Common use of Breach Responsibilities Clause in Contracts

Breach Responsibilities. This section only applies when a Data Breach occurs with respect to Personal Data within the possession or control of the Contractor and related to the service provided under the Master Agreement, Participating Addendum, or SLA. a. The Contractor, unless stipulated otherwise, shall immediately notify the appropriate Purchasing Entity identified contact by telephone in accordance with the agreed upon security plan or security procedures if it reasonably believes there has been a security incident. b. The Contractor, unless stipulated otherwise, shall promptly notify the appropriate Purchasing Entity identified contact within 24 hours or sooner by telephone, unless shorter time is required by applicable law, if it has confirmed that there is, or reasonably believes that there has been a data breach. The Contractor shall (1) cooperate with the Purchasing Entity as reasonably requested by the Purchasing Entity to investigate and resolve the Data Breach, (2) promptly implement necessary remedial measures, if necessary, and (3) document responsive actions taken related to the Data Breach, including any post-incident review of events and actions taken to make changes in business practices in providing the services, if necessary. c. Unless otherwise stipulated, if a Data Breach is a direct result of Contractor’s breach of its contractual obligation to encrypt Personal Data or otherwise prevent its release, the Contractor shall bear the costs associated with (1) the investigation and resolution of the data breach; (2) notifications to individuals, regulators or others required by federal and state laws or as otherwise agreed to; (3) a credit monitoring service required by state (or federal) law or as otherwise agreed to; (4) a website or a toll-free number and call center for affected individuals required by federal and state laws — all not to exceed the average per record per person cost calculated for data breaches in the United States (currently $217 per record/person) in the most recent Cost of Data Breach Study: Global Analysis published by the Ponemon Institute at the time of the data breach; and (5) complete all corrective actions as reasonably determined by Contractor based on root cause.

Breach Responsibilities. This section only applies when a Data Breach occurs with respect to Personal Data within the possession or control of the Contractor and related to the service provided under the Master Agreement, Participating Addendum, or SLAContractor. a. The Contractor, unless stipulated otherwise, shall immediately notify the appropriate Purchasing Entity identified contact by telephone in accordance with the agreed upon security plan or security procedures if it reasonably believes there has been a security incident. b. The Contractor, unless stipulated otherwise, shall promptly notify the appropriate Purchasing Entity identified contact within 24 hours or sooner by telephone, unless shorter time is required by applicable law, if it has confirmed that there is, or reasonably believes that there has been a data breach. The Contractor shall (1) cooperate with the Purchasing Entity as reasonably State of Utah Bid CH16012 requested by the Purchasing Entity to investigate and resolve the Data Breachdata breach, (2) promptly implement necessary remedial measures, if necessary, and (3) document responsive actions taken related to the Data Breachdata breach, including any post-incident review of events and actions taken to make changes in business practices in providing the services, if necessary. c. Unless otherwise stipulated, if a Data Breach is a direct result of Contractor’s breach of its contractual obligation to encrypt Personal Data or otherwise prevent its release, the Contractor shall bear the costs associated with (1) the investigation and resolution of the data breach; (2) notifications to individuals, regulators or others required by federal and state laws or as otherwise agreed to; (3) a credit monitoring service required by state (or federal) law or as otherwise agreed to; (4) a website or a toll-free number and call center for affected individuals required by federal and state laws — all not to exceed the average per record per person cost calculated for data breaches in the United States (currently $217 per record/person) in the most recent Cost of Data Breach Study: Global Analysis published by the Ponemon Institute at the time of the data breach; and (5) complete all corrective actions as reasonably determined by Contractor based on root cause.

Breach Responsibilities. This section only applies when a Data Breach occurs with respect to Personal Data within the possession or control of the Contractor and related to the service Services provided under the Master Agreement, Participating Addendum, or SLA. a. The Contractor, unless stipulated otherwise, shall immediately notify the appropriate Purchasing Entity identified contact by telephone in accordance with the agreed upon security plan or security procedures if it reasonably believes there has been a security incidentSecurity Incident. The Purchasing Entity shall provide to Contractor a list of the primary and alternate contacts. b. The Contractor, unless stipulated otherwise, shall promptly notify the appropriate Purchasing Entity identified contact within 24 hours hours, or sooner as otherwise agreed to between Contractor and Purchasing Entity, by telephone, unless shorter time is required by applicable law, if it has confirmed that there is, or reasonably believes that there has been a data breachData Breach. The Contractor shall (1) cooperate with the Purchasing Entity as reasonably requested by the Purchasing Entity to investigate and resolve the Data Breach, (2) promptly implement necessary remedial measures, if necessary, and (3) document responsive actions taken related to the Data Breach, including any post-incident review of events and actions taken to make changes in business practices in providing the services, if necessary. c. Unless otherwise stipulated, if If a Purchasing Entity retained Contractor to encrypt data in accordance with a Statement of Work and a Data Breach is a direct result of Contractor’s breach of its contractual obligation to encrypt Personal Data or otherwise prevent its releaseData, , the Contractor shall bear the costs associated with (1) the investigation and resolution of the data breach; (2) notifications to individuals, regulators or others required by federal and state laws or as otherwise agreed to; (3) a credit monitoring service to the extent required by applicable state (or federal) law or as otherwise agreed to; (4) to in a website or a toll-free number and call center for affected individuals required by federal and state laws — all not to exceed the average per record per person cost calculated for data breaches in the United States (currently $217 per record/person) in the most recent Cost Statement of Data Breach Study: Global Analysis published by the Ponemon Institute at the time of the data breach; and (5) complete all corrective actions as reasonably determined by Contractor based on root cause.Work;

Breach Responsibilities. This section only applies when a Data Breach occurs with respect to Personal Data within the possession or control of the Contractor and related to the service provided under the Master Agreement, Participating Addendum, or SLA. a. The Contractor, unless stipulated otherwise, shall immediately notify the appropriate Purchasing Entity identified contact by telephone in accordance with the agreed upon security plan or security procedures if it reasonably believes there has been a security incident. b. The Contractor, unless stipulated otherwise, shall promptly notify the appropriate Purchasing Entity identified contact within 24 hours or sooner by telephone, unless shorter time is required by applicable law, if it has confirmed that there is, or reasonably believes that there has been a data breach. The Contractor shall (1) cooperate with the Purchasing Entity as reasonably requested by the Purchasing Entity to investigate and resolve the Data Breach, (2) promptly implement necessary remedial measures, if necessary, and (3) document responsive actions taken related to the Data Breach, including any post-incident review of events and actions taken to make changes in business practices in providing the services, if necessary.. State of Utah Bid CH16012 c. Unless otherwise stipulated, if a Data Breach is a direct result of Contractor’s breach of its contractual obligation to encrypt Personal Data or otherwise prevent its release, the Contractor shall bear the costs associated with (1) the investigation and resolution of the data breach; (2) notifications to individuals, regulators or others required by federal and state laws or as otherwise agreed to; (3) a credit monitoring service required by state (or federal) law or as otherwise agreed to; (4) a website or a toll-free number and call center for affected individuals required by federal and state laws — all not to exceed the average per record per person cost calculated for data breaches in the United States (currently $217 per record/person) in the most recent Cost of Data Breach Study: Global Analysis published by the Ponemon Institute at the time of the data breach; and (5) complete all corrective actions as reasonably determined by Contractor based on root cause.

Breach Responsibilities. This section paragraph only applies when a Data Breach occurs with respect to Personal Data or Non-Public Data within the possession or control of the Contractor and related to the service provided under the Master Agreement, Participating Addendum, or SLAContractor. a. A. The Contractor, unless stipulated otherwise, shall immediately notify the appropriate Purchasing Entity identified contact City Identified Contact by telephone in accordance with the agreed upon security plan or security procedures if it reasonably believes there has been a security incidentSecurity Incident. b. B. The Contractor, unless stipulated otherwise, shall promptly notify the appropriate Purchasing Entity identified contact City Identified Contact within 24 hours or sooner by telephone, unless shorter time is required by applicable law, if it has confirmed confirms that there is, or reasonably believes that there has been a data breachData Breach. The Contractor shall (1) cooperate with the Purchasing Entity City as reasonably requested by the Purchasing Entity City to investigate and resolve the Data Breach, (2) promptly implement necessary remedial measures, if necessary, and (3) document responsive actions taken related to the Data Breach, including any post-incident review of events and actions taken to make changes in business practices in providing the services, if necessary. c. C. Unless otherwise stipulated, if a Data Breach is a direct result of the Contractor’s breach of its contractual Agreement obligation to encrypt Personal Data or Non-Public Data or otherwise prevent its release, the Contractor shall bear the costs associated with (1) the investigation and resolution of the data breachData Breach; (2) notifications to individuals, regulators or others required by federal and state laws or as otherwise agreed tolaw; (3) a credit monitoring service required by state (or federal) law or as otherwise agreed tolaw; (4) a website or a toll-free number and call center for affected individuals required by federal and state laws law — all not to exceed the average per record per person cost calculated for data breaches Data Breaches in the United States (currently $217 201 per record/person) in the most recent Cost of Data Breach Study: Global Analysis published by the Ponemon Institute at the time of the data breachData Breach; and (5) complete all corrective actions as reasonably determined by Contractor based on root cause; all [(1) through (5)] subject to this Agreement’s limitation of liability.

Breach Responsibilities. This section only applies when a Data Breach data breach occurs with respect to Personal Data personal data within the possession or control of the Contractor and related to the service provided under the Master Agreement, Participating Addendum, or SLAContractor. a. 7.3.7.1 The Contractor, unless stipulated otherwise, shall immediately notify the appropriate Purchasing Entity City identified contact by telephone in accordance with the agreed upon security plan or security procedures if it reasonably believes there has been a security incident. b. 7.3.7.2 The Contractor, unless stipulated otherwise, shall promptly notify the appropriate Purchasing Entity City identified contact within 24 hours or sooner by telephone, unless shorter time is required by applicable law, if it has confirmed confirms that there is, or reasonably believes that there has been a data breach. The Contractor shall (1) cooperate with the Purchasing Entity City as reasonably requested by the Purchasing Entity City to investigate and resolve the Data Breachdata breach, (2) promptly implement necessary remedial measures, if necessary, and (3) document responsive actions taken related to the Data Breachdata breach, including any post-incident review of events and actions taken to make changes in business practices in providing the services, if necessary. c. 7.3.7.3 Unless otherwise stipulated, if a Data Breach data breach is a direct result of the Contractor’s breach of its contractual contract obligation to encrypt Personal Data personal data or otherwise prevent its release, the Contractor shall bear the costs associated with (1) the investigation and resolution of the data breach; (2) notifications to individuals, regulators or others required by federal and state laws or as otherwise agreed tolaw; (3) a credit monitoring service required by state (or federal) law or as otherwise agreed tolaw; (4) establishing a website or a toll-free number and call center for affected individuals required by federal and state laws — law – all not to exceed the average per record per person cost calculated for data breaches in the United States (currently $217 201 per record/person) in the most recent Cost of Data Breach Study: Global Analysis published by the Ponemon Institute at the time of the data breach; and (5) complete all corrective actions as reasonably determined by Contractor based on root cause; all [(1) through (5)] subject to this contract’s limitation of liability.

Breach Responsibilities. This section paragraph only applies when a Data Breach occurs with respect to Personal Data or Non- Public Data within the possession or control of the Contractor and related to the service provided under the Master Agreement, Participating Addendum, or SLAContractor. a. A. The Contractor, unless stipulated otherwise, shall immediately notify the appropriate Purchasing Entity identified contact City Identified Contact by telephone in accordance with the agreed upon security plan or security procedures if it reasonably believes there has been a security incidentSecurity Incident. b. B. The Contractor, unless stipulated otherwise, shall promptly notify the appropriate Purchasing Entity identified contact City Identified Contact within 24 hours or sooner by telephone, unless shorter time is required by applicable law, if it has confirmed confirms that there is, or reasonably believes that there has been a data breachData Breach. The Contractor shall (1) cooperate with the Purchasing Entity City as reasonably requested by the Purchasing Entity City to investigate and resolve the Data Breach, (2) promptly implement necessary remedial measures, if necessary, and (3) document responsive actions taken related to the Data Breach, including any post-incident review of events and actions taken to make changes in business practices in providing the services, if necessary. c. C. Unless otherwise stipulated, if a Data Breach is a direct result of the Contractor’s breach of its contractual Agreement obligation to encrypt Personal Data or Non-Public Data or otherwise prevent its release, the Contractor shall bear the costs associated with (1) the investigation and resolution of the data breachData Breach; (2) notifications to individuals, regulators or others required by federal and state laws or as otherwise agreed tolaw; (3) a credit monitoring service required by state (or federal) law or as otherwise agreed tolaw; (4) a website or a toll-free number and call center for affected individuals required by federal and state laws law — all not to exceed the average per record per person cost calculated for data breaches Data Breaches in the United States (currently $217 242 per record/personperson - 2019) in the most recent Cost of Data Breach Study: Global Analysis published by the Ponemon Institute at the time of the data breachData Breach; and (5) complete all corrective actions as reasonably determined by Contractor based on root cause; all [(1) through (5)] subject to this Agreement’s limitation of liability.

Breach Responsibilities. This section only applies when a Data Breach occurs with respect to Personal Data within the possession or control of the Contractor and related to the service provided under the Master Agreement, Participating Addendum, or SLA. a. The Contractor, unless stipulated otherwise, shall immediately notify the appropriate Purchasing Entity identified contact by telephone in accordance with the agreed upon security plan or security procedures if it reasonably believes there has been a security incident. b. The Contractor, unless stipulated otherwise, shall promptly notify the appropriate Purchasing Entity identified contact within 24 hours or sooner by telephone, unless shorter time is required by applicable law, if it has confirmed that there is, or reasonably believes that there has been a data breach. The Contractor shall (1) cooperate with the Purchasing Entity as reasonably requested by the Purchasing Entity to investigate and resolve the Data Breach, (2) promptly implement necessary remedial measures, if necessary, and (3) document responsive actions taken related to the Data Breach, including any post-incident post‐incident review of events and actions taken to make changes in business practices in providing the services, if necessary. c. Unless otherwise stipulated, if a Data Breach is a direct result of Contractor’s breach of its contractual obligation to encrypt Personal Data or otherwise prevent its release, the Contractor shall bear the costs associated with (1) the investigation and resolution of the data breach; (2) notifications to individuals, regulators or others required by federal and state laws or as otherwise agreed to; (3) a credit monitoring service required by state (or federal) law or as otherwise agreed to; (4) a website or a toll-free toll‐free number and call center for affected individuals required by federal and state laws — all not to exceed the average per record per person cost calculated for data breaches in the United States (currently $217 per record/person) in the most recent Cost of Data Breach Study: Global Analysis published by the Ponemon Institute at the time of the data breach; and (5) complete all corrective actions as reasonably determined by Contractor based on root cause.

Breach Responsibilities. This section only applies when a Data Breach data breach occurs with respect to Personal Data personal data within the possession or control of the Contractor and related to the service provided under the Master Agreement, Participating Addendum, or SLAContractor. a. i. The Contractor, unless stipulated otherwise, shall immediately notify the appropriate Purchasing Entity City identified contact by telephone in accordance with the agreed upon security plan or security procedures if it reasonably believes there has been a security incident. b. ii. The Contractor, unless stipulated otherwise, shall promptly notify the appropriate Purchasing Entity City identified contact within 24 hours or sooner by telephone, unless shorter time is required by applicable law, if it has confirmed confirms that there is, or reasonably believes that there has been a data breach. The Contractor shall (1) cooperate with the Purchasing Entity City as reasonably requested by the Purchasing Entity City to investigate and resolve the Data Breachdata breach, (2) promptly implement necessary remedial measures, if necessary, and (3) document responsive actions taken related to the Data Breachdata breach, including any post-incident review of events and actions taken to make changes in business practices in providing the services, if necessary. c. iii. Unless otherwise stipulated, if a Data Breach data breach is a direct result of the Contractor’s breach of its contractual contract obligation to encrypt Personal Data personal data or otherwise prevent its release, the Contractor shall bear the costs associated with (1) the investigation and resolution of the data breach; (2) notifications to individuals, regulators or others required by federal and state laws or as otherwise agreed tolaw; (3) a credit monitoring service required by state (or federal) law or as otherwise agreed tolaw; (4) establishing a website or a toll-free number and call center for affected individuals required by federal and state laws — law – all not to exceed the average per record per person cost calculated for data breaches in the United States (currently $217 201 per record/person) in the most recent Cost of Data Breach Study: Global Analysis published by the Ponemon Institute at the time of the data breach; and (5) complete all corrective actions as reasonably determined by Contractor based on root cause; all [(1) through (5)] subject to this contract’s limitation of liability.

Breach Responsibilities. This section paragraph only applies when a Data Breach occurs with respect to Personal Data or Non- Public Data within the possession or control of the Contractor and related to the service provided under the Master Agreement, Participating Addendum, or SLAContractor. a. A. The Contractor, unless stipulated otherwise, shall immediately notify the appropriate Purchasing Entity identified contact City Identified Contact by telephone in accordance with the agreed upon security plan or security procedures if it reasonably believes there has been a security incidentSecurity Incident. b. B. The Contractor, unless stipulated otherwise, shall promptly notify the appropriate Purchasing Entity identified contact City Identified Contact within 24 hours or sooner by telephone, unless shorter time is required by applicable law, if it has confirmed confirms that there is, or reasonably believes that there has been a data breachData Breach. The Contractor shall (1) cooperate with the Purchasing Entity City as reasonably requested by the Purchasing Entity City to investigate and resolve the Data Breach, (2) promptly implement necessary remedial measures, if necessary, and (3) document responsive actions taken related to the Data Breach, including any post-incident review of events and actions taken to make changes in business practices in providing the services, if necessary. c. C. Unless otherwise stipulated, if a Data Breach is a direct result of the Contractor’s breach of its contractual Agreement obligation to encrypt Personal Data or Non-Public Data or otherwise prevent its release, the Contractor shall bear the reasonable costs associated with (1) the investigation and resolution of the data breachData Breach; (2) notifications to individuals, regulators or others required by federal and state laws or as otherwise agreed tolaw; (3) a credit monitoring service required by state (or federal) law or as otherwise agreed tolaw; (4) a website or a toll-free number and call center for affected individuals required by federal and state laws law — all not to exceed the average per record per person cost calculated for data breaches Data Breaches in the United States (currently $217 242 per record/personperson - 2019) in the most recent Cost of Data Breach Study: Global Analysis published by the Ponemon Institute at the time of the data breachData Breach; and (5) complete all corrective actions as reasonably determined by Contractor based on root cause; all [(1) through (5)] subject to this Agreement’s limitation of liability.

Breach Responsibilities. This section paragraph only applies when a Data Breach occurs with respect to Personal Data or Non- Public Data within the possession or control of the Contractor and related to the service provided under the Master Agreement, Participating Addendum, or SLAContractor. a. A. The Contractor, unless stipulated otherwise, shall immediately notify the appropriate Purchasing Entity identified contact City Identified Contact by telephone in accordance with the agreed upon security plan or security procedures if it reasonably believes there has been a security incidentSecurity Incident. b. B. The Contractor, unless stipulated otherwise, shall promptly notify the appropriate Purchasing Entity identified contact City Identified Contact within 24 hours or sooner by telephone, unless shorter time is required by applicable law, if it has confirmed confirms that there is, or reasonably believes that there has been a data breachData Breach. The Contractor shall (1) cooperate with the Purchasing Entity City as reasonably requested by the Purchasing Entity City to investigate and resolve the Data Breach, (2) promptly implement necessary remedial measures, if necessary, and (3) document responsive actions taken related to the Data Breach, including any post-incident review of events and actions taken to make changes in business practices in providing the services, if necessary. c. C. Unless otherwise stipulated, if a Data Breach is a direct result of the Contractor’s breach of its contractual Agreement obligation to encrypt Personal Data or Non-Public Data or otherwise prevent its release, the Contractor shall bear the costs associated with (1) the investigation and resolution of the data breachData Breach; (2) notifications to individuals, regulators or others required by federal and state laws or as otherwise agreed tolaw; (3) a credit monitoring service required by state (or federal) law or as otherwise agreed tolaw; (4) a website or a toll-free number and call center for affected individuals required by federal and state laws law — all not to exceed the average per record per person cost calculated for data breaches Data Breaches in the United States (currently $217 244 per record/personperson - 2017) in the most recent Cost of Data Breach Study: Global Analysis published by the Ponemon Institute at the time of the data breachData Breach; and (5) complete all corrective actions as reasonably determined by Contractor based on root cause; all [(1) through (5)] subject to this Agreement’s limitation of liability.