Breach Responsibilities. This section only applies when a Data Breach occurs with respect to Personal Data or Non-Public Data within the possession or control of Supplier.
a. Supplier, unless stipulated otherwise, shall promptly notify the Customer identified contact within 2 hours or sooner, unless shorter time is required by applicable law, if it confirms that there is, or reasonably believes that there has been a Data Breach. Supplier shall (1) cooperate with Customer as reasonably requested by Customer to investigate and resolve the Data Breach, (2) promptly implement necessary remedial measures, if necessary, and (3) document responsive actions taken related to the Data Breach, including any post-incident review of events and actions taken to make changes in business practices in providing the services, if necessary.
b. Unless otherwise stipulated, if a Data Breach is a direct result of Supplier’s breach of its obligation to encrypt Personal Data and Non-Public Data or otherwise prevent its release, Supplier shall bear the costs associated with (1) the investigation and resolution of the Data Breach; (2) notifications to individuals, regulators or others required by state law; (3) credit monitoring services required by state or federal law; (4) a website or toll-free numbers and call center for affected individuals required by state law – (2), (3) and (4) not to exceed the agency per record per person cost calculated for data breaches in the United States on the most recent Cost of Data Breach Study: Global Analysis published by the Ponemon Institute at the time of the Data Breach; and (5) complete all corrective actions as reasonably determined by Supplier based on root cause.
c. If a Data Breach is a direct result of Supplier’s breach of its obligations to encrypt Personal Data and Non-Public Data or otherwise prevent its release, Supplier shall indemnify and hold harmless the Customer against all penalties assessed to indemnified parties by governmental authorities in connection with the Data Breach.
Appears in 5 contracts
Samples: Hosting Agreement, Hosting Agreement, Hosting Agreement
Breach Responsibilities. This section only applies when a Data Breach occurs with respect to Personal Data or Non-Public Data within the possession or control of Supplier.
a. Supplier, unless stipulated otherwise, shall promptly notify the Customer identified contact within 2 hours or sooner, unless shorter time is required by applicable law, if it confirms that there is, or reasonably believes that there has been a Data Breach. Supplier shall (1) cooperate with Customer as reasonably requested by Customer to investigate and resolve the Data Breach, (2) promptly implement necessary remedial measures, if necessary, and (3) document responsive actions taken related to the Data Breach, including any post-incident review of events and actions taken to make changes in business practices in providing the services, if necessary.
b. Unless otherwise stipulated, if a Data Breach is a direct result of Supplier’s breach of its obligation to encrypt Personal data and Non-Public Data or otherwise prevent its release, Supplier shall bear the costs associated with (1) the investigation and resolution of the Data Breach; (2) notifications to individuals, regulators or others required by state law; (3) credit monitoring services required by state or federal law; (4) a website or toll-free numbers and call center for affected individuals required by state law – (2), (3) and (4) all not to exceed the agency per record per person cost calculated for data breaches in the United States on the most recent Cost of Data breach Study: Global Analysis published by the Ponemon Institute at the time of the data breach; and (5) complete all corrective actions as reasonably determined by Supplier based on root cause.
c. If a Data Breach is a direct result of Supplier’s breach of its obligations to encrypt Personal Data and Non-Public Data or otherwise prevent its release, Supplier shall indemnify and hold harmless the Customer against all penalties assessed to Indemnified Parties by governmental authorities in connection with the Data Breach.
Appears in 2 contracts
Samples: Procurement Master Agreement, State Use Master Agreement
Breach Responsibilities. This section only applies when a Data Breach occurs with respect to Personal Data or Non-Public Data within the possession or control of Vendor.
a. Vendor, unless stipulated otherwise, shall promptly notify the Customer identified contact within 2 hours or sooner, unless shorter time is required by applicable law, if it confirms that there is, or reasonably believes that there has been a Data Breach. Vendor shall (1) cooperate with Customer as reasonably requested by Customer to investigate and resolve the Data Breach, (2) promptly implement necessary remedial measures, if necessary, and (3) document responsive actions taken related to the Data Breach, including any post-incident review of events and actions taken to make changes in business practices in providing the services, if necessary.
b. Unless otherwise stipulated, if a Data Breach is a direct result of Vendor’s breach of its obligation to encrypt Personal data and Non-Public Data or otherwise prevent its release, Vendor shall bear the costs associated with (1) the investigation and resolution of the Data Breach; (2) notifications to individuals, regulators or others required by state law; (3) credit monitoring services required by state or federal law; (4) a website or toll-free numbers and call center for affected individuals required by state law – (2), (3) and (4) all not to exceed the agency per record per person cost calculated for data breaches in the United States on the most recent Cost of Data breach Study: Global Analysis published by the Ponemon Institute at the time of the data breach; and (5) complete all corrective actions as reasonably determined by Vendor based on root cause.
c. If a Data Breach is a direct result of Vendor’s breach of its obligations to encrypt Personal Data and Non-Public Data or otherwise prevent its release, Vendor shall indemnify and hold harmless the Customer against all penalties assessed to Indemnified Parties by governmental authorities in connection with the Data Breach.
Appears in 2 contracts
Samples: Procurement Master Agreement, Procurement Master Agreement
Breach Responsibilities. This section only applies when a data breach occurs with respect to personal data within the possession or control of the Service Provider.
a. The Service Provider, unless stipulated otherwise, shall immediately notify the appropriate public jurisdiction identified contact by telephone in accordance with the agreed upon security plan or security procedures if it reasonably believes there has been a security incident.
b. The Service Provider, unless stipulated otherwise, shall promptly notify the appropriate public jurisdiction identified contact within 24 hours or sooner by telephone, unless shorter time is required by applicable law, if it confirms that there is, or reasonably believes that there has been a data breach. The Service Provider shall (1) cooperate with the public jurisdiction as reasonably requested by the public jurisdiction to investigate and resolve the data breach, (2) promptly implement necessary remedial measures, if necessary, and (3) document responsive actions taken related to the data breach, including any post-incident review of events and actions taken to make changes in business practices in providing the services, if necessary.
c. Unless otherwise stipulated, if a data breach is a direct result of the Service Provider’s breach of its contract obligation to encrypt personal data or otherwise prevent its release, the Service Provider shall bear the costs associated with (1) the investigation and resolution of the data breach; (2) notifications to individuals, regulators or others required by state law; (3) a credit monitoring service required by state (or federal) law; (4) a website or a toll-free number and call center for affected individuals required by state law — all not to exceed the average per record per person cost calculated for data breaches in the United States (currently $201 per record/person) in the most recent Cost of Data Breach Study: Global Analysis published by the Ponemon Institute at the time of the data breach; and (5) complete all corrective actions as reasonable determined by Service Provider based on root cause; all [(1) through (5)] subject to this contract’s limitation of liability.
c. If a Data Breach is a direct result of Supplier’s breach of its obligations to encrypt Personal Data and Non-Public Data or otherwise prevent its release, Supplier shall indemnify and hold harmless the Customer against all penalties assessed to indemnified parties by governmental authorities in connection with the Data Breach.
Appears in 1 contract
Samples: Technology Contracts