Common use of Security Breaches; Security Breach Reporting Clause in Contracts

Security Breaches; Security Breach Reporting. To the extent the Contractor or its subcontractors, affiliates or agents handles, collects, stores, disseminates or otherwise deals with State Data, the Contractor acknowledges that in the performance of its obligations under this Contract, it will be a “data collector” pursuant to Chapter 62 of Title 9 of the Vermont Statutes (9 V.S.A. §2430(3)). The Contractor shall have policies and procedures in place for the effective management of Security Breaches, as defined below. In addition to the requirements set forth in any applicable Business Associate Agreement as may be attached to this Contract, in the event of any actual security breach or reasonable belief of an actual security breach the Contractor either suffers or learns of that either compromises or could compromise State Data (including, as applicable, PII, PHI or ePHI) in any format or media, whether encrypted or unencrypted (for example, but not limited to: physical trespass on a secure facility; intrusion or hacking or other brute force attack on any State environment; loss or theft of a PC, laptop, desktop, tablet, smartphone, removable data storage device or other portable device; loss or theft of printed materials; or failure of security policies) (collectively, a “Security Breach”), the Contractor shall immediately determine the nature and extent of the Security Breach, contain the incident by stopping the unauthorized practice, recover records, shut down the system that was breached, revoke access and/or correct weaknesses in physical security. Contractor shall analyze and document the incident and provide the required notices, as set forth below. In accordance with Section 9 V.S.A. §2435(b)(3), the Contractor shall notify the Office of the Attorney General, or in the case of a Security Breach by a data collector regulated by the Vermont Department of Financial Regulation (“DFR”), DFR, within fourteen (14) business days of the Contractor’s discovery of the Security Breach. The notice shall provide a preliminary description of the breach. The foregoing notice requirement shall be included in the subcontracts of any of Contractor’s subcontractors, affiliates or agents which may be “data collectors” hereunder. Except to the extent delayed upon request of law enforcement in accordance with 9 V.S.A. §2435(b)(4), within thirty days of the Security Breach or when the Contractor provides notice to consumers pursuant to this Contract, whichever is sooner, the Contractor shall report to the State: (i) the nature of the Security Breach; (ii) the State Data used or disclosed; (iii) who made the unauthorized use or received the unauthorized disclosure; (iv) what the Contractor has done or shall do to mitigate any deleterious effect of the unauthorized use or disclosure; and (v) what corrective action the Contractor has taken or shall take to prevent future similar unauthorized use or disclosure. The Contractor shall provide such other information, including a written report, as reasonably requested by the State. The Contractor agrees to comply with all applicable laws, as such laws may be amended from time to time (including, but not limited to, Chapter 62 of Title 9 of the Vermont Statutes and all applicable State and federal laws, rules or regulations) that require notification in the event of unauthorized release of personally-identifiable information or other event requiring notification. Further, the Contractor agrees to fully cooperate with the State, assume responsibility for such notice if the State determines it to be appropriate under the circumstances of any particular Security Breach, and assume all costs associated with a Security Breach, including but not limited to, notice, outside investigation and Services (including mailing, call center, forensics, counsel and/or crisis management), and/or credit monitoring, in the sole determination of the State. In addition to any other indemnification obligations in this Contract, the Contractor shall fully indemnify and save harmless the State from any costs, loss or damage to the State resulting from a Security Breach or the unauthorized disclosure of State Data by the Contractor, its officers, agents, employees, and subcontractors.

Security Breaches; Security Breach Reporting. To the extent the Contractor or its subcontractors, affiliates or agents handles, collects, stores, disseminates or otherwise deals with State Data, the Contractor acknowledges that in the performance of its obligations under this Contract, it will be a “data collector” pursuant to Chapter 62 of Title 9 of the Vermont Statutes (9 V.S.A. §2430(3)). The Contractor shall have policies and procedures in place for the effective management of Security Breaches, as defined below. In addition to the requirements set forth in any applicable Business Associate Agreement as may be attached to this Contract, in the event of any actual security breach or reasonable belief of an actual security breach the Contractor either suffers or learns of that either compromises or could compromise State Data (including, as applicable, PII, PHI or ePHI) in any format or media, whether encrypted or unencrypted (for example, but not limited to: physical trespass on a secure facility; intrusion or hacking or other brute force attack on any State environment; loss or theft of a PC, laptop, desktop, tablet, smartphone, removable data storage device or other portable device; loss or theft of printed materials; or failure of security policies) (collectively, a “Security Breach”), the Contractor shall immediately determine the nature and extent of the Security Breach, contain the incident by stopping the unauthorized practice, recover records, shut down the system that was breached, revoke access and/or correct weaknesses in physical security. Contractor shall analyze and document the incident and provide the required notices, as set forth below. In accordance with Section 9 V.S.A. §2435(b)(3), the Contractor shall notify the Office of the Attorney General, or in the case of a Security Breach by a data collector regulated by the Vermont Department of Financial Regulation (“DFR”), DFR, within fourteen (14) business days of the Contractor’s discovery of the Security Breach. The notice shall provide a preliminary description of the breach. The foregoing notice requirement shall be included in the subcontracts of any of Contractor’s subcontractors, affiliates or agents which may be “data collectors” hereunder. Except to the extent delayed upon request of law enforcement in accordance with 9 V.S.A. §2435(b)(4), within thirty days of the Security Breach or when the Contractor provides notice to consumers pursuant to this Contract, whichever is sooner, the Contractor shall report to the State: (i) the nature of the Security Breach; (ii) the State Data used or disclosed; (iii) who made the unauthorized use or received the unauthorized disclosure; (iv) what the Contractor has done or shall do to mitigate any deleterious effect of the unauthorized use or disclosure; and (v) what corrective action the Contractor has taken or shall take to prevent future similar unauthorized use or disclosure. The Contractor shall provide such other information, including a written report, as reasonably requested by the State. The Contractor agrees to comply with all applicable laws, as such laws may be amended from time to time (including, but not limited to, Chapter 62 of Title 9 of the Vermont Statutes and all applicable State and federal laws, rules or regulations) that require notification in the event of unauthorized release of personally-identifiable information or other event requiring notification. Further, the Contractor agrees to fully cooperate with the State, assume responsibility for such notice if the State determines it to be appropriate under the circumstances of any particular Security Breach, and assume all costs associated with a Security Breach, including but not limited to, notice, outside investigation and Services (including mailing, call center, forensics, counsel and/or crisis management), and/or credit monitoring, in the sole determination of the State. In addition to any other indemnification obligations in this Contract, the Contractor shall fully indemnify and save harmless the State from any costs, loss or damage to the State resulting from a Security Breach or the unauthorized disclosure of State Data by the Contractor, its officers, agents, employees, and subcontractors.fourteen

Security Breaches; Security Breach Reporting. To the extent the Contractor or its subcontractors, affiliates or agents handles, collects, stores, disseminates or otherwise deals with State Data, the Contractor acknowledges that in the performance of its obligations under this Contract, it will be a “data collector” pursuant to Chapter 62 of Title 9 of the Vermont Statutes (9 V.S.A. §2430(3)). The Contractor shall have policies and procedures in place for the effective management of Security Breaches, as defined below. In addition to the requirements set forth in any applicable Business Associate Agreement as may be attached to this Contract, in the event of any actual security breach or reasonable belief of an actual security breach the Contractor either suffers or learns of that either compromises or could compromise State Data (including, as applicable, PII, PHI or ePHI) in any format or media, whether encrypted or unencrypted (for example, but not limited to: physical trespass on a secure facility; intrusion or hacking or other brute force attack on any State environment; loss or theft of a PC, laptop, desktop, tablet, smartphone, removable data storage device or other portable device; loss or theft of printed materials; or failure of security policies) (collectively, a “Security Breach”), the Contractor shall immediately determine the nature and extent of the Security Breach, contain the incident by stopping the unauthorized practice, recover records, shut down the system that was breached, revoke access and/or correct weaknesses in physical security. Contractor shall analyze and document the incident and provide the required notices, as set forth below. In accordance with Section 9 V.S.A. §2435(b)(3), the Contractor shall notify the Office of the Attorney General, or in the case of a Security Breach by a data collector regulated by the Vermont Department of Financial Regulation (“DFR”), DFR, within fourteen (14) business days of the Contractor’s discovery of the Security Breach. The notice shall provide a preliminary description of the breach. The foregoing notice requirement shall be included in the subcontracts of any of Contractor’s subcontractors, affiliates or agents which may be “data collectors” hereunder. Except to the extent delayed upon request of law enforcement in accordance with 9 V.S.A. §2435(b)(4), within thirty days of the Security Breach or when the Contractor provides notice to consumers pursuant to this Contract, whichever is sooner, the Contractor shall report to the State: (i) the nature of the Security Breach; (ii) the State Data used or disclosed; (iii) who made the unauthorized use or received the unauthorized disclosure; (iv) what the Contractor has done or shall do to mitigate any deleterious effect of the unauthorized use or disclosure; and (v) what corrective action the Contractor has taken or shall take to prevent future similar unauthorized use or disclosure. The Contractor shall provide such other information, including a written report, as reasonably requested by the State. The Contractor agrees to comply with all applicable laws, as such laws may be amended from time to time (including, but not limited to, Chapter 62 of Title 9 of the Vermont Statutes and all applicable State and federal laws, rules or regulations) that require notification in the event of unauthorized release of personally-identifiable information or other event requiring notification. Further, the Contractor agrees to fully cooperate with the State, assume responsibility for such notice if the State determines it to be appropriate under the circumstances of any particular Security Breach, and assume all costs associated with a Security Breach, including but not limited to, notice, outside investigation and Services services (including mailing, call center, forensics, counsel and/or crisis management), and/or credit monitoring, in the sole determination of the State. In addition to any other indemnification obligations in this Contract, the Contractor shall fully indemnify and save harmless the State from any costs, loss or damage to the State resulting from a Security Breach or the unauthorized disclosure of State Data by the Contractor, its officers, agents, employees, and subcontractors.