Common use of Breach Notification and Recovery Clause in Contracts

Breach Notification and Recovery. The PROVIDER must notify the State of Delaware immediately of any incident resulting in the destruction, loss, unauthorized disclosure, or alteration of State of Delaware data. If data is not encrypted (see DU7, below), Delaware Code (6 Del. C. §12B-100 et seq.) requires public breach notification of any incident resulting in the loss or unauthorized disclosure of Delawareans’ Personally Identifiable Information (PII, as defined in Delaware’s Terms and Conditions Governing Cloud Services policy) by PROVIDER or its subcontractors. The PROVIDER will provide notification to persons whose information was breached without unreasonable delay but not later than 60 days after determination of the breach, except 1) when a shorter time is required under federal law; 2) when law enforcement requests a delay; 3) reasonable diligence did not identify certain residents, in which case notice will be delivered as soon as practicable. All such communication shall be coordinated with the State of Delaware. Should the PROVIDER or its contractors be liable for the breach, the PROVIDER shall bear all costs associated with investigation, response, and recovery from the breach. This includes, but is not limited to, credit monitoring services with a term of at least three (3) years, mailing costs, website, and toll-free telephone call center services. The State of Delaware shall not agree to any limitation on liability that relieves the PROVIDER or its subcontractors from its own negligence, or to the extent that it creates an obligation on the part of the State to hold a PROVIDER harmless. Contract/Agreement #/name , Appendix

Breach Notification and Recovery. The PROVIDER must notify the State of Delaware immediately of any incident resulting in the destruction, loss, unauthorized disclosure, or alteration of State of Delaware data. If data is not encrypted (see DU7CS3, below), Delaware Code (6 Del. C. §12B-100 et seq.) requires public breach notification of any incident resulting in the loss or unauthorized disclosure of Delawareans’ Personally Identifiable Information (PII, as defined in Delaware’s Terms and Conditions Governing Cloud Services policy) by PROVIDER or its subcontractors. The PROVIDER will provide notification to persons whose information was breached without unreasonable delay but not later than 60 days after determination of the breach, except 1) when a shorter time is required under federal law; 2) when law enforcement requests a delay; 3) reasonable diligence did not identify certain residents, in which case notice will be delivered as soon as practicable. All such communication shall be coordinated with the State of Delaware. Should the PROVIDER or its contractors be liable for the breach, the PROVIDER shall bear all costs associated with investigation, response, and recovery from the breach. This includes, but is not limited to, credit monitoring services with a term of at least three (3) years, mailing costs, website, and toll-free telephone call center services. The State of Delaware shall not agree to any limitation on liability that relieves the PROVIDER or its subcontractors from its own negligence, or to the extent that it creates an obligation on the part of the State to hold a PROVIDER harmless. Contract/Agreement #/name , Appendix.

Breach Notification and Recovery. The PROVIDER must notify the State of Delaware immediately of any incident resulting in the destruction, loss, unauthorized disclosure, or alteration of State of Delaware data. If data is not encrypted (see DU7CS3, below), Delaware Code (6 Del. C. §12B-100 et seq.) requires public breach notification of any incident resulting in the loss or unauthorized disclosure of Delawareans’ Personally Identifiable Information (PII, as defined in Delaware’s Terms and Conditions Governing Cloud Services policy) by PROVIDER or its subcontractors. The PROVIDER will provide notification to persons whose information was breached without unreasonable delay but not later than 60 days after determination of the breach, except 1) when a shorter time is required under federal law; 2) when law enforcement requests a delay; 3) reasonable diligence did not identify certain residents, in which case notice will be delivered as soon as practicable. All such communication shall be coordinated with the State of Delaware. Should the PROVIDER or its contractors be liable for the breach, the PROVIDER shall bear all costs associated with investigation, response, and recovery from the breach. This includes, but is not limited to, credit monitoring services with a term of at least three (3) years, mailing costs, website, and toll-free telephone call center services. The State of Delaware shall not agree to any limitation on liability that relieves the PROVIDER or its subcontractors from its own negligence, or to the extent that it creates an obligation on the part of the State to hold a PROVIDER harmless. Contract/Agreement #/name XaaS Contract # __ , AppendixAppendix _ between State of Delaware and dated _ Public Data Non Public Data Cloud Services (CS) Terms PROVIDER must satisfy Clause CS1-A OR Clauses CS1-B and CS1-C, AND Clause CS4 for all engagements involving non-public data. Clause CS2 is mandatory for all engagements involving non-public data. Clause CS3 is only mandatory for SaaS or PaaS engagements involving non-public data.

Breach Notification and Recovery. The PROVIDER must notify the State of Delaware immediately of any incident resulting in the destruction, loss, unauthorized disclosure, or alteration of State of Delaware data. If data is not encrypted (see DU7CS3, below), Delaware Code (6 Del. C. §12B-100 et seq.) requires public pubic breach notification of any incident resulting in the loss or unauthorized disclosure of Delawareans’ Personally Identifiable Information (PII, as defined in Delaware’s Terms and Conditions Governing Cloud Services policy) by PROVIDER or its subcontractors. The PROVIDER will provide notification to persons whose information was breached without unreasonable delay but not later than 60 days after determination of the breach, except 1) when a shorter time is required under federal law; 2) when law enforcement requests a delay; 3) reasonable diligence did not identify certain residents, in which case notice will be delivered as soon as practicable. All such communication shall be coordinated with the State of Delaware. Should the PROVIDER or its contractors be liable for the breach, the PROVIDER shall bear all costs associated with investigation, response, and recovery from the breach. This includes, but is not limited to, credit monitoring services with a term of at least three (3) years, mailing costs, website, and toll-free telephone call center services. The State of Delaware shall not agree to any limitation on liability that relieves the PROVIDER or its subcontractors from its own negligence, or to the extent that it creates an obligation on the part of the State to hold a PROVIDER harmless. Contract/Agreement #/name , Appendix.

Breach Notification and Recovery. The PROVIDER must notify the State of Delaware immediately of any incident resulting in the destruction, loss, unauthorized disclosure, or alteration of State of Delaware data. If data is not encrypted (see DU7CS 3, below), Delaware Code (6 Del. C. §12B-100 et seq.) requires public pubic breach notification of any incident resulting in the loss or unauthorized disclosure of Delawareans’ Personally Identifiable Information (PII, as defined in Delaware’s Terms and Conditions Governing Cloud Services policy) by PROVIDER or its subcontractors. The PROVIDER will provide notification to persons whose information was breached without unreasonable delay but not later than 60 days after determination of the breach, except 1) when a shorter time is required under federal law; 2) when law enforcement requests a delay; 3) reasonable diligence did not identify certain residents, in which case notice will be delivered as soon as practicable. All such communication shall be coordinated with the State of Delaware. Should the PROVIDER or its contractors be liable for the breach, the PROVIDER shall bear all costs associated with investigation, response, and recovery from the breach. This includes, but is not limited to, credit monitoring services with a term of at least three (3) years, mailing costs, website, and toll-free telephone call center services. The State of Delaware shall not agree to any limitation on liability that relieves the PROVIDER or its subcontractors from its own negligence, or to the extent that it creates an obligation on the part of the State to hold a PROVIDER harmless. Contract/Agreement #/name , Appendix

Breach Notification and Recovery. The PROVIDER must notify the State of Delaware immediately within seventy-two (72) hours of any incident resulting in the destruction, loss, unauthorized disclosure, or alteration of State of Delaware data. If data is not encrypted (see DU7, below), Delaware Code (6 Del. C. §12B-100 et seq.) requires public breach notification of any incident resulting in the loss or unauthorized disclosure of Delawareans’ Personally Identifiable Information (PII, as defined in Delaware’s Terms and Conditions Governing Cloud Services policy) by PROVIDER or its subcontractors. The PROVIDER will provide notification to persons whose information was breached without unreasonable delay but not later than 60 days after determination of the breach, except 1) when a shorter time is required under federal law; 2) when law enforcement requests a delay; 3) reasonable diligence did not identify certain residents, in which case notice will be delivered as soon as practicable. All such communication shall be coordinated with the State of Delaware. Should the PROVIDER or its contractors be liable for the breach, the PROVIDER shall bear all costs associated with investigation, response, and recovery from the breach. This includes, but is not limited to, credit monitoring services with a term of at least three (3) years, mailing costs, website, and toll-free telephone call center services. The State of Delaware shall not agree to any limitation on liability that relieves the PROVIDER or its subcontractors from its own negligence, or to the extent that it creates an obligation on the part of the State to hold a PROVIDER harmless. Contract/Agreement #/name , AppendixDocuSign Envelope ID: E3DE512C-D01A-4398-A3A1-9B346D4FF8F4

Breach Notification and Recovery. The PROVIDER must notify the State of Delaware immediately no later than seventy-two (72) hours of any incident resulting in the destruction, loss, unauthorized disclosure, or alteration of State of Delaware data. If data is not encrypted (see DU7CS3, below), Delaware Code (6 Del. C. §12B-100 et seq.) requires public breach notification of any incident resulting in the loss or unauthorized disclosure of Delawareans’ Personally Identifiable Information (PII, as defined in Delaware’s Terms and Conditions Governing Cloud Services policy) by PROVIDER or its subcontractors. The PROVIDER will provide notification to persons whose information was breached without unreasonable delay but not later than 60 days after determination of the breach, except 1) when a shorter time is required under federal law; 2) when law enforcement requests a delay; 3) reasonable diligence did not identify certain residents, in which case notice will be delivered as soon as practicable. All such communication shall be coordinated with the State of Delaware. Should the PROVIDER or its contractors be liable for the breach, the PROVIDER shall bear all costs associated with investigation, response, and recovery from the breach. This includes, but is not limited to, credit monitoring services with a term of at least three (3) years, mailing costs, website, and toll-free telephone call center services. The State of Delaware shall not agree to any limitation on liability that relieves the PROVIDER or its subcontractors from its own negligence, or to the extent that it creates an obligation on the part of the State to hold a PROVIDER harmless. Contract/Agreement #/name DocuSign Envelope ID: E3DE512C-D01A-4398-A3A1-9B346D4FF8F4 between State of Delaware and Cradlepoint, AppendixInc. Public Data Non Public Data Cloud Services (CS) Terms PROVIDER must satisfy Clause CS1-A OR Clauses CS1-B and CS1-C, AND Clause CS4 for all engagements involving non-public data. Clause CS2 is mandatory for all engagements involving non-public data. Clause CS3 is only mandatory for SaaS or PaaS engagements involving non-public data.

Breach Notification and Recovery. The PROVIDER must notify the State of Delaware at xXxxxxxxx@xxxxxxxx.xxx immediately or within 24 hours of any incident determination of the breach of security as defined in 6 Del. C. §12B-101(2) resulting in the destruction, loss, unauthorized disclosure, or alteration of State of Delaware data. The PROVIDER shall send a preliminary written report detailing the nature, extent, and root cause of any such data breach no later than two (2) business days following notice of such a breach. The PROVIDER will continue to send any and all reports subsequent to the preliminary written report. The PROVIDER shall meet and confer with representatives of DTI regarding required remedial action in relation to any such data breach without unreasonable delay. If data is not encrypted (see DU7CS3, below), Delaware Code (6 Del. C. §12B-100 et seq.) requires public breach notification of any incident resulting in the loss or unauthorized disclosure of Delawareans’ Personally Identifiable Information (PII, as defined in Delaware’s Terms and Conditions Governing Cloud Services policy) by PROVIDER or its subcontractors. The PROVIDER will assist and be responsible for all costs to provide notification to persons whose information was breached without unreasonable delay but not later than 60 sixty (60) days after determination of the breach, except 1) when a shorter time is required under federal law; 2) when law enforcement requests a delay; or 3) reasonable diligence did not identify certain residents, in which case notice will be delivered as soon as practicable. All such communication shall be coordinated with the State of Delaware. Should the PROVIDER or its contractors be liable for the breach, the PROVIDER shall bear all costs associated with investigation, response, and recovery from the breach. This includes, but is not limited to, credit monitoring services with a term of at least three (3) years, mailing costs, website, and toll-free telephone call center services. The State will retain all determining authority for breach accountability and responsibility. The State of Delaware shall not agree to any limitation on liability that relieves the PROVIDER or its subcontractors from its own negligence, or to the extent that it creates an obligation on the part of the State to hold a PROVIDER harmless. Contract/Agreement #/name , AppendixThe PROVIDER shall not issue a media notice without the approval of the State.

Breach Notification and Recovery. The PROVIDER must notify the State of Delaware at xXxxxxxxx@xxxxxxxx.xxx immediately or within 24 hours of any incident determination of the breach of security as defined in 6 Del. C. §12B-101(2) resulting in the destruction, loss, unauthorized disclosure, or alteration of State of Delaware data. The PROVIDER shall send a preliminary written report detailing the nature, extent, and root cause of any such data breach no later than two (2) business days following notice of such a breach. The PROVIDER will continue to send any and all reports subsequent to the preliminary written report. The PROVIDER shall meet and confer with representatives of DTI regarding required remedial action in relation to any such data breach without unreasonable delay. If data is not encrypted (see DU7CS3, below), Delaware Code (6 Del. C. §12B-100 et seq.) requires public breach notification of any incident resulting in the loss or unauthorized disclosure of Delawareans’ Personally Identifiable Information (PII, as defined in Delaware’s Terms and Conditions Governing Cloud Services policyand Data Usage Policy) by PROVIDER or its subcontractors. The PROVIDER will assist and be responsible for all costs to provide notification to persons whose information was breached without unreasonable delay but not later than 60 sixty (60) days after determination of the breach, except 1) when a shorter time is required under federal law; 2) when law enforcement requests a delay; or 3) reasonable diligence did not identify certain residents, in which case notice will be delivered as soon as practicable. All such communication shall be coordinated with the State of Delaware. Should the PROVIDER or its contractors be liable for the breach, the PROVIDER shall bear all costs associated with investigation, response, and recovery from the breach. This includes, but is not limited to, credit monitoring services with a term of at least three (3) years, mailing costs, website, and toll-free telephone call center services. The State will retain all determining authority for breach accountability and responsibility. The State of Delaware shall not agree to any limitation on liability that relieves the PROVIDER or its subcontractors from its own negligence, or to the extent that it creates an obligation on the part of the State to hold a PROVIDER harmless. Contract/Agreement #/name , AppendixThe PROVIDER shall not issue a media notice without the approval of the State.