Business Practice Commitments. As further consideration for the settlement and releases provided herein, Shift Digital agrees to take reasonable measures to further secure personal information within its custody and control and to maintain such measures already taken. Specifically, Shift Digital agrees that it has or will implement the following: (1) ensure that the default setting for all Microsoft Azure data storage containers is private; (2) conduct frequent enterprise-wide automated scans across its cloud computing platform to confirm that the access settings of all data storage containers are correct; (3) conduct periodic manual reviews of all Microsoft Azure data storage containers to ensure they are set to the correct access settings; (4) maintain role-based security protocols that limit permission to create Microsoft Azure data storage containers to a small number of designated users; (5) encrypt all application data within its control in Microsoft Azure at-rest and in-transit; (6) use Microsoft Azure Security Center tools, such as constant vulnerability scans, to proactively monitor security threats; (7) conduct annual third-party penetration testing of its applications and address any vulnerabilities as appropriate; (8) commission annual third-party assessments of its security programs and practices and update its programs and practices to address threats and vulnerabilities; (9) engage an outside service provider for Virtual Chief Information Security Officer Services and work to build a dedicated data security team; and (10) further develop and formalize its data classification protocols, risk management operations, and incident response procedures.
Business Practice Commitments. 70. 23andMe, at its sole and separate expense, shall certify that it has adopted, paid for, and implemented and intends to maintain the following Business Practice Commitments related to information security to safeguard current users’ and Settlement Class Members’ Personal Information. The cost of the measures in this Section will not be paid from the Qualified Settlement Fund.
Business Practice Commitments. Metromile endeavors to take reasonable steps to secure personal information within its platform, including its online car insurance application process (“Online Quote Flow”). As part of those efforts, Metromile agrees that it has taken or will take the following measures (or measures that are better protective of customer data security). Metromile is responsible for all costs associated with implementing and maintaining these Business Practice Commitments, which costs are separate and apart from the Settlement Fund.
1) Set up mechanisms to block suspicious website traffic, including by configuring Metromile’s firewalls to block traffic from IP addresses exhibiting suspicious traffic patterns (e.g., abnormally repetitive quote requests from the same IP address).
2) Implement reCAPTCHA logging to block automated use of the Online Quote Flow.
3) Engage a third-party security auditor/penetration tester as well as internal security personnel to conduct penetration tests and audits on Metromile’s systems on a periodic basis, and address any problems or issues detected thereby on a risk-prioritized basis.
4) Periodically audit, test, and train Metromile’s security personnel regarding new or modified procedures corresponding with their job responsibilities.
5) Implement reasonably appropriate data segmentation by creating firewalls and access controls.
6) Conduct periodic computer system scanning and security checks.
7) Conduct periodic internal training and education to inform Metromile employees about the company’s security practices.
8) Protect endpoints with anti-malware software and local firewalls.
The requirements of this ¶ 2.6 shall remain in place for three (3) years following the date the court approves the settlement.
Business Practice Commitments. Defendant will provide a confidential declaration to Settlement Class Counsel describing its information security improvements since the Security Incident and estimating the cost of those improvements. The cost of such improvements will be paid by Defendant separate and apart from all other settlement benefits.
Business Practice Commitments. For a period of 3 years following the execution of a formal settlement agreement, Defendant commits to pay for, implement and continue certain data-security enhancements and business practices. Due to their confidential and sensitive nature, those enhancements and practices are not being publicly disclosed herein but have been shared with Plaintiff’s Counsel, who agrees to maintain the confidentiality of that information. Nothing in this provision prohibits Order Express from changing vendors for the identified business practices so long as a comparable product/service is maintained. Defendant agrees to provide a declaration detailing its business practice changes implemented after the Ransomware Attack.
Business Practice Commitments. 4.8.1 As additional consideration for the Dismissal and Release of Claims, Premera covenants, warrants, and agrees to provide equitable injunctive relief in the form described in Exhibit A to this Settlement Agreement. The obligations set forth in Exhibit A shall terminate three (3) years from the date of the execution of this Agreement, unless otherwise specified in Exhibit A.
4.8.2 The Settling Parties agree that plaintiffs and Class Counsel were a catalyst in causing Premera to undertake remedial measures it will or has already undertaken. Included in this Agreement, as negotiated between the Settling Parties, are minimum budgetary requirements for Premera until 2022, which are contractually mandated by this Agreement. Premera agrees that the difference between its yearly 2012-2014 security budgets and its contractually agreed budgets of $14 million per year from 2019 through 2022 under Exhibit A is at least equal to the cost of implementing and maintaining the obligations set forth in Exhibit A. Plaintiffs have retained an expert who has placed a value on the proposed injunctive relief. Premera neither challenges nor accepts that valuation, but agrees that the security remediation measures obtained by plaintiffs are of substantial value to the Settlement Class.
Business Practice Commitments. 71. Business Practice Commitments. RadNet agrees to adopt and implement certain business practice commitments described below (“Business Practice Commitments”) for a period of at least three (3) years following the Effective Date. These Business Practice Commitments are specific business practice commitments and remedial measures and are described as follows:
1.1 RadNet, having engaged a third-party cybersecurity consultant, agrees to adopt and implement certain business practices and remedial measures set forth below (“Business Practice Commitments”) for a period of three (3) years following the Effective Date. These Business Practice Commitments are specific commitments and remedial measures designed to include continuous threat assessment processes to maintain RadNet’s security posture, and to provide protection against threats now and in the future, specifically with respect to current and former employee and job applicant PII, and include the following:
a. Endpoint protection: Ensure implementation of endpoint security measures, including appropriate implementation of endpoint security applications, patching mechanisms, logging and alerting.
Business Practice Commitments. Albertsons agrees to adopt, implement, and/or continue the following business practices set forth below (“Business Practice Commitments”) through December 31, 2025, subject to the terms and conditions of this Section:
Revise communications protocols and requirements
Enhance contracts and notification requirements for third-party vendors
Strengthen associate education and awareness campaigns
Deploy and configure modern machine-learning based email protection
Maintain endpoint protection for Windows, Linux and critical assets
Maintain security controls around identity management services
Migrate sensitive edge data from non-centralized file servers to cloud
Maturing of data security practices
The Parties acknowledge that technical and business requirements for securing information evolve and change dynamically. In the event that technological or industry developments, or intervening changes in law, business practices, or business structure, render specific Business Practice Commitments obsolete or make compliance by Albertsons with them unreasonable, unnecessary, or impractical, Albertsons may modify its business practices as necessary to ensure appropriate data security practices are being followed. All costs associated with implementing the Business Practice Commitments will be borne by Albertsons separate and apart from the Settlement Fund. Within thirty (30) days of the execution of this Settlement Agreement, Albertsons agrees to provide a confidential, non-public declaration, which is to be treated as attorneys’ eyes only, providing additional detail regarding the Business Practice Commitments set forth above. Albertsons will also include in that non-public, confidential declaration information about its use of multi-factor authentication.
Within fourteen (14) days of the execution of this Settlement Agreement, Albertsons agrees to provide to Plaintiffs’ counsel the estimated cost of implementing the Business Practice Commitments identified above.
Business Practice Commitments. Artech, having engaged a third-party cybersecurity consultant, agrees to adopt, implement, and/or continue certain business practices set forth below (“Business Practice Commitments”) for a period of at least three (3) years following the Effective Date. These Business Practice Commitments are designed to maintain Artech’s security posture, and to provide protection against threats now and in the future, specifically with respect to current and former employee and job applicant Personal Information, and include the following:
a. Defendant has conducted baseline penetration testing through a well-established third-party IT security vendor, and will continue to conduct substantially-equivalent penetration testing at least annually. Defendant has included sufficient funds in its IT security budget to accomplish annual penetration testing as outlined in this subparagraph for 2021, and will reauthorize sufficient funds in its IT budget for each subsequent year through 2024 to utilize the same or any comparably-priced improved testing technology as may be available.
b. Defendant shall continue to ensure that anti-malware software resides on all its servers, and that its VPN appliance is updated as soon as practicable after security updates become available, but in no instance less often than monthly.
c. Defendant is implementing a company-wide encryption protocol wherein all Personal Information is segregated by its employees and encrypted daily.
d. Defendant is testing its IT security for NIST compliance, and has achieved compliance with many NIST requirements, with the remainder to be addressed through SIEM software. Defendant will provide a declaration or certification of such compliance on or before December 21, 2022.
e. Defendant is currently evaluating several Security Information and Event Management (“SIEM”) software options, and shall deploy SIEM software on or before December 31, 2022.
f. Defendant currently provides IT security and Personal Information training to all of its personnel during onboarding, and on a quarterly basis thereafter, which will continue. This training includes directions about how to handle suspicious communications and documents, and encourages personnel to report any concerns about Defendant’s information security systems.
g. Defendant has developed and implemented a formal written Personal Information policy, which it will continue to maintain with appropriate updates.
h. Defendant is developing a suite of testing and auditi...
Business Practice Commitments. CPK, having engaged a third-party cybersecurity consultant that provided forensics, recovery, and remediation following the Data Security Incident, agrees to maintain certain recently implemented business practices and remedial measures as set forth below (“Business Practice Commitments”) for a period of three (3) years following the Effective Date. These Business Practice Commitments are specific commitments and remedial measures designed to include continuous threat assessment processes to maintain CPK’s security posture, and to provide protection against threats now and in the future, specifically with respect to the personally identifiable information of current and former employees, and include the following:
(a) Endpoint protection: Ensure implementation of endpoint security measures, including appropriate implementation of endpoint security applications, patching mechanisms, logging and alerting.
(b) Enhanced password protection. Require users to employ more complex account passwords, and to change those passwords on a regular basis.
(c) Multi-factor authentication. Require multi-factor authentication in order to gain external access to email servers or systems located on CPK’s networks.
(d) Cybersecurity training and awareness program: Enhanced internal training and education for all employees in order to better enable them to identify potential security threats.
The Parties acknowledge that technical requirements for securing information evolve and change dynamically. In the event that technological or industry developments, or intervening changes in law or business practices, render specific Business Practice Commitments obsolete or make compliance by CPK with them unreasonable or technically impractical, CPK may modify its business practices as necessary to ensure appropriate security practices are being followed. All costs associated with implementing the Business Practice Commitments will be borne by CPK separate and apart from the relief afforded to Settlement Class members.