{"component": "clause", "props": {"groups": [{"snippet": "The Contractor must notify the State\u2019s Privacy Officer and Security Officer of any Security Incidents and Breaches immediately, at the email addresses provided in Section VI. The Contractor must further handle and report Incidents and Breaches involving PHI in accordance with the agency\u2019s documented Incident Handling and Breach Notification procedures and in accordance with 42 C.F.R. \u00a7\u00a7 431.300 - 306. In addition to, and notwithstanding, Contractor\u2019s compliance with all applicable obligations and procedures, Contractor\u2019s procedures must also address how the Contractor will:\n1. Identify Incidents;\n2. \u2587\u2587\u2587\u2587\u2587\u2587\u2587\u2587\u2587 if personally identifiable information is involved in Incidents;\n3. Report suspected or confirmed Incidents as required in this Exhibit or P-37;\n4. Identify and convene a core response group to determine the risk level of Incidents and determine risk-based responses to Incidents; and\n5. Determine whether Breach notification is required, and, if so, identify appropriate Breach notification methods, timing, source, and contents from among different options, and bear costs associated with the Breach notice as well as any mitigation measures. Incidents and/or Breaches that implicate PI must be addressed and reported, as applicable, in accordance with NH RSA 359-C:20.", "snippet_links": [{"key": "the-contractor-must", "type": "clause", "offset": [0, 19]}, {"key": "the-state", "type": "clause", "offset": [27, 36]}, {"key": "privacy-officer", "type": "definition", "offset": [39, 54]}, {"key": "security-officer", "type": "clause", "offset": [59, 75]}, {"key": "incidents-and-breaches", "type": "clause", "offset": [92, 114]}, {"key": "email-addresses", "type": "clause", "offset": [135, 150]}, {"key": "in-section-vi", "type": "clause", "offset": [160, 173]}, {"key": "in-accordance-with", "type": "definition", "offset": [258, 276]}, {"key": "the-agency", "type": "clause", "offset": [277, 287]}, {"key": "incident-handling", "type": "clause", "offset": [301, 318]}, {"key": "notification-procedures", "type": "clause", "offset": [330, 353]}, {"key": "in-addition-to", "type": "clause", "offset": [405, 419]}, {"key": "compliance-with", "type": "clause", "offset": [455, 470]}, {"key": "applicable-obligations", "type": "definition", "offset": [475, 497]}, {"key": "and-procedures", "type": "clause", "offset": [498, 512]}, {"key": "the-contractor-will", "type": "clause", "offset": [560, 579]}, {"key": "personally-identifiable-information", "type": "clause", "offset": [620, 655]}, {"key": "as-required", "type": "clause", "offset": [725, 736]}, {"key": "this-exhibit", "type": "definition", "offset": [740, 752]}, {"key": "risk-level", "type": "definition", "offset": [825, 835]}, {"key": "determine-whether", "type": "clause", "offset": [905, 922]}, {"key": "notification-methods", "type": "clause", "offset": [996, 1016]}, {"key": "associated-with", "type": "definition", "offset": [1092, 1107]}, {"key": "breach-notice", "type": "clause", "offset": [1112, 1125]}, {"key": "mitigation-measures", "type": "definition", "offset": [1141, 1160]}], "size": 42, "samples": [{"hash": "6h0foyJfKFp", "uri": "/contracts/6h0foyJfKFp#loss-reporting", "label": "Contract Agreement", "score": 34.0977554321, "published": true}, {"hash": "8cUjtSiqN2V", "uri": "/contracts/8cUjtSiqN2V#loss-reporting", "label": "Contract Agreement", "score": 33.7490577698, "published": true}, {"hash": "Q8bLPqRstJ", "uri": "/contracts/Q8bLPqRstJ#loss-reporting", "label": "Contract Agreement", "score": 33.7339630127, "published": true}], "hash": "ff8ada729027c384cbb69706071b8f99", "id": 1}, {"snippet": "The Principal has the responsibility to maintain proper custody of deposit certificates and the original authorized seal. Any losses or damages must be reported immediately to the Bank. Until the Bank receives a written report of the loss, the Bank shall not be held liable for honoring payment to any third party who presents forged documents or original authorized seal if the Bank has already exercised the due care of a good administrator.", "snippet_links": [{"key": "the-principal", "type": "definition", "offset": [0, 13]}, {"key": "responsibility-to-maintain", "type": "clause", "offset": [22, 48]}, {"key": "the-original", "type": "definition", "offset": [92, 104]}, {"key": "losses-or-damages", "type": "clause", "offset": [126, 143]}, {"key": "to-the-bank", "type": "clause", "offset": [173, 184]}, {"key": "report-of-the", "type": "clause", "offset": [220, 233]}, {"key": "the-bank-shall", "type": "clause", "offset": [240, 254]}, {"key": "payment-to", "type": "clause", "offset": [287, 297]}, {"key": "third-party", "type": "clause", "offset": [302, 313]}, {"key": "due-care", "type": "definition", "offset": [410, 418]}], "size": 11, "samples": [{"hash": "1GNideCQFNc", "uri": "/contracts/1GNideCQFNc#loss-reporting", "label": "General Agreement for Account Opening", "score": 35.0896110535, "published": true}, {"hash": "ezN8G6lc46W", "uri": "/contracts/ezN8G6lc46W#loss-reporting", "label": "General Agreement for Account Opening", "score": 28.1252574921, "published": true}, {"hash": "1ET9S2dQcfE", "uri": "/contracts/1ET9S2dQcfE#loss-reporting", "label": "General Agreement for Account Opening", "score": 28.0978775024, "published": true}], "hash": "d41267a0f1be38fcade22f5a77922f84", "id": 2}, {"snippet": "If either SSA or OPM experiences an incident involving the loss or breach of PII provided by SSA or OPM under the terms of this agreement, that agency will follow the incident reporting guidelines issued by OMB. In the event of a reportable incident under OMB guidance involving PII, the agency experiencing the incident is responsible for following its established procedures, including notification to the proper organizations (e.g., United States Computer Emergency Readiness Team and the agency\u2019s privacy office). In addition, the agency experiencing the incident (e.g., electronic or paper) will notify the other agency\u2019s Systems Security Contact named in this agreement. If OPM is unable to speak with the SSA Systems Security Contact within one hour, or if for some other reason notifying the SSA Security Systems Contact is not practicable (e.g., it is outside of the normal business hours), OPM will call SSA\u2019s National Network Service Center toll free at \u2587-\u2587\u2587\u2587-\u2587\u2587\u2587-\u2587\u2587\u2587\u2587. Within one hour of becoming aware of a possible incident involving OPM provided PII, SSA will contact OPM IT Security Operations: \u2587\u2587\u2587\u2587\u2587\u2587\u2587\u2587\u2587\u2587\u2587\u2587\u2587\u2587@\u2587\u2587\u2587.\u2587\u2587\u2587; \u2587\u2587\u2587-\u2587\u2587\u2587-\u2587\u2587\u2587\u2587.", "snippet_links": [{"key": "breach-of", "type": "clause", "offset": [67, 76]}, {"key": "terms-of-this-agreement", "type": "clause", "offset": [114, 137]}, {"key": "agency-will", "type": "clause", "offset": [144, 155]}, {"key": "reporting-guidelines", "type": "definition", "offset": [176, 196]}, {"key": "issued-by", "type": "clause", "offset": [197, 206]}, {"key": "in-the-event-of-a", "type": "clause", "offset": [212, 229]}, {"key": "reportable-incident", "type": "definition", "offset": [230, 249]}, {"key": "the-agency", "type": "clause", "offset": [284, 294]}, {"key": "responsible-for", "type": "clause", "offset": [324, 339]}, {"key": "established-procedures", "type": "clause", "offset": [354, 376]}, {"key": "notification-to", "type": "clause", "offset": [388, 403]}, {"key": "united-states", "type": "definition", "offset": [436, 449]}, {"key": "privacy-office", "type": "definition", "offset": [501, 515]}, {"key": "in-addition", "type": "clause", "offset": [518, 529]}, {"key": "notify-the", "type": "clause", "offset": [601, 611]}, {"key": "other-agency", "type": "clause", "offset": [612, 624]}, {"key": "systems-security-contact", "type": "clause", "offset": [627, 651]}, {"key": "in-this-agreement", "type": "definition", "offset": [658, 675]}, {"key": "one-hour", "type": "definition", "offset": [748, 756]}, {"key": "other-reason", "type": "clause", "offset": [773, 785]}, {"key": "security-systems", "type": "clause", "offset": [804, 820]}, {"key": "normal-business-hours", "type": "clause", "offset": [876, 897]}, {"key": "service-center", "type": "clause", "offset": [937, 951]}, {"key": "toll-free", "type": "definition", "offset": [952, 961]}, {"key": "security-operations", "type": "clause", "offset": [1090, 1109]}], "size": 9, "samples": [{"hash": "iFe4yPLrKB6", "uri": "/contracts/iFe4yPLrKB6#loss-reporting", "label": "Computer Matching Agreement", "score": 26.0102672577, "published": true}, {"hash": "2y2FqnmM6h0", "uri": "/contracts/2y2FqnmM6h0#loss-reporting", "label": "Computer Matching Agreement", "score": 24.7549629211, "published": true}], "hash": "0cc2b8cf13a15e662b5415152588e6cc", "id": 3}, {"snippet": "The Broker must submit a Claim and loss summary report annually to the Department\u2019s Contract Manager. The Department reserves the right to request loss runs at any time during the policy period.", "snippet_links": [{"key": "the-broker-must", "type": "clause", "offset": [0, 15]}, {"key": "summary-report", "type": "definition", "offset": [40, 54]}, {"key": "the-department", "type": "clause", "offset": [67, 81]}, {"key": "contract-manager", "type": "clause", "offset": [84, 100]}, {"key": "right-to-request", "type": "clause", "offset": [130, 146]}, {"key": "at-any-time", "type": "clause", "offset": [157, 168]}, {"key": "policy-period", "type": "clause", "offset": [180, 193]}], "size": 8, "samples": [{"hash": "jDAJb1cNH9k", "uri": "/contracts/jDAJb1cNH9k#loss-reporting", "label": "Government Crime Insurance Contract", "score": 26.7686500549, "published": true}, {"hash": "73MuweQiBJU", "uri": "/contracts/73MuweQiBJU#loss-reporting", "label": "Commercial Automobile Insurance Contract", "score": 26.4648017883, "published": true}, {"hash": "dkuCBcXxZN9", "uri": "/contracts/dkuCBcXxZN9#loss-reporting", "label": "Contract for Commercial Automobile Insurance", "score": 26.3529090881, "published": true}], "hash": "dde57d875e4c0754c8f0d97f5a0f09df", "id": 4}, {"snippet": "If either SSA or VA experiences an incident involving the loss or breach of PII provided by SSA or VA under the terms of this agreement, they will follow the incident reporting guidelines issued by OMB. In the event of a reportable incident under OMB guidance involving PII, the agency experiencing the incident is responsible for following its established procedures, including notification to the proper organizations (e.g., United States Computer Emergency Readiness Team and the agency\u2019s privacy office). In addition, the agency experiencing the incident (e.g., electronic or paper) will notify the other agency\u2019s Information Security Contact named in this agreement. If VA is unable to speak with the SSA Information Security Contact within one hour or if for some other reason notifying the SSA Information Security Contact is not practicable (e.g., it is outside of the normal business hours), VA will call SSA\u2019s National Network Service Center toll free at \u2587-\u2587\u2587\u2587-\u2587\u2587\u2587-\u2587\u2587\u2587\u2587. If SSA is unable to speak with VA\u2019s Information Security Contact within one hour, SSA will contact the VA Network and Security Operations Center at \u2587-\u2587\u2587\u2587-\u2587\u2587\u2587-\u2587\u2587\u2587\u2587, Option 6 then Option 4.", "snippet_links": [{"key": "breach-of", "type": "clause", "offset": [66, 75]}, {"key": "terms-of-this-agreement", "type": "clause", "offset": [112, 135]}, {"key": "reporting-guidelines", "type": "definition", "offset": [167, 187]}, {"key": "issued-by", "type": "clause", "offset": [188, 197]}, {"key": "in-the-event-of-a", "type": "clause", "offset": [203, 220]}, {"key": "reportable-incident", "type": "definition", "offset": [221, 240]}, {"key": "the-agency", "type": "clause", "offset": [275, 285]}, {"key": "responsible-for", "type": "clause", "offset": [315, 330]}, {"key": "established-procedures", "type": "clause", "offset": [345, 367]}, {"key": "notification-to", "type": "clause", "offset": [379, 394]}, {"key": "united-states", "type": "definition", "offset": [427, 440]}, {"key": "privacy-office", "type": "definition", "offset": [492, 506]}, {"key": "in-addition", "type": "clause", "offset": [509, 520]}, {"key": "notify-the", "type": "clause", "offset": [592, 602]}, {"key": "other-agency", "type": "clause", "offset": [603, 615]}, {"key": "information-security-contact", "type": "clause", "offset": [618, 646]}, {"key": "in-this-agreement", "type": "definition", "offset": [653, 670]}, {"key": "one-hour", "type": "definition", "offset": [746, 754]}, {"key": "other-reason", "type": "clause", "offset": [770, 782]}, {"key": "normal-business-hours", "type": "clause", "offset": [877, 898]}, {"key": "va-will", "type": "clause", "offset": [901, 908]}, {"key": "service-center", "type": "clause", "offset": [937, 951]}, {"key": "toll-free", "type": "definition", "offset": [952, 961]}, {"key": "security-operations-center", "type": "clause", "offset": [1099, 1125]}, {"key": "option-6", "type": "definition", "offset": [1145, 1153]}, {"key": "option-4", "type": "definition", "offset": [1159, 1167]}], "size": 6, "samples": [{"hash": "aCaePHuf6MZ", "uri": "/contracts/aCaePHuf6MZ#loss-reporting", "label": "Computer Matching Agreement", "score": 23.7926082611, "published": true}], "hash": "ea9efd08650234c5cd9d1b08688efc86", "id": 5}, {"snippet": "If either agency experiences a loss of PII provided by the other under the terms of this agreement, that agency will follow OMB loss reporting guidelines (OMB M-17-12 \"Preparing for and Responding to a Breach of Personally Identifiable Information\") and notify the United States Computer Emergency Readiness Team (US- CERT) within one (1) hour of discovering the incident. In addition, they will immediately notify the other agency's Information Security Programs Section (BOP: \u2587\u2587\u2587-\u2587\u2587\u2587-\u2587\u2587\u2587\u2587 or \u2587\u2587\u2587-\u2587\u2587\u2587-\u2587\u2587\u2587\u2587; VA contact person named in this agreement) in the event of any actual or suspected breach of such data (i.e., Loss of control, compromise, unauthorized disclosure, access for an unauthorized purpose, or other unauthorized access, whether physical or electronic). If within one (1) hour VA has been unable to make a report to the BOP contact(s) named herein, VA will call the DOJ Computer Emergency Readiness Team (DOJCERT) at 1-866-US4-CERT (1-866-874- 2378) and make the report. If within one (1) hour BOP has been unable to make a report to the VA contact named herein, BOP will call the VA Enterprise Service Desk at \u2587\u2587\u2587-\u2587\u2587\u2587-\u2587\u2587\u2587\u2587 and make the report.", "snippet_links": [{"key": "terms-of-this-agreement", "type": "clause", "offset": [75, 98]}, {"key": "agency-will", "type": "clause", "offset": [105, 116]}, {"key": "reporting-guidelines", "type": "definition", "offset": [133, 153]}, {"key": "preparing-for", "type": "definition", "offset": [168, 181]}, {"key": "responding-to", "type": "clause", "offset": [186, 199]}, {"key": "breach-of-personally-identifiable-information", "type": "clause", "offset": [202, 247]}, {"key": "the-united-states", "type": "definition", "offset": [261, 278]}, {"key": "in-addition", "type": "clause", "offset": [373, 384]}, {"key": "other-agency", "type": "clause", "offset": [419, 431]}, {"key": "security-programs", "type": "definition", "offset": [446, 463]}, {"key": "contact-person", "type": "clause", "offset": [511, 525]}, {"key": "in-this-agreement", "type": "definition", "offset": [532, 549]}, {"key": "in-the-event-of", "type": "definition", "offset": [551, 566]}, {"key": "suspected-breach", "type": "definition", "offset": [581, 597]}, {"key": "loss-of-control", "type": "definition", "offset": [618, 633]}, {"key": "unauthorized-disclosure", "type": "definition", "offset": [647, 670]}, {"key": "unauthorized-purpose", "type": "definition", "offset": [686, 706]}, {"key": "unauthorized-access", "type": "clause", "offset": [717, 736]}, {"key": "report-to", "type": "clause", "offset": [823, 832]}, {"key": "va-will", "type": "clause", "offset": [866, 873]}, {"key": "the-report", "type": "clause", "offset": [976, 986]}, {"key": "service-desk", "type": "clause", "offset": [1112, 1124]}], "size": 5, "samples": [{"hash": "bwc60uFJ4Pl", "uri": "/contracts/bwc60uFJ4Pl#loss-reporting", "label": "Computer Matching Agreement", "score": 24.4715938568, "published": true}, {"hash": "gIhRN5l0b6y", "uri": "/contracts/gIhRN5l0b6y#loss-reporting", "label": "Computer Matching Agreement", "score": 24.3223819733, "published": true}], "hash": "81b78962bf47af5d5bddf95c23e70f0a", "id": 6}, {"snippet": "If either SSA or VA/VHA experiences an incident involving the loss or breach of PII provided by SSA or VA/VHA under the terms of this agreement, they will follow the incident reporting guidelines issued by OMB. In the event of a reportable incident under OMB guidance involving PII, the agency experiencing the incident is responsible for following its established procedures, including notification to the proper organizations (e.g., United States Computer Emergency Readiness Team, the agency\u2019s privacy office). In addition, the agency experiencing the incident (e.g., electronic or paper) will notify the other agency\u2019s Systems Security Contact named in this agreement. If VA/VHA is unable to speak with the SSA Systems Security Contact within one hour or if for some other reason notifying the SSA Systems Security Contact is not practicable (e.g., it is outside of the normal business hours), VA/VHA will call SSA\u2019s National Network Service Center toll free at \u2587-\u2587\u2587\u2587-\u2587\u2587\u2587-\u2587\u2587\u2587\u2587. If SSA is unable to speak with VA/VHA\u2019s Systems Security Contact within one hour, SSA will contact the VA/VHA Situation Room at (\u2587\u2587\u2587) \u2587\u2587\u2587-\u2587\u2587\u2587\u2587.", "snippet_links": [{"key": "breach-of", "type": "clause", "offset": [70, 79]}, {"key": "terms-of-this-agreement", "type": "clause", "offset": [120, 143]}, {"key": "reporting-guidelines", "type": "definition", "offset": [175, 195]}, {"key": "issued-by", "type": "clause", "offset": [196, 205]}, {"key": "in-the-event-of-a", "type": "clause", "offset": [211, 228]}, {"key": "reportable-incident", "type": "definition", "offset": [229, 248]}, {"key": "the-agency", "type": "clause", "offset": [283, 293]}, {"key": "responsible-for", "type": "clause", "offset": [323, 338]}, {"key": "established-procedures", "type": "clause", "offset": [353, 375]}, {"key": "notification-to", "type": "clause", "offset": [387, 402]}, {"key": "united-states", "type": "definition", "offset": [435, 448]}, {"key": "privacy-office", "type": "definition", "offset": [497, 511]}, {"key": "in-addition", "type": "clause", "offset": [514, 525]}, {"key": "notify-the", "type": "clause", "offset": [597, 607]}, {"key": "other-agency", "type": "clause", "offset": [608, 620]}, {"key": "systems-security-contact", "type": "clause", "offset": [623, 647]}, {"key": "in-this-agreement", "type": "definition", "offset": [654, 671]}, {"key": "one-hour", "type": "definition", "offset": [747, 755]}, {"key": "other-reason", "type": "clause", "offset": [771, 783]}, {"key": "normal-business-hours", "type": "clause", "offset": [874, 895]}, {"key": "service-center", "type": "clause", "offset": [938, 952]}, {"key": "toll-free", "type": "definition", "offset": [953, 962]}], "size": 4, "samples": [{"hash": "75FabZ219Yq", "uri": "/contracts/75FabZ219Yq#loss-reporting", "label": "Computer Matching Agreement", "score": 24.4113616943, "published": true}, {"hash": "9ZvNrUvD2ly", "uri": "/contracts/9ZvNrUvD2ly#loss-reporting", "label": "Computer Matching Agreement", "score": 24.3237514496, "published": true}], "hash": "1d87f3c797a2770a5eb8aee679db8849", "id": 7}, {"snippet": "If either SSA or Fiscal Service experiences an incident involving the loss or breach of PII provided by SSA or Fiscal Service under the terms of this agreement, they will follow the incident reporting guidelines issued by OMB. In the event of a reportable incident under OMB guidance involving PII, the agency experiencing the incident is responsible for following its established procedures, including notification to the proper organizations (e.g., United States Computer Emergency Readiness Team and the agency\u2019s privacy office). In addition, the agency experiencing the incident (e.g., electronic or paper) will notify the other agency\u2019s Systems Security Contact named in this agreement. If Fiscal Service is unable to speak with the SSA Systems Security Contact within one hour or if for some other reason notifying the SSA Systems Security Contact is not practicable (e.g., it is outside of the normal business hours), Fiscal Service will call SSA\u2019s National Network Service Center toll free at \u2587-\u2587\u2587\u2587-\u2587\u2587\u2587-\u2587\u2587\u2587\u2587. If SSA is unable to speak with Fiscal Service\u2019s Systems Security Contact within one hour, SSA will contact Fiscal Service IT Service Desk at (\u2587\u2587\u2587) \u2587\u2587\u2587-\u2587\u2587\u2587\u2587.", "snippet_links": [{"key": "fiscal-service", "type": "definition", "offset": [17, 31]}, {"key": "breach-of", "type": "clause", "offset": [78, 87]}, {"key": "terms-of-this-agreement", "type": "clause", "offset": [136, 159]}, {"key": "reporting-guidelines", "type": "definition", "offset": [191, 211]}, {"key": "issued-by", "type": "clause", "offset": [212, 221]}, {"key": "in-the-event-of-a", "type": "clause", "offset": [227, 244]}, {"key": "reportable-incident", "type": "definition", "offset": [245, 264]}, {"key": "the-agency", "type": "clause", "offset": [299, 309]}, {"key": "responsible-for", "type": "clause", "offset": [339, 354]}, {"key": "established-procedures", "type": "clause", "offset": [369, 391]}, {"key": "notification-to", "type": "clause", "offset": [403, 418]}, {"key": "united-states", "type": "definition", "offset": [451, 464]}, {"key": "privacy-office", "type": "definition", "offset": [516, 530]}, {"key": "in-addition", "type": "clause", "offset": [533, 544]}, {"key": "notify-the", "type": "clause", "offset": [616, 626]}, {"key": "other-agency", "type": "clause", "offset": [627, 639]}, {"key": "systems-security-contact", "type": "clause", "offset": [642, 666]}, {"key": "in-this-agreement", "type": "definition", "offset": [673, 690]}, {"key": "one-hour", "type": "definition", "offset": [774, 782]}, {"key": "other-reason", "type": "clause", "offset": [798, 810]}, {"key": "normal-business-hours", "type": "clause", "offset": [901, 922]}, {"key": "service-center", "type": "clause", "offset": [973, 987]}, {"key": "toll-free", "type": "definition", "offset": [988, 997]}, {"key": "service-desk", "type": "clause", "offset": [1142, 1154]}], "size": 4, "samples": [{"hash": "9uaxbuoj7rJ", "uri": "/contracts/9uaxbuoj7rJ#loss-reporting", "label": "Computer Matching Agreement", "score": 32.1992034912, "published": true}, {"hash": "5zfGI11SKo0", "uri": "/contracts/5zfGI11SKo0#loss-reporting", "label": "Computer Matching Agreement", "score": 24.4989738464, "published": true}], "hash": "130d1b0db8e7502507298e4cb85a5bbf", "id": 8}, {"snippet": "ENTITY shall immediately notify DHHS Information Security and Program Manager, via the email addresses provided in this Agreement, of any information security events, Incidents, or Breaches this includes a confidential information breach, or suspected breach, which affects or includes any State of New Hampshire systems that connect to the State of New Hampshire network. ENTITY shall further handle and report incidents and breaches involving PHI in accordance with the agency\u2019s documented incident handling and breach notification procedures and in accordance with HIPAA, and 42 C.F.R. \u00a7\u00a7 431.300 - 306. In addition to, and notwithstanding, ENTITY\u2019s compliance with all applicable obligations and procedures. ENTITY\u2019s procedures shall also address how ENTITY shall: Identify Incidents; Determine if personally identifiable information is involved in any Incidents; Report suspected or confirmed Incidents as required by this Agreement and in the EUA; Identify and convene a core response group within ENTITY\u2019s organization to determine the risk level of Incidents and determine risk-based mitigation and responses to Incidents; Determine whether Breach notification is required, and, if so, identify appropriate Breach notification methods, timing, source, and contents from among different options, and bear costs associated with the Breach notice as well as any mitigation measures; and Address and report Incidents, and or breaches that implicate personal information to DHHS in accordance with timing provisions of NH RSA 359-C:20 and this Agreement. If a suspected or known incident, breach involves Social Security Administration (SSA) provided data, Internal Revenue Services (IRS) provided data, or Federal Tax Information (FTI), then ENTITY shall notify DHHS Information Security without delay. In the event of any security breach, ENTITY shall make efforts to investigate the causes of the breach, promptly take measures to prevent future breach, and minimize any damage or loss resulting from the breach. The State shall recover from ENTITY all costs of response and recovery from the breach, including but not limited to: credit monitoring services, mailing costs and costs associated with website and telephone call center services necessary due to the breach.", "snippet_links": [{"key": "security-and", "type": "clause", "offset": [49, 61]}, {"key": "program-manager", "type": "clause", "offset": [62, 77]}, {"key": "email-addresses", "type": "clause", "offset": [87, 102]}, {"key": "in-this-agreement", "type": "definition", "offset": [112, 129]}, {"key": "security-events", "type": "clause", "offset": [150, 165]}, {"key": "confidential-information-breach", "type": "definition", "offset": [206, 237]}, {"key": "suspected-breach", "type": "definition", "offset": [242, 258]}, {"key": "state-of", "type": "clause", "offset": [290, 298]}, {"key": "new-hampshire", "type": "definition", "offset": [299, 312]}, {"key": "incidents-and-breaches", "type": "clause", "offset": [412, 434]}, {"key": "in-accordance-with", "type": "definition", "offset": [449, 467]}, {"key": "the-agency", "type": "clause", "offset": [468, 478]}, {"key": "incident-handling", "type": "clause", "offset": [492, 509]}, {"key": "notification-procedures", "type": "clause", "offset": [521, 544]}, {"key": "in-addition-to", "type": "clause", "offset": [607, 621]}, {"key": "compliance-with", "type": "clause", "offset": [653, 668]}, {"key": "applicable-obligations", "type": "definition", "offset": [673, 695]}, {"key": "and-procedures", "type": "clause", "offset": [696, 710]}, {"key": "personally-identifiable-information", "type": "clause", "offset": [802, 837]}, {"key": "by-this-agreement", "type": "clause", "offset": [920, 937]}, {"key": "risk-level", "type": "definition", "offset": [1043, 1053]}, {"key": "determine-whether", "type": "clause", "offset": [1131, 1148]}, {"key": "notification-methods", "type": "clause", "offset": [1222, 1242]}, {"key": "associated-with", "type": "definition", "offset": [1318, 1333]}, {"key": "breach-notice", "type": "clause", "offset": [1338, 1351]}, {"key": "mitigation-measures", "type": "definition", "offset": [1367, 1386]}, {"key": "and-address", "type": "definition", "offset": [1388, 1399]}, {"key": "personal-information", "type": "definition", "offset": [1453, 1473]}, {"key": "provisions-of", "type": "clause", "offset": [1508, 1521]}, {"key": "social-security-administration", "type": "definition", "offset": [1608, 1638]}, {"key": "provided-data", "type": "definition", "offset": [1645, 1658]}, {"key": "internal-revenue", "type": "definition", "offset": [1660, 1676]}, {"key": "federal-tax-information", "type": "clause", "offset": [1710, 1733]}, {"key": "without-delay", "type": "definition", "offset": [1792, 1805]}, {"key": "in-the-event-of", "type": "definition", "offset": [1807, 1822]}, {"key": "security-breach", "type": "clause", "offset": [1827, 1842]}, {"key": "measures-to", "type": "clause", "offset": [1925, 1936]}, {"key": "damage-or-loss", "type": "definition", "offset": [1977, 1991]}, {"key": "resulting-from-the", "type": "clause", "offset": [1992, 2010]}, {"key": "the-state-shall", "type": "clause", "offset": [2019, 2034]}, {"key": "costs-of", "type": "definition", "offset": [2059, 2067]}, {"key": "not-limited", "type": "clause", "offset": [2121, 2132]}, {"key": "credit-monitoring-services", "type": "clause", "offset": [2137, 2163]}, {"key": "call-center-services", "type": "definition", "offset": [2227, 2247]}], "size": 3, "samples": [{"hash": "j0z8WCXwwZV", "uri": "/contracts/j0z8WCXwwZV#loss-reporting", "label": "Data Sharing Agreement", "score": 26.38945961, "published": true}], "hash": "032523401b9e8a31eb456ea4efb8eb65", "id": 9}, {"snippet": "The Parties must notify NH DoIT Help Desk, via the email provided in this MOU, and their respective Information Security Officers and Privacy Officers of any information security events, Computer Security Incidents, Incidents, or Breaches immediately once the Board has determined that the aforementioned has occurred and that Confidential Data may have been exposed or compromised. In addition to notifying NH-CIC, security incidents and/or Breaches that implicate PII must be addressed and reported, as applicable, in accordance with NH RSA 359-C:20. If a suspected or known information security event, Computer Security Incident, Incident or Breach involves Social Security Administration (SSA) provided data, Criminal Justice Information (CJI) or Internal Revenue Services (IRS) provided Federal Tax Information (FTI) then the Agency/Partner must notify DHH Information Security immediately (without delay) of any security breaches or loss of Confidential Data at the time that the Board learns of their occurrence.", "snippet_links": [{"key": "the-parties", "type": "definition", "offset": [0, 11]}, {"key": "help-desk", "type": "definition", "offset": [32, 41]}, {"key": "this-mou", "type": "definition", "offset": [69, 77]}, {"key": "security-officers", "type": "clause", "offset": [112, 129]}, {"key": "privacy-officers", "type": "definition", "offset": [134, 150]}, {"key": "security-events", "type": "clause", "offset": [170, 185]}, {"key": "security-incidents", "type": "clause", "offset": [196, 214]}, {"key": "the-board", "type": "clause", "offset": [256, 265]}, {"key": "confidential-data", "type": "clause", "offset": [327, 344]}, {"key": "in-addition-to", "type": "clause", "offset": [383, 397]}, {"key": "in-accordance-with", "type": "definition", "offset": [517, 535]}, {"key": "information-security-event", "type": "definition", "offset": [577, 603]}, {"key": "computer-security-incident", "type": "definition", "offset": [605, 631]}, {"key": "social-security-administration", "type": "definition", "offset": [661, 691]}, {"key": "provided-data", "type": "definition", "offset": [698, 711]}, {"key": "criminal-justice-information", "type": "clause", "offset": [713, 741]}, {"key": "internal-revenue", "type": "definition", "offset": [751, 767]}, {"key": "federal-tax-information", "type": "clause", "offset": [792, 815]}, {"key": "the-agency", "type": "clause", "offset": [827, 837]}, {"key": "without-delay", "type": "definition", "offset": [896, 909]}, {"key": "security-breaches", "type": "definition", "offset": [918, 935]}, {"key": "loss-of", "type": "clause", "offset": [939, 946]}, {"key": "at-the-time", "type": "clause", "offset": [965, 976]}], "size": 2, "samples": [{"hash": "8xPNRVBkaIr", "uri": "/contracts/8xPNRVBkaIr#loss-reporting", "label": "Memorandum of Understanding", "score": 33.6597595215, "published": true}, {"hash": "5nfrryvQ9vX", "uri": "/contracts/5nfrryvQ9vX#loss-reporting", "label": "Memorandum of Understanding", "score": 27.4928131104, "published": true}], "hash": "7bc10eaaddbb8ca200777c44e824ed58", "id": 10}], "next_curs": "ClcSUWoVc35sYXdpbnNpZGVyY29udHJhY3RzcjMLEhZDbGF1c2VTbmlwcGV0R3JvdXBfdjU2Ihdsb3NzLXJlcG9ydGluZyMwMDAwMDAwYQyiAQJlbhgAIAA=", "clause": {"parents": [["security-procedures", "Security Procedures"], ["contract-management", "Contract Management"], ["miscellaneous", "Miscellaneous"], ["procedures-for-security", "PROCEDURES FOR SECURITY"], ["justification-and-anticipated-results", "Justification and Anticipated Results"]], "title": "Loss Reporting", "children": [], "size": 133, "id": "loss-reporting", "related": [["progress-reporting", "Progress Reporting", "Progress Reporting"], ["monthly-reporting", "Monthly Reporting", "Monthly Reporting"], ["adverse-event-reporting", "Adverse Event Reporting", "Adverse Event Reporting"], ["sales-reporting", "Sales Reporting", "Sales Reporting"], ["status-reports", "Status Reports", "Status Reports"]], "related_snippets": [], "updated": "2025-07-23T06:00:56+00:00"}, "json": true, "cursor": ""}}