Common use of Data Privacy and Security Clause in Contracts

Data Privacy and Security. Contractor acknowledges that in the course of providing services under this Agreement, Contractor may receive information or be granted access to restricted University information including, but not limited to, personally-identifiable information, student records, protected health information or individual financial information (collectively, Protected Information) of the students, employees, customers and/or donors of the University. Protected Information can include any information that (i) identifies or can be used to identify an individual (including, without limitation, names, signatures, addresses, telephone numbers, e-mail addresses, images and other unique identifiers); or (ii) can be used to authenticate an individual (including, without limitation, employee identification numbers, government-issued identification numbers, passwords or PINs, financial account numbers, credit report information, biometric or health data, answers to security questions and other personal identifiers). Contractor represents and warrants that its collection, access, use, storage, disposal and disclosure of University Protected Information complies with all applicable federal and state legal and regulatory requirements including, but not limited to, the Family Educational Rights and Privacy Act ("FERPA") of 1974 (20 U.S.C. § 1232g; 34 CFR Part 99), the Gramm-Leach-Bliley Act ("GLBA") (15 U.S.C. §§ 6801(b) and 6805(b)(2)), the Federal Trade Commission Safeguards Rule (16 CFR § 314), the Health Information Portability and Accountability Act ("HIPAA") (45 CFR Parts 160 and 164), Payment Card Industries Data Security Standard (PCI-DSS), and Tennessee Data Breach Law (Tenn. Code Ann. § 47–18–2107).
Contractor agrees that any University Protected Information provided under the Agreement shall be used only and exclusively to support the service and service execution and not for any other purpose, unless such other use is subsequently specifically agreed to in writing by both parties. Contractor further agrees that it will take all reasonable steps to ensure that its employees or subcontractors who have access to University Protected Information shall not copy, disclose or transmit any of the Protected Information to any third party except as necessary to perform the services under this Agreement. Contractor agrees that it will protect the University Protected Information it receives according to commercially acceptable standards and no less rigorously than it protects its own confidential information. Specifically, the Contractor shall implement, maintain, and use appropriate administrative, technical, and physical security measures, which may include but not be limited to encryption techniques, to preserve the confidentiality, integrity, and availability of all electronically managed Protected Information. Contractor shall ensure that such security measures are regularly reviewed and revised to address evolving threats and vulnerabilities. Contractor agrees that any and all University Protected Information will be stored, processed, and maintained solely on designated target servers and that no University Protected Information at any time will be processed on or transferred to any portable or laptop computing device or any portable storage medium, unless that storage medium is in use as part of the Contractor’s designated backup and recovery processes. Contractor agrees that any and all electronic transmission or exchange of University Protected Information shall be encrypted during transport.
Any transmission, transport or storage of University Protected Information to data centers outside of the United States is prohibited without prior written authorization from the University. Contractor shall implement an Information Security Program throughout the term of this Agreement as required by 16 CFR § 314, for all University Protected Information obtained by or provided to Contractor pursuant to this Agreement, and provide details of said program upon University request. Contractor, upon request of the University, will provide the University with the Contractor’s most current SOC 2 report, or any other comparable information security assessment report for Contractor’s operations or the operations of any of the Contractor’s third party providers. For the purposes of this Agreement, a Security Incident shall be defined as any reasonably suspected unauthorized access to any system, server or database, or any other unauthorized access, acquisition, use, or disclosure of Protected Information occurring on systems under Contractor’s control. In the event that a Security Incident occurs, Contractor shall:

Appears in 7 contracts
