Common use of Breach and Security Incident Responsibilities Clause in Contracts

Breach and Security Incident Responsibilities. 24 A. Notification to COUNTY of Breach or Security Incident: The CONTRACTOR shall notify 25 COUNTY immediately by telephone call plus email or fax upon the discovery of a breach (as defined in 26 this Exhibit), and within twenty-four (24) hours by email or fax of the discovery of any security incident 27 (as defined in this Exhibit), unless a law enforcement agency determines that the notification will 28 impede a criminal investigation, in which case the notification required by this section shall be made to 29 COUNTY immediately after the law enforcement agency determines that such notification will not 30 compromise the investigation. Notification shall be provided to the ADMINSITRATOR, 31 ADMINISTRATOR Privacy Officer, and ADMINISTRATOR Information Security Officer, using the 32 contact information listed in Section X.F., below. If the breach or security incident is discovered after 33 business hours or on a weekend or holiday and involves COUNTY PCI in electronic or computerized 34 form, notification to COUNTY shall be provided by calling ADMINISTRATOR Information Security 35 Office at the telephone numbers listed in Section X.F., below. For purposes of this Section, breaches 36 and security incidents shall be treated as discovered by CONTRACTOR as of the first day on which 37 such breach or security incident is known to the CONTRACTOR, or, by exercising reasonable diligence 1 would have been known to the CONTRACTOR. CONTRACTOR shall be deemed to have knowledge 2 of a breach if such breach is known, or by exercising reasonable diligence would have been known, to 3 any person, other than the person committing the breach, who is an employee or agent of the 4 CONTRACTOR. CONTRACTOR shall take: 5 1. prompt corrective action to mitigate any risks or damages involved with the breach or 6 security incident and to protect the operating environment; and 7 2. any action pertaining to a breach required by applicable federal and state laws, including, 8 specifically, California Civil Code section 1798.29. 9 B. Investigation of Breach and Security Incidents: CONTRACTOR shall immediately investigate 10 such breach or security incident. As soon as the information is known and subject to the legitimate needs 11 of law enforcement, CONTRACTOR shall inform ADMINISTRATOR, ADMINISTRATOR Privacy 12 Officer, and the ADMINISTRATOR Information Security Officer of: 13 1. what data elements were involved and the extent of the data disclosure or access involved 14 in the breach, including, specifically, the number of individuals whose personal information was

Breach and Security Incident Responsibilities. 24 A. Notification to COUNTY of Breach or Security Incident: The CONTRACTOR shall notify 25 COUNTY immediately by telephone call plus email or fax upon the discovery of a breach (as defined in 26 this Exhibit), and within twenty-four (24) hours by email or fax of the discovery of any security incident 27 (as defined in this Exhibit), unless a law enforcement agency determines that the notification will impede 28 impede a criminal investigation, in which case the notification required by this section shall be made to COUNTY 29 COUNTY immediately after the law enforcement agency determines that such notification will not 30 compromise the 30 investigation. Notification shall be provided to the ADMINSITRATOR, 31 ADMINISTRATOR Privacy 31 Officer, and ADMINISTRATOR Information Security Officer, using the 32 contact information listed in 32 Section X.F., below. If the breach or security incident is discovered after 33 business hours or on a weekend 33 or holiday and involves COUNTY PCI in electronic or computerized 34 form, notification to COUNTY shall 34 be provided by calling ADMINISTRATOR Information Security 35 Office at the telephone numbers listed 35 in Section X.F., below. For purposes of this Section, breaches 36 and security incidents shall be treated as 36 discovered by CONTRACTOR as of the first day on which 37 such breach or security incident is known to 37 the CONTRACTOR, or, by exercising reasonable diligence 1 would have been known to the 1 CONTRACTOR. CONTRACTOR shall be deemed to have knowledge 2 of a breach if such breach is 2 known, or by exercising reasonable diligence would have been known, to 3 any person, other than the person 3 committing the breach, who is an employee or agent of the 4 CONTRACTOR. CONTRACTOR shall take: 5 4 1. prompt Prompt corrective action to mitigate any risks or damages involved with the breach or 6 security 5 incident and to protect the operating environment; and 7 6 2. any Any action pertaining to a breach required by applicable federal and state laws, including, 8 7 specifically, California Civil Code section 1798.29. 9 8 B. Investigation of Breach and Security Incidents: CONTRACTOR shall immediately investigate 10 9 such breach or security incident. As soon as the information is known and subject to the legitimate needs 11 10 of law enforcement, CONTRACTOR shall inform ADMINISTRATOR, ADMINISTRATOR Privacy 12 11 Officer, and the ADMINISTRATOR Information Security Officer of: 13 12 1. what What data elements were involved and the extent of the data disclosure or access involved 14 in 13 the breach, including, specifically, the number of individuals whose personal information waswas breached; 14 2. A description of the unauthorized persons known or reasonably believed to have improperly 15 used the COUNTY PCI and/or a description of the unauthorized persons known or reasonably believed 16 to have improperly accessed or acquired the COUNTY PCI, or to whom it is known or reasonably believed 17 to have had the COUNTY PCI improperly disclosed to them; 18 3. A description of where the COUNTY PCI is believed to have been improperly used or 19 disclosed; 20 4. A description of the probable and proximate causes of the breach or security incident; and 21 5. Whether Civil Code section 1798.29 or any other federal or state laws requiring individual 22 notifications of breaches have been triggered. 23 C. Written Report: CONTRACTOR shall provide a written report of the investigation to the 24 ADMINISTRATOR, ADMINISTRATOR Privacy Officer, and ADMINISTRATOR Information 25 Security Officer as soon as practicable after the discovery of the breach or security incident. The report 26 shall include, but not be limited to, the information specified above, as well as a complete, detailed 27 corrective action plan, including information on measures that were taken to halt and/or contain the breach 28 or security incident, and measures to be taken to prevent the recurrence or further disclosure of data 29 regarding such breach or security incident.

Breach and Security Incident Responsibilities. 24 A. Notification to COUNTY of Breach or Security Incident: The CONTRACTOR shall notify 25 COUNTY immediately by telephone call plus email or fax upon the discovery of a breach (as defined in 26 this Exhibit), and within twenty-four (24) hours by email or fax of the discovery of any security incident 27 (as defined in this Exhibit), unless a law enforcement agency determines that the notification will 28 impede a criminal investigation, in which case the notification required by this section shall be made to 29 COUNTY immediately after the law enforcement agency determines that such notification will not 30 compromise the investigation. Notification shall be provided to the ADMINSITRATOR, 31 ADMINISTRATOR Privacy Officer, and ADMINISTRATOR Information Security Officer, using the 32 contact information listed in Section X.F., below. If the breach or security incident is discovered after 33 business hours or on a weekend or holiday and involves COUNTY PCI in electronic or computerized 34 form, notification to COUNTY shall be provided by calling ADMINISTRATOR Information Security 35 Office at the telephone numbers listed in Section X.F., below. For purposes of this Section, breaches 36 and security incidents shall be treated as discovered by CONTRACTOR as of the first day on which 37 such breach or security incident is known to the CONTRACTOR, or, by exercising reasonable diligence 1 would have been known to the CONTRACTOR. CONTRACTOR shall be deemed to have knowledge 2 of a breach if such breach is known, or by exercising reasonable diligence would have been known, to 3 any person, other than the person committing the breach, who is an employee or agent of the 4 CONTRACTOR. CONTRACTOR shall take: 5 1. prompt Prompt corrective action to mitigate any risks or damages involved with the breach or 6 security incident and to protect the operating environment; and 7 2. any Any action pertaining to a breach required by applicable federal and state laws, including, 8 specifically, California Civil Code section 1798.29. 9 B. Investigation of Breach and Security Incidents: CONTRACTOR shall immediately investigate 10 such breach or security incident. As soon as the information is known and subject to the legitimate needs 11 of law enforcement, CONTRACTOR shall inform ADMINISTRATOR, ADMINISTRATOR Privacy 12 Officer, and the ADMINISTRATOR Information Security Officer of: 13 1. what What data elements were involved and the extent of the data disclosure or access involved 14 in the breach, including, specifically, the number of individuals whose personal information was

Breach and Security Incident Responsibilities. 24 A. Notification to COUNTY of Breach or Security Incident: The CONTRACTOR shall notify 25 COUNTY immediately by telephone call plus email or fax upon the discovery of a breach (as defined in 26 this Exhibit), and within twenty-four (24) hours by email or fax of the discovery of any security incident 27 (as defined in this Exhibit), unless a law enforcement agency determines that the notification will 28 impede a criminal investigation, in which case the notification required by this section shall be made to 29 COUNTY immediately after the law enforcement agency determines that such notification will not 30 compromise the investigation. Notification shall be provided to the ADMINSITRATOR, 31 ADMINISTRATOR Privacy Officer, and ADMINISTRATOR Information Security Officer, using the 32 contact information listed in Section X.F., below. If the breach or security incident is discovered after 33 business hours or on a weekend or holiday and involves COUNTY PCI in electronic or computerized 34 form, notification to COUNTY shall be provided by calling ADMINISTRATOR Information Security 35 Office at the telephone numbers listed in Section X.F., below. For purposes of this Section, breaches 36 and security incidents shall be treated as discovered by CONTRACTOR as of the first day on which 37 such breach or security incident is known to the CONTRACTOR, or, by exercising reasonable diligence 1 would have been known to the CONTRACTOR. CONTRACTOR shall be deemed to have knowledge 2 of a breach if such breach is known, or by exercising reasonable diligence would have been known, to 3 any person, other than the person committing the breach, who is an employee or agent of the 4 CONTRACTOR. CONTRACTOR shall take: 5 1. prompt corrective action to mitigate any risks or damages involved with the breach or 6 security incident and to protect the operating environment; and 7 2. any action pertaining to a breach required by applicable federal and state laws, including, 8 specifically, California Civil Code section 1798.29. 9 B. Investigation of Breach and Security Incidents: CONTRACTOR shall immediately investigate 10 such breach or security incident. As soon as the information is known and subject to the legitimate needs 11 of law enforcement, CONTRACTOR shall inform ADMINISTRATOR, ADMINISTRATOR Privacy 12 Officer, and the ADMINISTRATOR Information Security Officer of: 13 1. what data elements were involved and the extent of the data disclosure or access involved in 14 in the breach, including, specifically, the number of individuals whose personal information waswas breached; 15 2. a description of the unauthorized persons known or reasonably believed to have improperly 16 used the COUNTY PCI and/or a description of the unauthorized persons known or reasonably believed 17 to have improperly accessed or acquired the COUNTY PCI, or to whom it is known or reasonably 18 believed to have had the COUNTY PCI improperly disclosed to them; 19 3. a description of where the COUNTY PCI is believed to have been improperly used or 20 disclosed; 21 4. a description of the probable and proximate causes of the breach or security incident; and 22 5. whether Civil Code section 1798.29 or any other federal or state laws requiring individual 23 notifications of breaches have been triggered. 24 C. Written Report: CONTRACTOR shall provide a written report of the investigation to the 25 ADMINISTRATOR, ADMINISTRATOR Privacy Officer, and ADMINISTRATOR Information 26 Security Officer as soon as practicable after the discovery of the breach or security incident. The report 27 shall include, but not be limited to, the information specified above, as well as a complete, detailed 28 corrective action plan, including information on measures that were taken to halt and/or contain the 29 breach or security incident, and measures to be taken to prevent the recurrence or further disclosure of 30 data regarding such breach or security incident.

Breach and Security Incident Responsibilities. 24 A. Notification to COUNTY of Breach or Security Incident: The CONTRACTOR shall notify 25 COUNTY immediately by telephone call plus email or fax upon the discovery of a breach (as defined in 26 this Exhibit), and within twenty-four (24) hours by email or fax of the discovery of any security incident 27 (as defined in this Exhibit), unless a law enforcement agency determines that the notification will 28 impede a criminal investigation, in which case the notification required by this section shall be made to 29 COUNTY immediately after the law enforcement agency determines that such notification will not 30 compromise the investigation. Notification shall be provided to the ADMINSITRATORADMINISTRATOR, 31 ADMINISTRATOR Privacy Officer, and ADMINISTRATOR Information Security Officer, using the 32 contact information listed in Section X.F., below. If the breach or security incident is discovered after 33 business hours or on a weekend or holiday and involves COUNTY PCI in electronic or computerized 34 form, notification to COUNTY shall be provided by calling ADMINISTRATOR Information Security 35 Office at the telephone numbers listed in Section X.F., below. For purposes of this Section, breaches 36 and security incidents shall be treated as discovered by CONTRACTOR as of the first day on which 37 such breach or security incident is known to the CONTRACTOR, or, by exercising reasonable diligence 1 would have been known to the CONTRACTOR. CONTRACTOR shall be deemed to have knowledge 2 of a breach if such breach is known, or by exercising reasonable diligence would have been known, to 3 any person, other than the person committing the breach, who is an employee or agent of the 4 CONTRACTOR. CONTRACTOR shall take: 5 1. prompt corrective action to mitigate any risks or damages involved with the breach or 6 security incident and to protect the operating environment; and 7 2. any action pertaining to a breach required by applicable federal and state laws, including, 8 specifically, California Civil Code section 1798.29. 9 B. Investigation of Breach and Security Incidents: CONTRACTOR shall immediately investigate 10 such breach or security incident. As soon as the information is known and subject to the legitimate needs 11 of law enforcement, CONTRACTOR shall inform ADMINISTRATOR, ADMINISTRATOR Privacy 12 Officer, and the ADMINISTRATOR Information Security Officer of: 13 1. what data elements were involved and the extent of the data disclosure or access involved 14 in the breach, including, specifically, the number of individuals whose personal information was

Breach and Security Incident Responsibilities. 24 30 A. Notification to COUNTY of Breach or Security Incident: The CONTRACTOR shall notify 25 31 COUNTY immediately by telephone call plus email or fax upon the discovery of a breach (as defined in 26 32 this Exhibit), and within twenty-four (24) hours by email or fax of the discovery of any security incident 27 33 (as defined in this Exhibit), unless a law enforcement agency determines that the notification will 28 34 impede a criminal investigation, in which case the notification required by this section shall be made to 29 35 COUNTY immediately after the law enforcement agency determines that such notification will not 30 36 compromise the investigation. Notification shall be provided to the ADMINSITRATOR, 31 37 ADMINISTRATOR Privacy Officer, and ADMINISTRATOR Information Security Officer, using the 32 1 contact information listed in Section X.F., below. If the breach or security incident is discovered after 33 2 business hours or on a weekend or holiday and involves COUNTY PCI in electronic or computerized 34 3 form, notification to COUNTY shall be provided by calling ADMINISTRATOR Information Security 35 4 Office at the telephone numbers listed in Section X.F., below. For purposes of this Section, breaches 36 5 and security incidents shall be treated as discovered by CONTRACTOR as of the first day on which 37 6 such breach or security incident is known to the CONTRACTOR, or, by exercising reasonable diligence 1 7 would have been known to the CONTRACTOR. CONTRACTOR shall be deemed to have knowledge 2 8 of a breach if such breach is known, or by exercising reasonable diligence would have been known, to 3 9 any person, other than the person committing the breach, who is an employee or agent of the 4 10 CONTRACTOR. CONTRACTOR shall take: 5 11 1. prompt corrective action to mitigate any risks or damages involved with the breach or 6 12 security incident and to protect the operating environment; and 7 13 2. any action pertaining to a breach required by applicable federal and state laws, including, 8 14 specifically, California Civil Code section 1798.29. 9 15 B. Investigation of Breach and Security Incidents: CONTRACTOR shall immediately investigate 10 16 such breach or security incident. As soon as the information is known and subject to the legitimate needs 11 17 of law enforcement, CONTRACTOR shall inform ADMINISTRATOR, ADMINISTRATOR Privacy 12 18 Officer, and the ADMINISTRATOR Information Security Officer of: 13 19 1. what data elements were involved and the extent of the data disclosure or access involved 14 20 in the breach, including, specifically, the number of individuals whose personal information was

Breach and Security Incident Responsibilities. 24 26 A. Notification to COUNTY of Breach or Security Incident: The CONTRACTOR shall notify 25 27 COUNTY immediately by telephone call plus email or fax upon the discovery of a breach (as defined in 26 28 this Exhibit), and within twenty-four (24) hours by email or fax of the discovery of any security incident 27 29 (as defined in this Exhibit), unless a law enforcement agency determines that the notification will 28 impede 30 a criminal investigation, in which case the notification required by this section shall be made to 29 COUNTY 31 immediately after the law enforcement agency determines that such notification will not 30 compromise the 32 investigation. Notification shall be provided to the ADMINSITRATOR, 31 ADMINISTRATOR Privacy 33 Officer, and ADMINISTRATOR Information Security Officer, using the 32 contact information listed in 34 Section X.F., below. If the breach or security incident is discovered after 33 business hours or on a weekend 35 or holiday and involves COUNTY PCI in electronic or computerized 34 form, notification to COUNTY shall 36 be provided by calling ADMINISTRATOR Information Security 35 Office at the telephone numbers listed 37 in Section X.F., below. For purposes of this Section, breaches 36 and security incidents shall be treated as 1 discovered by CONTRACTOR as of the first day on which 37 such breach or security incident is known to 2 the CONTRACTOR, or, by exercising reasonable diligence 1 would have been known to the 3 CONTRACTOR. CONTRACTOR shall be deemed to have knowledge 2 of a breach if such breach is 4 known, or by exercising reasonable diligence would have been known, to 3 any person, other than the person 5 committing the breach, who is an employee or agent of the 4 CONTRACTOR. CONTRACTOR shall take: 5 6 1. prompt corrective action to mitigate any risks or damages involved with the breach or 6 security 7 incident and to protect the operating environment; and 7 8 2. any action pertaining to a breach required by applicable federal and state laws, including, 8 9 specifically, California Civil Code section 1798.29. 9 10 B. Investigation of Breach and Security Incidents: CONTRACTOR shall immediately investigate 10 11 such breach or security incident. As soon as the information is known and subject to the legitimate needs 11 12 of law enforcement, CONTRACTOR shall inform ADMINISTRATOR, ADMINISTRATOR Privacy 12 13 Officer, and the ADMINISTRATOR Information Security Officer of: 13 14 1. what data elements were involved and the extent of the data disclosure or access involved 14 in 15 the breach, including, specifically, the number of individuals whose personal information waswas breached; 16 2. a description of the unauthorized persons known or reasonably believed to have improperly 17 used the COUNTY PCI and/or a description of the unauthorized persons known or reasonably believed 18 to have improperly accessed or acquired the COUNTY PCI, or to whom it is known or reasonably believed 19 to have had the COUNTY PCI improperly disclosed to them; 20 3. a description of where the COUNTY PCI is believed to have been improperly used or

Breach and Security Incident Responsibilities. 24 A. Notification to COUNTY of Breach or Security Incident: The CONTRACTOR shall notify 25 20 COUNTY immediately by telephone call plus email or fax upon the discovery of a breach (as defined in 26 21 this Exhibit), and within twenty-four (24) hours by email or fax of the discovery of any security incident 27 22 (as defined in this Exhibit), unless a law enforcement agency determines that the notification will 28 23 impede a criminal investigation, in which case the notification required by this section shall be made to 29 24 COUNTY immediately after the law enforcement agency determines that such notification will not 30 25 compromise the investigation. Notification shall be provided to the ADMINSITRATOR, 31 26 ADMINISTRATOR Privacy Officer, and ADMINISTRATOR Information Security Officer, using the 32 27 contact information listed in Section X.F., below. If the breach or security incident is discovered after 33 28 business hours or on a weekend or holiday and involves COUNTY PCI in electronic or computerized 34 29 form, notification to COUNTY shall be provided by calling ADMINISTRATOR Information Security 35 30 Office at the telephone numbers listed in Section X.F., below. For purposes of this Section, breaches 36 31 and security incidents shall be treated as discovered by CONTRACTOR as of the first day on which 37 32 such breach or security incident is known to the CONTRACTOR, or, by exercising reasonable diligence 1 33 would have been known to the CONTRACTOR. CONTRACTOR shall be deemed to have knowledge 2 34 of a breach if such breach is known, or by exercising reasonable diligence would have been known, to 3 35 any person, other than the person committing the breach, who is an employee or agent of the 4 36 CONTRACTOR. CONTRACTOR shall take: 5 1: 37 // 4 of 9 EXHIBIT D ADVANCED MEDICAL MANAGEMENT, INC. prompt corrective action to mitigate any risks or damages involved with the breach or 6 security incident and to protect the operating environment; and 7 2. any action pertaining to a breach required by applicable federal and state laws, including, 8 specifically, California Civil Code section 1798.29. 9 B. Investigation of Breach and Security Incidents: CONTRACTOR shall immediately investigate 10 such breach or security incident. As soon as the information is known and subject to the legitimate needs 11 of law enforcement, CONTRACTOR shall inform ADMINISTRATOR, ADMINISTRATOR Privacy 12 Officer, and the ADMINISTRATOR Information Security Officer of: 13 1. what data elements were involved and the extent of the data disclosure or access involved 14 in the breach, including, specifically, the number of individuals whose personal information wasMA 042-24010971