Common use of D ata Breach Clause in Contracts

D ata Breach. In the event that Student Data is known to Provider as having been accessed or obtained by an unauthorized individual, Provider shall provide notification to LEA promptly following discovery of the incident. Provider shall follow the following process: a. The security breach notification shall be written in plain language, shall be titled “Notice of Data Breach,” and shall present the information described b. The security breach notification described above in section 2(a) shall include, at a minimum, the following information, if known: i. The name and contact information of the reporting Provider subject to this section. ii. A list of the types of Student Data that were or are reasonably believed to have been the subject of a breach. iii. If the information is possible to determine at the time the notice is provided, then either (1) the date of the breach, (2) the estimated date of the breach, or (3) the date range within which the breach occurred. The notification shall also include the date of the notice. iv. Whether the notification was delayed as a result of a law enforcement investigation and the law enforcement agency determined that notification would impede a criminal investigation. v. A general description of the breach incident, if that information is possible to determine at the time the notice is provided. c. At LEA’s request, the security breach notification from Provider to LEA may also include any of the following: i. Information about what the Provider has done to protect individuals whose information has been breached. d. Provider agrees to adhere to all requirements in applicable state and federal law with respect to a data breach related to the Student Data, including, when appropriate or required, the required responsibilities and procedures for notification and mitigation of any such data breach. e. Provider further acknowledges and agrees to have a written incident response plan that reflects industry standard practices and is consistent with industry standards and federal and state law for responding to a data breach, breach of security, privacy incident or unauthorized acquisition or use of Student Data or any portion thereof, including personally identifiable information and agrees to provide LEA, upon request, with a summary copy of said written incident response plan. f. In the context of a Data Breach, Provider is prohibited from directly contacting parent, legal guardian or eligible student unless expressly requested by LEA, unless otherwise required by law. If LEA requests Provider’s assistance providing notice of unauthorized access, and such assistance is not unduly burdensome to Provider . To the extent any public notice or notification to parents, legal guardians or other third parties mentions Provider by name, Provider shall have the right to review and approve such communications g. In the event of a breach originating from LEA’s use of the Service, Provider shall

D ata Breach. In the event that of an unauthorized release, disclosure or acquisition of Student Data is known to that compromises the security, confidentiality or integrity of the Student Data maintained by the Provider as having been accessed or obtained by an unauthorized individual, the Provider shall provide notification to LEA promptly without undue delay (and in any event within the time period required by applicable law) following discovery the confirmation of the incident, unless notification within this time limit would disrupt investigation of the incident by law enforcement. In such an event, notification shall be made within a reasonable time after the incident. Provider shall follow the following process: a. The security breach notification shall be written in plain language, shall be titled “Notice of Data Breach,” and shall present the information described b. (1) The security breach notification described above in section 2(a) shall include, at a minimum, the following information, if knowninformation to the extent known by the Provider and as it becomes available: i. The name and contact information of the reporting Provider LEA subject to this section. ii. A list of the types of Student Data personal information that were or are reasonably believed to have been the subject of a breach. iii. If the information is possible to determine at the time the notice is provided, then either either (1) the date of the breach, (2) the estimated date of the breach, or (3) the date range within which the breach occurred. The notification shall also include the date of the notice. iv. Whether the notification was delayed as a result of a law enforcement investigation and investigation, if that information is possible to determine at the law enforcement agency determined that notification would impede a criminal investigation.time the notice is provided; and v. A general description of the breach incident, if that information is possible to determine at the time the notice is provided. c. At LEA’s request, the security breach notification from Provider to LEA may also include any of the following: i. Information about what the Provider has done to protect individuals whose information has been breached. d. (2) Provider agrees to adhere to all federal and state requirements in applicable state and federal law with respect to a data breach related to the Student Data, including, when appropriate or required, the required responsibilities and procedures for notification and mitigation of any such data breach. e. (3) Provider further acknowledges and agrees to have a written incident response plan that reflects industry standard best practices and is consistent with industry standards and federal and state law for responding to a data breach, breach of security, privacy incident or unauthorized acquisition or use of Student Data or any portion thereof, including personally identifiable information and agrees to provide LEA, upon request, with a summary copy of said written incident response plan. f. In (4) LEA shall provide notice and facts surrounding the context of a Data Breachbreach to the affected students, Provider is prohibited from directly contacting parent, legal guardian parents or eligible student unless expressly requested by LEA, unless otherwise required by law. If LEA requests Provider’s assistance providing notice of unauthorized access, and such assistance is not unduly burdensome to Provider . To the extent any public notice or notification to parents, legal guardians or other third parties mentions Provider by name, Provider shall have the right to review and approve such communicationsguardians. g. (5) In the event of a breach originating from LEA’s use of the Service, Provider shallshall cooperate with LEA to the extent necessary to expeditiously secure Student Data.

D ata Breach. In the event that Student Data is known to Provider as having been accessed or obtained by an unauthorized individual, Provider shall provide notification to LEA promptly following discovery within a reasonable amount of time of the incident, and not exceeding forty eight (48) hours. Provider shall follow the following process: a. The security breach notification shall be written in plain language, shall be titled “Notice of Data Breach,” and shall present the information describeddescribed herein under the following headings: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.” Additional information may be provided as a supplement to the notice. b. The security breach notification described above in section 2(a) shall include, at a minimum, the following information, if known: i. The name and contact information of the reporting Provider LEA subject to this section. ii. A list of the types of Student Data personal information that were or are reasonably believed to have been the subject of a breach. iii. If the information is possible to determine at the time the notice is provided, then either (1) the date of the breach, (2) the estimated date of the breach, or (3) the date range within which the breach occurred. The notification shall also include the date of the notice. iv. Whether the notification was delayed as a result of a law enforcement investigation and investigation, if that information is possible to determine at the law enforcement agency determined that notification would impede a criminal investigationtime the notice is provided. v. A general description of the breach incident, if that information is possible to determine at the time the notice is provided. c. At LEA’s requestdiscretion, the security breach notification from Provider to LEA may also include any of the following: i. Information about what the Provider agency has done to protect individuals whose information has been breached. ii. Advice on steps that the person whose information has been breached may take to protect himself or herself. d. Provider agrees to adhere to all requirements in applicable state State and in federal law with respect to a data breach related to the Student Data, including, when appropriate or required, the required responsibilities and procedures for notification and mitigation of any such data breach. e. Provider further acknowledges and agrees to have a written incident response plan that reflects industry standard best practices and is consistent with industry standards and federal and state law for responding to a data breach, breach of security, privacy incident or unauthorized acquisition or use of Student Data or any portion thereof, including personally identifiable information and agrees to provide LEA, upon request, with a summary copy of said written incident response plan. f. In the context of a Data Breach, Provider is prohibited from directly contacting parent, legal guardian or eligible student pupil unless expressly requested by LEA, unless otherwise required by law. If LEA requests Provider’s assistance providing notice of unauthorized access, and such assistance is not unduly burdensome to Provider . To the extent any public notice or notification to parents, legal guardians or other third parties mentions Provider by nameProvider, Provider shall have notify the right affected parent, legal guardian or eligible pupil of the unauthorized access, which shall include the information listed in subsections (b) and (c), above. If requested by LEA, Provider shall reimburse LEA for costs incurred to review and approve such communicationsnotify parents/families of a breach not originating from LEA's use of the Service. g. In the event of a breach originating from LEA’s use of the Service, Provider shallshall cooperate with LEA to the extent necessary to expeditiously secure Student Data. ARTICLE VI- GENERAL OFFER OF PRIVACY TERMS

D ata Breach. In the event that of an unauthorized release, disclosure or acquisition of Student Data is known to that compromises the security, confidentiality or integrity of the Student Data maintained by the Provider as having been accessed or obtained by an unauthorized individual, the Provider shall provide notification to LEA promptly following discovery within s eventy-two (72) hoursthirty (30) business days’ of confirmation of the incident, unless notification within this time limit would disrupt investigation of the incident by law enforcement. In such an event, notification shall be made within a reasonable time after the incident. Provider shall follow the following process: a. The security breach notification shall be written in plain language, shall be titled “Notice of Data Breach,” and shall present the information described b. (1) The security breach notification described above in section 2(a) shall include, at a minimum, the following information, if knowninformation to the extent known by the Provider and as it becomes available: i. The name and contact information of the reporting Provider LEA subject to this section. ii. A list of the types of Student Data personal information that were or are reasonably believed to have been the subject of a breach. iii. If the information is possible to determine at the time the notice is provided, then either (1) the date of the breach, (2) the estimated date of the breach, or (3) the date range within which the breach occurred. The notification shall also include the date of the notice. iv. Whether the notification was delayed as a result of a law enforcement investigation and investigation, if that information is possible to determine at the law enforcement agency determined that notification would impede a criminal investigation.time the notice is provided; and v. A general description of the breach incident, if that information is possible to determine at the time the notice is provided. c. At LEA’s request, the security breach notification from Provider to LEA may also include any of the following: i. Information about what the Provider has done to protect individuals whose information has been breached. d. (2) Provider agrees to adhere to all federal and state requirements in applicable state and federal law with respect to a data breach related to the Student Data, including, when appropriate or required, the required responsibilities and procedures for notification and mitigation of any such data breach.required e. (3) Provider further acknowledges and agrees to have a written incident response plan that reflects industry standard best practices and is consistent with industry standards and federal and state law for responding to a data breach, breach of security, privacy incident or unauthorized acquisition or use of Student Data or any portion thereof, including personally identifiable information and agrees to provide LEA, upon request, with a summary copy of said written incident response plan. f. In (4) LEA shall provide notice and facts surrounding the context of a Data Breachbreach to the affected students, Provider is prohibited from directly contacting parent, legal guardian parents or eligible student unless expressly requested by LEA, unless otherwise required by law. If LEA requests Provider’s assistance providing notice of unauthorized access, and such assistance is not unduly burdensome to Provider . To the extent any public notice or notification to parents, legal guardians or other third parties mentions Provider by name, Provider shall have the right to review and approve such communicationsguardians. g. (5) In the event of a breach originating from LEA’s use of the Service, Provider shallshall cooperate with LEA to the extent necessary to expeditiously secure Student Data.

D ata Breach. In the event that Student Data is known to Provider as having been accessed or obtained by an unauthorized individual, Provider shall provide notification to LEA promptly following discovery as soon as practicable and no later than within ten (10) days of the incident. Provider shall follow the following process: a. The security breach notification shall be written in plain language, shall be titled “Notice of Data Breach,” and shall present the information describedtitled b. The security breach notification described above in section 2(a) shall include, at a minimum, the following information, if known: i. The name and contact information of the reporting Provider LEA subject to this section. ii. A list of the types of Student Data personal information that were or are reasonably believed to have been the subject of a breach. iii. If the information is possible to determine at the time the notice is provided, then either (1) the date of the breach, (2) the estimated date of the breach, or (3) the date range within which the breach occurred. The notification shall also include the date of the notice. iv. Whether the notification was delayed as a result of a law enforcement investigation and investigation, if that information is possible to determine at the law enforcement agency determined that notification would impede a criminal investigationtime the notice is provided. v. A general description of the breach incident, if that information is possible to determine at the time the notice is provided. vi. The estimated number of students and teachers affected by the breach, if any. c. At LEA’s request, the security breach notification from Provider to LEA may also include any of the following: i. Information about what the Provider agency has done to protect individuals whose information has been breached. ii. Advice on steps that the person whose information has been breached may take to protect himself or herself. d. Provider agrees to adhere to all requirements in applicable state the New Hampshire Data Breach law and in federal law with respect to a data breach related to the Student Data, including, when appropriate or required, the required responsibilities and procedures for notification and mitigation of any such data breach. e. Provider further acknowledges and agrees to have a written incident response plan that reflects industry standard best practices and is consistent with industry standards and federal and state law for responding to a data breach, breach of security, privacy incident or unauthorized acquisition or use of Student Data or any portion thereof, including personally identifiable information and agrees to provide LEA, upon request, with a summary copy of said written incident response plan.unauthorized f. In At the context request and with the assistance of a Data Breachthe District, Provider is prohibited from directly contacting shall notify the affected parent, legal guardian or eligible student unless expressly requested by LEA, unless otherwise required by law. If LEA requests Provider’s assistance providing notice pupil of the unauthorized access, which shall include the information listed in subsections (b) and such assistance is not unduly burdensome to Provider (c), above. 1. To the extent any public notice or notification to parents, legal guardians or other third parties mentions Provider by name, Provider shall have the right to review and approve such communications g. In the event of a breach originating from LEA’s use of the Service, Provider shallT

D ata Breach. In the event that Student Data is known to Provider as having been accessed or obtained by an unauthorized individual, Provider shall provide notification to LEA promptly following discovery within ten (10) days of the incident. Provider shall follow the following process:: following a. The security breach notification shall be written in plain language, shall be titled “Notice of Data Breach,” and shall present provided as a supplement to the information describednotice. b. The security breach notification described above in section 2(a) shall include, at a minimum, the following information, if known: i. The name and contact information of the reporting Provider LEA subject to this section. ii. A list of the types of Student Data personal information that were or are reasonably believed to have been the subject of a breach. iii. If the information is possible to determine at the time the notice is provided, then either (1) the date of the breach, (2) the estimated date of the breach, or (3) the date range within which the breach occurred. The notification shall also include the date of the notice. iv. Whether the notification was delayed as a result of a law enforcement investigation and investigation, if that information is possible to determine at the law enforcement agency determined that notification would impede a criminal investigationtime the notice is provided. v. A general description of the breach incident, if that information is possible to determine at the time the notice is provided. c. At LEA’s request, the security breach notification from Provider to LEA may also include any of the following: i. Information about what the Provider agency has done to protect individuals whose information has been breached. ii. Advice on steps that the person whose information has been breached may take to protect himself or herself. d. Provider agrees to adhere to all requirements in applicable state the Massachusetts Data Breach law and in federal law with respect to a data breach related to the Student Data, including, when appropriate or required, the required responsibilities and procedures for notification and mitigation of any such data breach. e. Provider further acknowledges and agrees to have a written incident response plan that reflects industry standard best practices and is consistent with industry standards and federal and state law for responding to a data breach, breach of security, privacy incident or unauthorized acquisition or use of Student Data or any portion thereof, including personally identifiable information and agrees to provide LEA, upon request, with a summary copy of said written incident response plan. f. In At the context request and with the assistance of a Data Breachthe District, Provider is prohibited from directly contacting shall notify the affected parent, legal guardian or eligible student unless expressly requested by LEA, unless otherwise required by law. If LEA requests Provider’s assistance providing notice pupil of the unauthorized access, which shall include the information listed in subsections (b) and such assistance is not unduly burdensome to Provider (c), above. 1. To the extent any public notice or notification to parents, legal guardians or other third parties mentions Provider by name, Provider shall have the right to review and approve such communications g. In the event of a breach originating from LEA’s use of the Service, Provider shallT