Common use of BREACHES OF NYS CONFIDENTIAL INFORMATION Clause in Contracts

BREACHES OF NYS CONFIDENTIAL INFORMATION. a. Compliance with the NYS Information Security Breach and Notification Act (ISBNA). In accordance with the Information Security Breach and Notification Act (ISBNA) (NYS General Business Law, §889-aa and §889- bb; NYS Technology Law, §208), Contractor shall be responsible for complying with the provisions of the ISBNA and the following terms contained herein with respect to any Private Information (as defined in ISBNA) received by Contractor under the Contract that is within the control of the Contractor either on the State’s information technology systems or the Contractor’s information technology systems (System). In the event of a breach of the security of the System (as defined by ISBNA) Contractor shall immediately commence an investigation, in cooperation with the State, to determine the scope of the breach and restore the security of the System to prevent any further breaches. Contractor shall also notify the State of any breach of the security of the System immediately following discovery of such breach. Notice of such breach will be sent to: ITS: ITS General Counsel Empire State Plaza Swan Street Building, Core 0 Xxxxxx, Xxx Xxxx 00000 (518) 473-5115 xxx.xx.xxx@xxx.xx.xxx OTDA: OTDA General Counsel 00 Xxxxx Xxxxx Xxxxxx 00X Xxxxxx, Xxx Xxxx 00000 (518) 474-9502 Xxxx.xx.xxxxxxxxxxxxx@xxxx.xx.xxx Except as otherwise instructed by the State, Contractor shall, to the fullest extent possible, first consult with and receive authorization from ITS and OTDA prior to notifying any individuals, the Department of State (DOS), the NYS Division of State Police, the NYS Office of the Attorney General (OAG), or any consumer reporting agencies of a breach of the security of the System or concerning any determination to delay notification due to law enforcement investigations. Nothing herein shall in any way impair the authority of the OAG to bring an action against Contractor to enforce the provisions of ISBNA or limit Contractor’s liability for any violations of the ISBNA or any other applicable statutes, rules, or regulations. In the event that the Contractor is advised by a law enforcement agency pursuant to GBL §899-aa(4) to delay the notice under GBL §899-aa(3), the Contractor shall provide the notice under GBL §899-aa(3) to the State not more than twenty-four hours after the Contractor has been advised by the law enforcement agency that notice under GBL §899-aa(3) can be provided. In accordance with ISBNA, Contractor is responsible for complying with the following terms with respect to any Private Information (as defined in the ISBNA) received by or on behalf of the State under the Contract. Contractor: • Shall supply ITS with a copy of its breach notification policy, which shall be modified to be in compliance with this provision. • Must encrypt any database fields and backup tapes that contain Private Information, as set forth in the ISBNA. • Must ensure that the State's Private Information is encrypted in transit to/from Contractor's systems. • In general, Contractor must ensure that Private Information is not displayed to users on computer screens or in printed reports; however, specific users who are authorized to view the private data elements and who have been properly authenticated may view/receive such data. • Must monitor for breaches of security to any of its systems that store or process the State's Private Information. • Shall take all steps as set forth in ISBNA to ensure Private Information shall not be released without authorization from the State. • In the event a security breach occurs as defined by ISBNA, notify the ITS Chief Information Security Officer (CISO) by telephone within four (4) hours of becoming aware of the breach and commence an investigation in cooperation with the State to determine the scope and cause of the breach, and to prevent the future recurrence of such security breaches. • Coordinate all communication regarding the data breach with the ITS CISO and the State. • Take immediate and necessary steps needed to restore the information security system to prevent further breaches, and take corrective action in the timeframe required by the State. If Contractor is unable to complete the corrective action within the required timeframe, in addition to any other remedies available, the State may contract with a third-party to provide the required services until corrective actions and services resume in a manner acceptable to the State, or until the State has completed a new procurement for a replacement service system. The Contractor will be responsible for the cost of these services during this period. Contractor shall be responsible for providing all notices required by the ISBNA and for all costs associated with providing said notices. The State reserves the right to require commercially standard credit monitoring for any and all individuals affected by the data breach at the sole expense of the Contractor for a period to be determined by the State, but not less than twelve (12) months, which shall begin thirty (30) days following the notice of offer from the Contractor of such credit monitoring to those affected individuals, which shall be within a reasonable time following the identification of such affected individuals. The State reserves the right to require notice by regular or electronic mail.

BREACHES OF NYS CONFIDENTIAL INFORMATION. a. 55.1. Compliance with the NYS Information Security Breach and Notification Act (ISBNA). In accordance with the Information Security Breach and Notification Act (ISBNA) (NYS General Business Law, §889-aa and §889- bbaa; NYS Technology Law, §208), Contractor shall be responsible for complying with the provisions theprovisions of the ISBNA and the following terms contained herein with respect to any Private Information private information (as defined in ISBNA) received by Contractor under the this Contract (Private Information) that is within the control of the Contractor either on the State’s ITS' information technology security systems or the Contractor’s information technology security systems (System). In the event of a breach of the security of the System (as defined by ISBNA) Contractor shall immediately commence an investigation, in cooperation with the StateITS, to determine the scope of the breach and restore the security of the System to prevent any further breaches. Contractor shall also notify the State of any ITS ofany breach of the security of the System immediately following discovery of such breach. Notice of such breach will be sent to: ITS: ITS General Counsel Empire State Plaza Swan Street Building, Core 0 Xxxxxx, Xxx Xxxx 00000 (518) 473-5115 xxx.xx.xxx@xxx.xx.xxx OTDA: OTDA General Counsel 00 Xxxxx Xxxxx Xxxxxx 00X Xxxxxx, Xxx Xxxx 00000 (518) 474-9502 Xxxx.xx.xxxxxxxxxxxxx@xxxx.xx.xxx Except as otherwise asotherwise instructed by the StateITS, Contractor shall, to the fullest extent possible, first consult with and receive authorization from ITS and OTDA prior to notifying any individuals, the Department of State (DOS), the NYS Division of State Police, the NYS Office of the Attorney General (OAG), or any consumer reporting agencies of a breach of the security of the System or concerning any determination to delay notification due to law enforcement investigationsenforcementinvestigations. Nothing herein shall in any way impair the authority of the OAG to bring an bringan action against Contractor to enforce the provisions of ISBNA or limit Contractor’s liability for any violations of the ISBNA or any other applicable statutes, rules, rules or regulations. In the event that the Contractor is advised by a law enforcement agency pursuant to GBL §899-aa(4) to delay the notice under GBL §899-aa(3), the Contractor shall provide the providethe notice under GBL §899-899- aa(3) to the State not more than twenty-four hours after the Contractor has been advised by the law enforcement agency that notice under GBL §899-aa(3) can be providedbeprovided. In accordance with ISBNA, Contractor is responsible for complying with the following terms with respect to any Private Information (as defined in the ISBNA) received by or on behalf of the State ITS under the this Contract. Contractor: • Shall supply ITS with a copy of its breach notification policy, which shall be modified to be in compliance with this provision. • Must encrypt any database fields and backup tapes that contain Private Information, as set forth in the ISBNA. • Must ensure that the State's Private Information is encrypted in transit to/from Contractor's systems. • In general, Contractor must ensure that Private Information is not displayed to users on computer screens or in printed reports; however, specific users who are authorized to view the private data elements and who have been properly authenticated may view/receive such data. • Must monitor for breaches of security to any of its systems that store or process the State's Private Information. • Shall take all steps as set forth in ISBNA to ensure Private Information shall not be released without authorization from the StateITS. • In the event a security breach occurs as defined by ISBNA, notify the ITS Chief Enterprise Information Security Officer (CISOEISO) by telephone within four (4) hours of becoming aware of the breach and commence an investigation in cooperation with the State ITS to determine the scope and cause of the breach, and to prevent the future recurrence of such security breaches. • Coordinate all communication regarding the data breach with the ITS CISO EISO and the StateITS. • Take immediate and necessary steps needed to restore the information security system to prevent further breaches, and take corrective action in the timeframe required by the StateITS. If Contractor is unable to complete the corrective action within the required timeframe, in addition to any other remedies available, the State ITS may contract with a third-party to provide the required services until corrective actions and services resume in a manner acceptable to the StateITS, or until the State ITS has completed a new procurement for a replacement service system. The Contractor will be responsible for the cost of these services during this period. Contractor shall be responsible for providing all notices required by the ISBNA and for all costs associated with providing said notices. The State ITS reserves the right to require commercially standard credit monitoring for any and all individuals affected by the data breach at the sole expense of the Contractor for a period not to be determined by the State, but not less than twelve (12) exceed 12 months, which shall begin thirty (30) 30 days following the notice of offer from the Contractor of such credit monitoring to those affected individuals, which shall be within a reasonable time following the identification of such affected individuals. The State ITS reserves the right to require notice by regular or electronic mail.

BREACHES OF NYS CONFIDENTIAL INFORMATION. a. Compliance with the NYS Information Security Breach and Notification Act (“ISBNA”). In accordance with the Information Security Breach and Notification Act (ISBNA) (NYS General Business Law, §889-aa and §889- bb889-bb of the General Business Law of the State of New York (“GBL”); NYS §208 of the State Technology Law, §208Law of the State of New York), Contractor shall be responsible for complying with the provisions of the ISBNA and the following terms contained herein with respect to any Private Information (as defined in ISBNA) received by Contractor under the Contract that is within the control of the Contractor either on the State’s information technology systems or the Contractor’s information technology systems (System). In the event of a breach of the security of the System (as defined by ISBNA) Contractor shall immediately commence an investigation, in cooperation with the State, to determine the scope of the breach and restore the security of the System to prevent any further breaches. Contractor shall also notify the State of any breach of the security of the System immediately following discovery of such breach. Notice of such breach will be sent to: ITSNYS ITS Cyber Command Center Telephone (Mon – Fri, 9AM-5PM): (000) 000-0000 Telephone (Mon – Fri, 5PM-9AM, weekends, and holidays): (000) 000-0000 Email: xxxxx@xxx.xx.xxx With a copy to: ITS General Counsel Empire State Plaza Swan Street Building, Core 0 Xxxxxx, Xxx Xxxx 00000 (518000) 473000-5115 0000 xxx.xx.xxx@xxx.xx.xxx OTDA: OTDA General Counsel 00 Xxxxx Xxxxx Xxxxxx 00X Xxxxxx, Xxx Xxxx 00000 (518) 474-9502 Xxxx.xx.xxxxxxxxxxxxx@xxxx.xx.xxx Except as otherwise instructed by the State, Contractor shall, to the fullest extent possible, first consult with and receive authorization from ITS and OTDA prior to notifying any individuals, the Department of State (“DOS”), the NYS Division of State Police, the NYS Office of the Attorney General (OAG), or any consumer reporting agencies of a breach of the security of the System or concerning any determination to delay notification due to law enforcement investigations. Nothing herein shall in any way impair the authority of the OAG to bring an action against Contractor to enforce the provisions of ISBNA or limit Contractor’s liability for any violations of the ISBNA or any other applicable statutes, rules, or regulations. In the event that the Contractor is advised by a law enforcement agency pursuant to GBL §899-aa(4) to delay the notice under GBL §899-aa(3), the Contractor shall provide the notice under GBL §899-899- aa(3) to the State not more than twenty-four hours after the Contractor has been advised by the law enforcement agency that notice under GBL §899-aa(3) can be provided. In accordance with ISBNA, Contractor is responsible for complying with the following terms with respect to any Private Information (as defined in the ISBNA) received by or on behalf of the State under the Contract. Contractor: • Shall supply ITS with a copy of its breach notification policy, which shall be modified to be in compliance with this provision. • Must encrypt any database fields and backup tapes that contain Private Information, as set forth in the ISBNA. • Must ensure that the State's Private Information is encrypted in transit to/from Contractor's systems. • In general, Contractor must ensure that Private Information is not displayed to users on computer screens or in printed reports; however, specific users who are authorized to view the private data elements and who have been properly authenticated may view/receive such data. • Must monitor for breaches of security to any of its systems that store or process the State's Private Information. • Shall take all steps as set forth in ISBNA to ensure Private Information shall not be released without authorization from the State. • In the event a security breach occurs as defined by ISBNA, notify the ITS Chief Information Security Officer (CISO) by telephone within four (4) hours of becoming aware of the breach and commence an investigation in cooperation with the State to determine the scope and cause of the breach, and to prevent the future recurrence of such security breaches. • Coordinate all communication regarding the data breach with the ITS CISO and the State. • Take immediate and necessary steps needed to restore the information security system to prevent further breaches, and take corrective action in the timeframe required by the State. If Contractor is unable to complete the corrective action within the required timeframe, in addition to any other remedies available, the State may contract with a third-party to provide the required services until corrective actions and services resume in a manner acceptable to the State, or until the State has completed a new procurement for a replacement service system. The Contractor will be responsible for the cost of these services during this period. Contractor shall be responsible for providing all notices required by the ISBNA and for all costs associated with providing said notices. The State reserves the right to require commercially standard credit monitoring for any and all individuals affected by the data breach at the sole expense of the Contractor for a period to be determined by the State, but not less than twelve (12) months, which shall begin thirty (30) days following the notice of offer from the Contractor of such credit monitoring to those affected individuals, which shall be within a reasonable time following the identification of such affected individuals. The State reserves the right to require notice by regular or electronic mail.

BREACHES OF NYS CONFIDENTIAL INFORMATION. a. Compliance with the NYS Information Security Breach and Notification Act (ISBNA). In accordance with the Information Security Breach and Notification Act (ISBNA) (NYS General Business Law, §889-aa and §889- bb; NYS Technology Law, §208), Contractor shall be responsible for complying with the provisions of the ISBNA and the following terms contained herein with respect to any Private Information (as defined in ISBNA) received by Contractor under the Contract that is within the control of the Contractor either on the State’s information technology systems or the Contractor’s information technology systems (System). In the event of a breach of the security of the System (as defined by ISBNA) Contractor shall immediately commence an investigation, in cooperation with the State, to determine the scope of the breach and restore the security of the System to prevent any further breaches. Contractor shall also notify the State of any breach of the security of the System immediately following discovery of such breach. Notice of such breach will be sent to: ITS: ITS General Counsel Empire State Plaza Swan Street Building, Core 0 Xxxxxx, Xxx Xxxx 00000 (518) 473-5115 xxx.xx.xxx@xxx.xx.xxx OTDA: OTDA General Counsel 00 Xxxxx Xxxxx Xxxxxx 00X Xxxxxx, Xxx Xxxx 00000 (518) 474-9502 Xxxx.xx.xxxxxxxxxxxxx@xxxx.xx.xxx Except as otherwise instructed by the State, Contractor shall, to the fullest extent possible, first consult with and receive authorization from ITS and OTDA prior to notifying any individuals, the Department of State (DOS), the NYS Division of State Police, the NYS Office of the Attorney General (OAG), or any consumer reporting agencies of a breach of the security of the System or concerning any determination to delay notification due to law enforcement investigations. Nothing herein shall in any way impair the authority of the OAG to bring an action against Contractor to enforce the provisions of ISBNA or limit Contractor’s liability for any violations of the ISBNA or any other applicable statutes, rules, or regulations. In the event that the Contractor is advised by a law enforcement agency pursuant to GBL §899-aa(4) to delay the notice under GBL §899-aa(3), the Contractor shall provide the notice under GBL §899-aa(3) to the State not more than twenty-four hours after the Contractor has been advised by the law enforcement agency that notice under GBL §899-aa(3) can be provided. In accordance with ISBNA, Contractor is responsible for complying with the following terms with respect to any Private Information (as defined in the ISBNA) received by or on behalf of the State under the Contract. Contractor: • Shall supply ITS with a copy of its breach notification policy, which shall be modified to be in compliance with this provision. • Must encrypt any database fields and backup tapes that contain Private Information, as set forth in the ISBNA. • Must ensure that the State's Private Information is encrypted in transit to/from Contractor's systems. • In general, Contractor must ensure that Private Information is not displayed to users on computer screens or in printed reports; however, specific users who are authorized to view the private data elements and who have been properly authenticated may view/receive such data. • Must monitor for breaches of security to any of its systems that store or process the State's Private Information. • Shall take all steps as set forth in ISBNA to ensure Private Information shall not be released without authorization from the State. • In the event a security breach occurs as defined by ISBNA, notify the ITS Chief Information Security Officer (CISO) by telephone within four (4) hours of becoming aware of the breach and commence an investigation in cooperation with the State to determine the scope and cause of the breach, and to prevent the future recurrence of such security breaches. • Coordinate all communication regarding the data breach with the ITS CISO and the State. • Take immediate and necessary steps needed to restore the information security system to prevent further breaches, and take corrective action in the timeframe required by the State. If Contractor is unable to complete the corrective action within the required timeframe, in addition to any other remedies available, the State may contract with a third-party to provide the required services until corrective actions and services resume in a manner acceptable to the State, or until the State has completed a new procurement for a replacement service system. The Contractor will be responsible for the cost of these services during this period. Contractor shall be responsible for providing all notices required by the ISBNA and for all costs associated with providing said notices. The State reserves the right to require commercially standard credit monitoring for any and all individuals affected by the data breach at the sole expense of the Contractor for a period to be determined by the State, but not less than twelve (12) months, which shall begin thirty (30) days following the notice of offer from the Contractor of such credit monitoring to those affected individuals, which shall be within a reasonable time following the identification of such affected individuals. The State reserves the right to require notice by regular or electronic mail.