Breaches & Security Incidents. 1. Contractor shall immediately report to the Covered California Privacy Officer at XxxxxxxXxxxxxx@xxxxxxx.xx.xxx any actual or suspected Breaches or Security Incidents involving PII created or received under this Agreement. Contractor’s report shall contain the following information to the extent applicable and known at that time:
a. A brief description of what happened including the date of the incident and the date of the discovery of the incident;
b. The names or identification numbers of the individuals whose PII has been, or is reasonably believed to have been accessed, acquired, used or disclosed;
c. A description of the types of PII that were involved in the incident, as applicable;
d. Information regarding any information system intrusion and any systems potentially compromised;
e. A brief description of Contractor’s investigation and mitigation plan; and
f. Any other information necessary for Covered California to conduct an investigation and include in notifications to the individual(s) or relevant regulatory authorities under applicable privacy and security requirements.
2. Upon completion of the initial report, Contractor shall immediately commence an investigation in accordance with applicable law to:
a. Determine the scope of the incident;
b. Mitigate harm that may result from the incident; and
c. Restore the security of the system to prevent any further harm or incidents.
3. Contractor shall cooperate with Covered California in investigating the actual or suspected incident and in meeting Covered California’s obligations, if any, under applicable laws.
4. Contractor shall mitigate to the extent practicable any harmful effect of any Incident that is known or reasonably discoverable to Contractor.
5. After conducting its investigation, and within fifteen (15) calendar days, unless an extension is granted by Covered California, Contractor shall file a complete report with the information listed above in subsection (1), if available. Contractor shall make all reasonable efforts to obtain all relevant information and shall provide an explanation if any information cannot be obtained. The complete report shall include a corrective action plan that describes the steps to be taken to prevent any future reoccurrence of the incident.
6. Contractor shall cooperate with Covered California in developing content for any public statements and shall not give any public statements without the express written permission of Covered California.
7. If a Breach requires notifications and reporting under applicable laws, and the cause of the Breach is attributable to Contractor, its agents or subcontractors, Contractor shall:
a. Be fully responsible for providing breach notifications and reporting as required under applicable laws;
b. Pay any costs of such Breach notifications as well as any costs or damages associated with the incident; and
c. Should Covered California in its sole discretion determine that credit monitoring is an appropriate remedy, arrange for and bear the reasonable, out-of-pocket cost of providing to each such affected individual one (1) year of credit monitoring services from a nationally recognized supplier of such services.
8. If Contractor determines that an impermissible acquisition, use, or disclosure of PII does not require breach notifications or reporting, it shall document its assessment and provide such documentation to Covered California within one week of its completion. Notwithstanding the foregoing, Covered California reserves the right to reject Contractor’s assessment and direct Contractor to treat the incident as a Breach.
Appears in 3 contracts
Samples: Non Monetary Agreement, Health Insurance Agreement, Non Monetary Agreement
Breaches & Security Incidents. A. The Contractor shall immediately report to the Covered California Exchange Privacy Officer at XxxxxxxXxxxxxx@xxxxxxx.xx.xxx Privacy Xxxxxxx@xxxxxxx.xx.xxx any actual or suspected Breaches or Security Incidents involving PII created or received under this Agreement. Contractor’s report shall contain the following information to the extent applicable and known at that time:
I. A brief description of what happened including the date of the incident and the date of the discovery of the incident;
II. The names or identification numbers of the individuals whose PII has been, or is reasonably believed to have been accessed, acquired, used or disclosed;
III. A description of the types of PII that were involved in the incident, as applicable;
IV. Information regarding any information system intrusion and any systems potentially compromised;
V. A brief description of Contractor’s investigation and mitigation plan; and
VI. Any other information necessary for the Exchange to conduct an investigation and include in notifications to the individual(s) or relevant regulatory authorities under applicable privacy and security requirements.
B. Upon completion of the initial report, Contractor shall immediately commence an investigation in accordance with applicable law to:
I. Determine the scope of the incident;
II. Mitigate harm that may result from the incident; and
III. Restore the security of the system to prevent any further harm or incidents.
C. Contractor shall cooperate with the Exchange in investigating the actual or suspected incident and in meeting the Exchange’s obligations, if any, under applicable laws.
D. Contractor shall mitigate to the extent practicable any harmful effect of any incident that is known or reasonably discoverable to Contractor.
E. After conducting its investigation, and within fifteen (15) calendar days, unless an extension is granted by the Exchange, Contractor shall file a complete report with the information listed above in subsection (1), if available. Contractor shall make all reasonable efforts to obtain all relevant information and shall provide an explanation if any information cannot be obtained. The complete report shall include a corrective action plan that describes the steps to be taken to prevent any future reoccurrence of the incident.
F. Contractor shall cooperate with the Exchange in developing content for any public statements and shall not give any public statements without the express written permission of the Exchange.
G. If a breach requires notifications and reporting under applicable laws, and the cause of the Breach is attributable to Contractor, its agents or subcontractors, the Contractor shall:
I. Be fully responsible for providing breach notifications and reporting as required under applicable laws;
II. Pay any costs of such Breach notifications as well as any costs or damages associated with the incident; and
III. Should the Exchange in its sole discretion determine that credit monitoring is an appropriate remedy, arrange for and bear the reasonable, out-of-pocket cost of providing to each such affected individual one (1) year of credit monitoring services from a nationally recognized supplier of such services.
H. If a Contractor determines that an impermissible acquisition, use, or disclosure of PII does not require breach notifications or reporting, he/she shall document the assessment and provide such documentation to the Exchange within one week of its completion. Notwithstanding the foregoing, the Exchange reserves the right to reject the assessment and advise the Contractor to treat the incident as a Breach.
Appears in 1 contract
Samples: Standard Agreement