required by applicable Legal Requirements or Rules, not communicate with any third party other than EVERTEC’s Representatives, including the media, vendors, and Affected Persons, regarding the Incident (as it relates to BPPR) without BPPR’s consent and approval of the content of the communication. EVERTEC agrees that regarding the impact of the Incident on BPPR, EVERTEC will use Best Efforts to consult and coordinate with BPPR with respect to the following matters: (i) whether notice of the Incident is to be provided to any individual, Governmental Authority, law enforcement agency, consumer reporting agencies or others as required by applicable Legal Requirements or otherwise; (ii) the contents of such notice; and (iii) whether any type of remediation may be offered to Affected Persons (including any free credit monitoring service), and the nature and extent of any such remediation;

(vii) report criminal acts as and to the extent required by applicable Legal Requirements and Governmental Authorities and notify BPPR as soon as practicable prior to such reporting; and

(viii) maintain and preserve all relevant documents, records, and other data related to BPPR Data or Cardholder information.

Appears in 1 contract

Sources: Sponsorship and Services Agreement (EVERTEC, Inc.)

Incident Response Program. (ai) Without limiting Section 5.2(a), EVERTEC represents and warrants to COMPANY and BPPR that it has implemented, and hereby undertakes to maintain and update, a comprehensive response program that includes processes and procedures (including notification procedures to Affected Persons) designed to address incidents of unauthorized access involving BPPR Personal Data or Cardholder information in accordance with applicable Legal Requirements and Industry Standards. (bii) If EVERTEC becomes aware of an Incident, to the extent it is not prohibited by applicable Legal Requirements, EVERTEC agrees to: (i1) notify COMPANY and BPPR as soon as practicable, and in any event within twenty-four (24) hours, following EVERTEC’s becoming aware of an Incident. The initial notification must be made to the BPPR Chief Information Security Officer, and must include based on then-available information: (i) the available facts; (ii) the status and results of the investigation including identifying the sources and underlying causes of the Incident; (iii) the estimated effects on COMPANY, BPPR, BPPR Data or Cardholder information and the ability of EVERTEC to perform its obligations under this AgreementServices; (iv) the steps already taken to mitigate, remedy and contain the Incident; (v) if applicable, the potential number of affected Merchants, Government-Merchants, customers, consumers, and/or employees affected (collectively “Affected Persons”); and (vi) the name and contact information of EVERTEC’s representative who will serve as COMPANY’s and BPPR’s primary contact; (ii2) provide COMPANY and BPPR with prompt updates to any information referenced in clause (i1) above; (iii3) take all reasonable steps, at EVERTEC’s sole cost and expense (unless such Incident was caused by BPPR or COMPANY, BPPR, any of its their subsidiaries or any contractor or subcontractor thereof), in accordance with its Data Protection Program and Incident Response Program to 
immediately mitigate and/or remedy, at EVERTEC’s expense, such Incident and contain its further occurrence; (iv4) reasonably coordinate and cooperate with BPPR representatives in any required investigation and provide periodic updates regarding the Incident, including: (i) providing access to the affected facilities and affected operations as necessary for the BPPR or its auditors to conduct investigations required to be conducted by BPPR by Legal Requirements and applicable Rules (provided that BPPR shall reimburse EVERTEC for any losses incurred by EVERTEC in connection with any unauthorized access or intrusion to EVERTEC’s Systems, or any Disabling Device introduced to EVERTEC’s Systems, as a result of a breach of this Agreement, failure to comply with reasonable security policies and procedures that are provided in writing to BPPR with reasonable advance notice by EVERTEC, gross negligence, fraud or willful misconduct of BPPR in connection with its access to EVERTEC’s Systems pursuant to this Section 5.3); (ii) facilitating interviews with EVERTEC’s Personnel with knowledge of the Incident; and (iii) making available all relevant records, logs, files, data reporting, forensics or audit reports and other materials required by BPPR to allow BPPR to comply with applicable Legal Requirements and Rules, provided that EVERTEC will not be required to provide BPPR with information belonging to, or compromising the security of, EVERTEC or its other customers; (v) provide reasonable cooperation to BPPR in any litigation, Association or Governmental Authority inquiries, or other third party action arising out of or resulting from if the Incident and deemed necessary by BPPR to protect the BPPR Data or Cardholder information and comply with applicable Legal Requirements and Rules, at the expense of BPPR unless such Incident (A) was caused by EVERTEC’s or its Representatives’ Representative’s breach of this Master Agreement or gross negligence, fraudfraud or willful 
misconduct, willful misconduct recover and reconstruct BPPR Data lost or breach of this Agreementcompromised in the Incident; or (B) involves NPPI obtained by or on behalf of EVERTEC from Merchants, transaction data, or Cardholder information; (vi) except as may provided that costs incurred in connection with such recovery and reconstruction shall be required by applicable Legal Requirements or Rules, not communicate with any third party other than EVERTEC’s Representatives, including the media, vendors, and Affected Persons, regarding the Incident (as it relates to BPPR) without BPPR’s consent and approval of the content of the communication. EVERTEC agrees that regarding the impact of the Incident on BPPR, EVERTEC will use Best Efforts to consult and coordinate with BPPR with respect subject to the following matters: (i) whether notice of the Incident is to be provided to any individual, Governmental Authority, law enforcement agency, consumer reporting agencies or others as required by applicable Legal Requirements or otherwise; (ii) the contents of such notice; and (iii) whether any type of remediation may be offered to Affected Persons (including any free credit monitoring service), and the nature and extent of any such remediationData Cap; (vii) report criminal acts as and to the extent required by applicable Legal Requirements and Governmental Authorities and notify BPPR as soon as practicable prior to such reporting; and (viii) maintain and preserve all relevant documents, records, and other data related to BPPR Data or Cardholder information.

Appears in 1 contract

Sources: Master Service Agreement (EVERTEC, Inc.)

Incident Response Program. (ai) Without limiting Section 5.2(a), EVERTEC represents and warrants to COMPANY and BPPR that it has implemented, and hereby undertakes to maintain and update, a comprehensive response program that includes processes and procedures (including notification procedures to Affected Persons) designed to address incidents of unauthorized access involving BPPR Personal Data or Cardholder information in accordance with applicable Legal Requirements and Industry Standards. (bii) If EVERTEC becomes aware of an Incident, to the extent it is not prohibited by applicable Legal Requirements, EVERTEC agrees to: (i1) notify COMPANY and BPPR as soon as practicable, and in any event within twenty-four (24) hours, following EVERTEC’s becoming aware of an Incident. The initial notification must be made to the BPPR Chief Information Security Officer, and must include based on then-available information: (i) the available facts; (ii) the status and results of the investigation including identifying the sources and underlying causes of the Incident; (iii) the estimated effects on COMPANY, BPPR, BPPR Data or Cardholder information and the ability of EVERTEC to perform its obligations under this AgreementServices; (iv) the steps already taken to mitigate, remedy and contain the Incident; (v) if applicable, the potential number of affected Merchants, Government-Merchants, customers, consumers, and/or employees affected (collectively “Affected Persons”); and (vi) the name and contact information of EVERTEC’s representative who will serve as COMPANY’s and BPPR’s primary contact; (ii2) provide COMPANY and BPPR with prompt updates to any information referenced in clause (i1) above; (iii3) take all reasonable steps, at EVERTEC’s sole cost and expense (unless such Incident was caused by BPPR or COMPANY, BPPR, any of its their subsidiaries or any contractor or subcontractor thereof), in accordance with its Data Protection Program and Incident Response Program to 
immediately mitigate and/or remedy, at EVERTEC’s expense, such Incident and contain its further occurrence; (iv4) if the Incident was caused by EVERTEC’s or its Representative’s breach of this Master Agreement or gross negligence, fraud or willful misconduct, recover and reconstruct BPPR Data lost or compromised in the Incident; provided that costs incurred in connection with such recovery and reconstruction shall be subject to the Data Cap; (5) reasonably coordinate and cooperate with COMPANY and BPPR representatives in any required investigation and provide periodic updates regarding the Incident, including: (i) providing access to the affected facilities and affected operations as necessary for the BPPR Popular Parties or its their auditors to conduct investigations required to be conducted by BPPR the Popular Parties by Legal Requirements and applicable Rules (provided that BPPR subject to Section 4.5 COMPANY or BPPR, as applicable, shall reimburse EVERTEC for any losses Losses incurred by EVERTEC in connection with any unauthorized access or intrusion to EVERTEC’s Systems, or any Disabling Device introduced to EVERTEC’s Systems, as a result of a breach of this Master Agreement, failure to comply with reasonable security policies and procedures that are provided in writing to BPPR with reasonable advance notice by EVERTECapplicable EVERTEC Security Requirements, gross negligence, fraud or willful misconduct of COMPANY or BPPR in connection with its access to EVERTEC’s Systems pursuant to this Section 5.35.2(e)(ii)(5); (ii) facilitating interviews with EVERTEC’s Personnel with knowledge of the Incident; and (iii) making available all relevant records, logs, files, data reporting, forensics or audit reports and other materials required by COMPANY or BPPR to allow COMPANY and BPPR to comply with applicable Legal Requirements and RulesRequirements, provided that EVERTEC will not be required to provide COMPANY or BPPR with information belonging to, or compromising 
the security of, EVERTEC or its other customers; (v6) provide reasonable cooperation to with COMPANY and BPPR in any litigation, Association or Governmental Authority inquiries, or other third party Third Party action arising out of or resulting from the Incident and deemed necessary by COMPANY or BPPR to protect the BPPR Data or Cardholder information and comply with applicable Legal Requirements and RulesRequirements, at the expense of COMPANY and BPPR unless such Incident (A) was caused by EVERTEC’s or its Representatives’ Representative’s gross negligence, fraud, willful misconduct or breach of this Master Agreement; or (B) involves NPPI obtained by or on behalf of EVERTEC from Merchants, transaction data, or Cardholder information; (vi7) except as may be required by applicable Legal Requirements or RulesRequirements, not communicate with any third party Third Party other than EVERTEC’s Representatives, including the media, vendors, and Affected Persons, regarding the Incident (as it relates to COMPANY or BPPR) without COMPANY’s or BPPR’s express written consent and approval of the content of the communication. 
EVERTEC agrees that regarding the impact of the Incident on COMPANY or BPPR, EVERTEC COMPANY and BPPR will use Best Efforts have the sole right to consult and coordinate with BPPR with respect to the following mattersdetermine: (i) whether notice of the Incident is to be provided to any individual, Governmental Authority, law enforcement agency, consumer reporting agencies or others as required by applicable Legal Requirements or otherwise; (ii) the contents of such notice; and (iii) whether any type of remediation may be offered to Affected Persons (including any free credit monitoring service), and the nature and extent of any such remediation; (vii) 8) report criminal acts as and to the extent required by applicable Legal Requirements and Governmental Authorities and notify COMPANY and BPPR as soon as practicable prior to such reporting; and (viii9) maintain and preserve all relevant documents, records, and other data related to any Incident involving BPPR Data for the period required by COMPANY or Cardholder informationBPPR.

Appears in 1 contract

Sources: Master Service Agreement (Popular, Inc.)