Common use of Data Breach; Loss of City Data Clause in Contracts

Data Breach; Loss of City Data. In the event of any Data Breach, act, SaaS Software Error, omission, negligence, misconduct, or breach that compromises or is suspected to compromise the security, confidentiality, or integrity of City Data or the physical, technical, administrative, or organizational safeguards put in place by Contractor that relate to the protection of the security, confidentiality, or integrity of City Data, Contractor shall, as applicable: (a) Notify City immediately following discovery, but no later than twenty-four (24) hours, of becoming aware of such occurrence or suspected occurrence. Contractor’s report shall identify: (i) the nature of the unauthorized access, use or disclosure; (ii) the Confidential Information accessed, used or disclosed; (iii) the person(s) who accessed, used, disclosed and/or received protected information (if known); (iv) what Contractor has done or will do to mitigate any deleterious effect of the unauthorized access, use or disclosure, and (v) what corrective action Contractor has taken or will take to prevent future unauthorized access, use or disclosure. (b) In the event of a suspected Breach, Contractor shall keep the City informed regularly of the progress of its investigation until the uncertainty is resolved; (c) Contractor shall coordinate with the City in its breach response activities including without limitation: (i) Immediately preserve any potential forensic evidence relating to the breach, and remedy the breach as quickly as circumstances permit; (ii) Promptly (within 2 business days) designate a contact person to whom the City will direct inquiries, and who will communicate Contractor responses to City inquiries; (iii) As rapidly as circumstances permit, apply appropriate resources to remedy the breach condition, investigate, document, restore City service(s) as directed by the City, and undertake appropriate response activities; (iv) Provide status reports to the City on Data Breach response activities, either on a daily basis or a frequency approved by the City; (v) Make all reasonable efforts to assist and cooperate with the City in its Breach response efforts; (vi) Ensure that knowledgeable Contractor staff are available on short notice, if needed, to participate in City-initiated meetings and/or conference calls regarding the Breach; and (vii) Cooperate with City in investigating the occurrence, including making available all relevant records, logs, files, data reporting, and other materials required to comply with applicable law or as otherwise required by City. (d) In the case of personally identifiable information (PII) or protected health information (PHI), at City’s sole election, (a) notify the affected individuals as soon as practicable but no later than is required to comply with applicable law, or, in the absence of any legally required notification period, within five (5) calendar days of the occurrence; or, (b) reimburse City for any costs in notifying the affected individuals; (e) In the case of PII, provide third-party credit and identity monitoring services to each of the affected individuals who comprise the PII for the period required to comply with applicable law, or, in the absence of any legally required monitoring services, for no fewer than twenty-four (24) months following the date of notification to such individuals; (f) Perform or take any other actions required to comply with applicable law as a result of the occurrence; (g) Recreate lost City Data in the manner and on the schedule set by City without charge to City; and (h) Provide to City a detailed plan within ten (10) calendar days of the occurrence describing the measures Contractor will undertake to prevent a future occurrence. (i) Notification to affected individuals, as described above, shall comply with applicable law, be written in plain language, and contain (at the City’s election) information that may include: name and contact information of Contractor’s (or City’s) representative; a description of the nature of the loss; a list of the types of data involved; the known or approximate date of the loss; how such loss may affect the affected individual; what steps Contractor has taken to protect the affected individual; what steps the affected individual can take to protect himself or herself; contact information for major credit card reporting agencies; and, information regarding the credit and identity monitoring services to be provided by Contractor. (j) Contractor shall retain and preserve City Data in accordance with the City’s instruction and requests, including without limitation any retention schedules and/or litigation hold orders provided by the City to Contractor, independent of where the City Data is stored. (k) City shall conduct all media communications related to such Data Breach, unless in its sole discretion, City directs Contractor to do so.

Data Breach; Loss of City Data. In the event of any Data Breach, act, SaaS Software Errorerror, omission, negligence, misconduct, or breach that compromises or is suspected to compromise the security, confidentiality, or integrity of City Data or the physical, technical, administrative, or organizational safeguards put in place by Contractor that relate to the protection of the security, confidentiality, or integrity of City Data, Contractor shall, as applicable: (a) Notify City immediately following discovery, but no later than twenty-four (24) hours, of becoming aware of such occurrence or suspected occurrence. Contractor’s report shall identify: (i) the nature of the unauthorized access, use or disclosure; (ii) the Confidential Information accessed, used or disclosed; (iii) the person(s) who accessed, used, used and disclosed and/or received protected information (if known); (iv) what Contractor has done or will do to mitigate any deleterious effect of the unauthorized access, use or disclosure, and (v) what corrective action Contractor has taken or will take to prevent future unauthorized access, use or disclosure. (b) In the event of a suspected Breach, Contractor shall keep the City informed regularly of the progress of its investigation until the uncertainty is resolved; (c) Contractor shall coordinate with the City in its breach response activities including without limitation: (i) Immediately preserve any potential forensic evidence relating to the breach, and remedy the breach as quickly as circumstances permit; (ii) Promptly (within 2 business days) designate a contact person to whom the City will direct inquiries, and who will communicate Contractor responses to City inquiries; (iii) As rapidly as circumstances permit, apply appropriate resources to remedy the breach condition, investigate, document, restore City service(s) as directed by the City, and undertake appropriate response activities; (iv) Provide status reports to the City on Data Breach response activities, either on a daily basis or a frequency approved by the City; (v) Make all reasonable efforts to assist and cooperate with the City in its Breach response efforts; (vi) Ensure that knowledgeable Contractor staff are available on short notice, if needed, to participate in City-initiated meetings and/or conference calls regarding the Breach; and (vii) Cooperate with City in investigating the occurrence, including making available all relevant records, logs, files, data reporting, and other materials required to comply with applicable law or as otherwise required by City. (d) In the case of personally identifiable information (PII) or protected health information (PHI), at City’s sole election, (a) notify the affected individuals as soon as practicable but no later than is required to comply with applicable law, or, in the absence of any legally required notification period, within five (5) calendar days of the occurrence; or, (b) reimburse City for any costs in notifying the affected individuals; (e) In the case of PII, provide third-party credit and identity monitoring services to each of the affected individuals who comprise the PII for the period required to comply with applicable law, or, in the absence of any legally required monitoring services, for no fewer than twenty-four eighteen (2418) months following the date of notification to such individuals; (f) Perform or take any other actions required to comply with applicable law as a result of the occurrence; (g) Without limiting Contractor’s obligations of indemnification as further described in this Agreement, indemnify, defend, and hold harmless City for any and all claims, including reasonable attorneys’ fees, costs, and expenses incidental thereto, which may be suffered by, accrued against, charged to, or recoverable from City in connection with the occurrence; (h) Recreate lost City Data in the manner and on the schedule set by City without charge to City; and (hi) Provide to City a detailed plan within ten (10) calendar days of the occurrence describing the measures Contractor will undertake to prevent a future occurrence. (ij) Notification to affected individuals, as described above, shall comply with applicable law, be written in plain language, and contain (at the City’s 's election) information that may include: name and contact information of Contractor’s (or City’s) representative; a description of the nature of the loss; a list of the types of data involved; the known or approximate date of the loss; how such loss may affect the affected individual; what steps Contractor has taken to protect the affected individual; what steps the affected individual can take to protect himself or herself; contact information for major credit card reporting agencies; and, information regarding the credit and identity monitoring services to be provided by Contractor. (jk) Contractor shall retain and preserve City Data in accordance with the City’s instruction and requests, including without limitation any retention schedules and/or litigation hold orders provided by the City to Contractor, independent of where the City Data is stored. (kl) City shall conduct all media communications communications, unless at its sole discretion directs Contractor to do so, related to such Data Breach, unless in its sole discretion, City directs Contractor to do so.

Data Breach; Loss of City Data. In the event of any Data Breach, act, SaaS Software Error, omission, negligence, misconduct, or breach that compromises or is suspected to compromise the security, confidentiality, or integrity of City Data or the physical, technical, administrative, or organizational safeguards put in place by Contractor that relate to the protection of the security, confidentiality, or integrity of City Data, Contractor shall, as applicable: (a) Notify City immediately following discovery, but no later than twenty-four (24) 24 hours, of becoming aware of such occurrence or suspected occurrence. Contractor’s report shall identify: (i) the nature of the unauthorized access, use or disclosure; (ii) the Confidential Information accessed, used or disclosed; (iii) the person(s) who accessed, used, disclosed and/or received protected information (if known); (iv) what Contractor has done or will do to mitigate any deleterious effect of the unauthorized access, use or disclosure, and (v) what corrective action Contractor has taken or will take to prevent future unauthorized access, use or disclosure. (b) In the event of a suspected Breach, Contractor shall keep the City informed regularly of the progress of its investigation until the uncertainty is resolved; (c) Contractor shall coordinate with the City in its breach response activities including activities, including, without limitation: (i) Immediately preserve any potential forensic evidence relating to the breach, and remedy the breach as quickly as circumstances permit; (ii) Promptly (within 2 two business days) designate a contact person to whom the City will direct inquiries, and who will communicate Contractor responses to City inquiries; (iii) As rapidly as circumstances permit, apply appropriate resources to remedy the breach condition, investigate, document, and restore City service(s) as directed by the City, ; and undertake appropriate response activities; (iv) Provide status reports to the City on Data Breach response activities, either on a daily basis or a frequency approved by the City; (v) Make all reasonable efforts to assist and cooperate with the City in its Data Breach response efforts; (vi) Ensure that knowledgeable Contractor staff are available on short notice, if needed, to participate in City-initiated meetings and/or conference calls regarding the Breach; and (vii) Cooperate with City in investigating the occurrence, including making available all relevant records, logs, files, data reporting, and other materials required to comply with applicable law or as otherwise required by City. (d) In the case of personally identifiable information (PII) or protected health information (PHI), at City’s sole election, (a) notify the affected individuals as soon as practicable practicable, but no later than is required to comply with applicable law, or, in the absence of any legally required notification period, within five (5) calendar days Days of the occurrence; or, or (b) reimburse City for any costs in notifying the affected individuals; (e) In the case of PII, provide third-party credit and identity monitoring services to each of the affected individuals who comprise the PII for the period required to comply with applicable law, or, in the absence of any legally required monitoring services, for no fewer than twenty-four (24) 18 months following the date of notification to such individuals; (f) Perform or take any other actions required to comply with applicable law as a result of the occurrence; (g) Without limiting Contractor’s obligations of indemnification as described in Article 5 of this Agreement, indemnify, defend, and hold harmless City for any and all claims, including reasonable attorneys’ fees, costs, and expenses incidental thereto, which may be suffered by, accrued against, charged to, or recoverable from City in connection with the occurrence; (h) Recreate lost City Data in the manner and on the schedule set by City without charge to City; and (hi) Provide to City a detailed plan within ten (10) calendar days 10 Days of the occurrence describing the measures Contractor will undertake to prevent a future occurrence. (ij) Notification to affected individuals, as described above, shall comply with applicable law, be written in plain language, and contain (at the City’s 's election) information that may include: name and contact information of Contractor’s (or City’s) representative; a description of the nature of the loss; a list of the types of data involved; the known or approximate date of the loss; how such loss may affect the affected individual; what steps Contractor has taken to protect the affected individual; what steps the affected individual can take to protect himself or herself; contact information for major credit card reporting agencies; and, information regarding the credit and identity monitoring services to be provided by Contractor. (jk) Contractor shall retain and preserve City Data in accordance with the City’s instruction and requests, including including, without limitation limitation, any retention schedules and/or litigation hold orders provided by the City to Contractor, independent of where the City Data is stored. (kl) City shall conduct all media communications related to such Data Breach, unless in its sole discretion, City directs Contractor to do so.

Data Breach; Loss of City Data. In the event that Contractor experiences a Security Incident while City is in the Private Tenant Phase only, Contractor shall provide City with notice within 24 hours of discovery of the Security Incident. In the event of any Data Breach, act, SaaS Software Error, omission, negligence, misconduct, or breach Breach that compromises or is suspected to compromise the security, confidentiality, security or integrity of City Data while City is in either the Private Tenant or the physical, technical, administrative, or organizational safeguards put in place by Contractor that relate to the protection of the security, confidentiality, or integrity of City DataShared Tenant Phase, Contractor shall, as applicable: (a) 9.11.1 Notify City immediately following discovery, but no later than twenty-four forty- eight (2448) hours, of becoming aware of such occurrence or suspected occurrence. Contractor’s report shall identify: (i) the nature of the unauthorized accessevent, use or disclosure; (ii) the Confidential Information information accessed, used or disclosed; (iii) the person(s) who accessed, used, used and disclosed and/or received protected information (if known); (iv) what Contractor has done or will do to mitigate any deleterious effect of the unauthorized access, use or disclosure, and (v) what corrective action Contractor has taken or will take to prevent future unauthorized access, use or disclosure.. SAMPLE (b) In the event of a suspected Breach, Contractor shall keep the City informed regularly of the progress of its investigation until the uncertainty is resolved; (c) Contractor shall coordinate 9.11.2 Coordinate with the City in its breach response activities including without limitation: (i) Immediately preserve any potential forensic evidence relating to the breach, and remedy the breach as quickly as circumstances permit; (ii) Promptly (within 2 5 business days) designate a contact person to whom the City will direct inquiries, and who will communicate Contractor responses to City inquiries; (iii) As rapidly as circumstances permit, apply appropriate resources to remedy the breach condition, investigate, document, restore City service(s) as directed by the City, and undertake appropriate response activities; (iv) Provide status reports to the City on Data Breach response activities, either on a daily basis or a frequency approved by the City; (v) Make all reasonable efforts to assist and cooperate with the City in its Data Breach response efforts; (vi) Ensure that knowledgeable Contractor staff are available on short notice, if needed, to participate in City-initiated meetings and/or conference calls regarding the Data Breach; and (vii) Cooperate with City in investigating the occurrence, including making available all relevant records, logs, files, data reporting, and other materials as it relates to City’s Data only, required to comply with applicable law or as otherwise required by City. (d) In the case of personally identifiable information (PII) or protected health information (PHI), at City’s sole election, (a) notify the affected individuals as soon as practicable but no later than is required to comply with applicable law, or, in the absence of any legally required notification period, within five (5) calendar days of the occurrence; or, (b) reimburse City for any costs in notifying the affected individuals; (e) In the case of PII, provide third-party credit and identity monitoring services to each of the affected individuals who comprise the PII for the period required to comply with applicable law, or, in the absence of any legally required monitoring services, for no fewer than twenty-four (24) months following the date of notification to such individuals; (f) 9.11.3 Perform or take any other actions required to comply with applicable law as a result of the occurrence; (g) Recreate lost City Data 9.11.4 Provide DR or back-up data in the manner and on the schedule set by case of data loss to City without charge to City; and (h) 9.11.5 Provide to City a detailed plan within ten (10) calendar days of the occurrence describing the measures Contractor will undertake to prevent a future occurrence. (i) Notification to affected individuals, as described above, shall comply with applicable law, be written in plain language, and contain (at the City’s election) information that may include: name and contact information of Contractor’s (or City’s) representative; a description of the nature of the loss; a list of the types of data involved; the known or approximate date of the loss; how such loss may affect the affected individual; what steps Contractor has taken to protect the affected individual; what steps the affected individual can take to protect himself or herself; contact information for major credit card reporting agencies; and, information regarding the credit and identity monitoring services to be provided by Contractor. (j) Contractor shall retain and preserve City Data in accordance with the City’s instruction and requests, including without limitation any retention schedules and/or litigation hold orders provided by the City to Contractor, independent of where the City Data is stored. (k) City shall conduct all media communications related to such Data Breach, unless in its sole discretion, City directs Contractor to do so.

Data Breach; Loss of City Data. In the event that Contractor experiences a Security Incident while City is in the Private Tenant Phase only, Contractor shall provide City with notice within 24 hours of discovery of the Security Incident. In the event of any Data Breach, act, SaaS Software Error, omission, negligence, misconduct, or breach Breach that compromises or is suspected to compromise the security, confidentiality, security or integrity of City Data while City is in either the Private Tenant or the physical, technical, administrative, or organizational safeguards put in place by Contractor that relate to the protection of the security, confidentiality, or integrity of City DataShared Tenant Phase, Contractor shall, as applicable: (a) 9.11.1 Notify City immediately following discovery, but no later than twenty-four forty- eight (2448) hours, of becoming aware of such occurrence or suspected occurrence. Contractor’s report shall identify: (i) the nature of the unauthorized accessevent, use or disclosure; (ii) the Confidential Information information accessed, used or disclosed; (iii) the person(s) who accessed, used, used and disclosed and/or received protected information (if known); (iv) what Contractor has done or will do to mitigate any deleterious effect of the unauthorized access, use or disclosure, and (v) what corrective action Contractor has taken or will take to prevent future unauthorized access, use or disclosure. (b) In the event of a suspected Breach, Contractor shall keep the City informed regularly of the progress of its investigation until the uncertainty is resolved; (c) Contractor shall coordinate 9.11.2 Coordinate with the City in its breach response activities including without limitation: (i) Immediately preserve any potential forensic evidence relating to the breach, and remedy the breach as quickly as circumstances permit; (ii) Promptly (within 2 5 business days) designate a contact person to whom the City will direct inquiries, and who will communicate Contractor responses to City inquiries; (iii) As rapidly as circumstances permit, apply appropriate resources to remedy the breach condition, investigate, document, restore City service(s) as directed by the City, and undertake appropriate response activities; (iv) Provide status reports to the City on Data Breach response activities, either on a daily basis or a frequency approved by the City;; SAMPLE (v) Make all reasonable efforts to assist and cooperate with the City in its Data Breach response efforts; (vi) Ensure that knowledgeable Contractor staff are available on short notice, if needed, to participate in City-initiated meetings and/or conference calls regarding the Data Breach; and (vii) Cooperate with City in investigating the occurrence, including making available all relevant records, logs, files, data reporting, and other materials as it relates to City’s Data only, required to comply with applicable law or as otherwise required by City. (d) In the case of personally identifiable information (PII) or protected health information (PHI), at City’s sole election, (a) notify the affected individuals as soon as practicable but no later than is required to comply with applicable law, or, in the absence of any legally required notification period, within five (5) calendar days of the occurrence; or, (b) reimburse City for any costs in notifying the affected individuals; (e) In the case of PII, provide third-party credit and identity monitoring services to each of the affected individuals who comprise the PII for the period required to comply with applicable law, or, in the absence of any legally required monitoring services, for no fewer than twenty-four (24) months following the date of notification to such individuals; (f) 9.11.3 Perform or take any other actions required to comply with applicable law as a result of the occurrence; (g) Recreate lost City Data 9.11.4 Provide DR or back-up data in the manner and on the schedule set by case of data loss to City without charge to City; and (h) 9.11.5 Provide to City a detailed plan within ten (10) calendar days of the occurrence describing the measures Contractor will undertake to prevent a future occurrence. (i) Notification to affected individuals, as described above, shall comply with applicable law, be written in plain language, and contain (at the City’s election) information that may include: name and contact information of Contractor’s (or City’s) representative; a description of the nature of the loss; a list of the types of data involved; the known or approximate date of the loss; how such loss may affect the affected individual; what steps Contractor has taken to protect the affected individual; what steps the affected individual can take to protect himself or herself; contact information for major credit card reporting agencies; and, information regarding the credit and identity monitoring services to be provided by Contractor. (j) Contractor shall retain and preserve City Data in accordance with the City’s instruction and requests, including without limitation any retention schedules and/or litigation hold orders provided by the City to Contractor, independent of where the City Data is stored. (k) City shall conduct all media communications related to such Data Breach, unless in its sole discretion, City directs Contractor to do so.

Data Breach; Loss of City Data. In the event of any Data Breach, act, SaaS Software Error, omission, negligence, misconduct, or breach that compromises or is suspected to compromise the security, confidentiality, or integrity of City Data or the physical, technical, administrative, or organizational safeguards put in place by Contractor that relate to the protection of the security, confidentiality, or integrity of City Data, Contractor shall, as applicable: (a) : Notify City immediately following discovery, but no later than twenty-four (24) hours, of becoming aware of such occurrence or suspected occurrence. Contractor’s report shall identify: (i) : the nature of the unauthorized access, use or disclosure; (ii) ; the Confidential Information accessed, used or disclosed; (iii) ; the person(s) who accessed, used, disclosed and/or received protected information (if known); (iv) ; what Contractor has done or will do to mitigate any deleterious effect of the unauthorized access, use or disclosure, and (v) and what corrective action Contractor has taken or will take to prevent future unauthorized access, use or disclosure. (b) . In the event of a suspected Breach, Contractor shall keep the City informed regularly of the progress of its investigation until the uncertainty is resolved; (c) ; Contractor shall coordinate with the City in its breach response activities including without limitation: (i) : Immediately preserve any potential forensic evidence relating to the breach, and remedy the breach as quickly as circumstances permit; (ii) ; Promptly (within 2 business days) designate a contact person to whom the City will direct inquiries, and who will communicate Contractor responses to City inquiries; (iii) ; As rapidly as circumstances permit, apply appropriate resources to remedy the breach condition, investigate, document, restore City service(s) as directed by the City, and undertake appropriate response activities; (iv) ; Provide status reports to the City on Data Breach response activities, either on a daily basis or a frequency approved by the City; (v) ; Make all reasonable efforts to assist and cooperate with the City in its Breach response efforts; (vi) ; Ensure that knowledgeable Contractor staff are available on short notice, if needed, to participate in City-initiated meetings and/or conference calls regarding the Breach; and (vii) and Cooperate with City in investigating the occurrence, including making available all relevant records, logs, files, data reporting, and other materials required to comply with applicable law or as otherwise required by City. (d) . In the case of personally identifiable information (PII) or protected health information (PHI), at City’s sole election, (a) notify the affected individuals as soon as practicable but no later than is required to comply with applicable law, or, in the absence of any legally required notification period, within five (5) calendar days of the occurrence; or, (b) reimburse City for any costs in notifying the affected individuals; (e) ; In the case of PII, provide third-party credit and identity monitoring services to each of the affected individuals who comprise the PII for the period required to comply with applicable law, or, in the absence of any legally required monitoring services, for no fewer than twenty-four (24) months following the date of notification to such individuals; (f) ; Perform or take any other actions required to comply with applicable law as a result of the occurrence; (g) ; Recreate lost City Data in the manner and on the schedule set by City without charge to City; and (h) and Provide to City a detailed plan within ten (10) calendar days of the occurrence describing the measures Contractor will undertake to prevent a future occurrence. (i) . Notification to affected individuals, as described above, shall comply with applicable law, be written in plain language, and contain (at the City’s election) information that may include: name and contact information of Contractor’s (or City’s) representative; a description of the nature of the loss; a list of the types of data involved; the known or approximate date of the loss; how such loss may affect the affected individual; what steps Contractor has taken to protect the affected individual; what steps the affected individual can take to protect himself or herself; contact information for major credit card reporting agencies; and, information regarding the credit and identity monitoring services to be provided by Contractor. (j) . Contractor shall retain and preserve City Data in accordance with the City’s instruction and requests, including without limitation any retention schedules and/or litigation hold orders provided by the City to Contractor, independent of where the City Data is stored. (k) . City shall conduct all media communications related to such Data Breach, unless in its sole discretion, City directs Contractor to do so.

Data Breach; Loss of City Data. In the event of any Data Breach, act, SaaS Software Application Error, omission, negligence, misconduct, or breach that compromises or is suspected to compromise the security, confidentiality, or integrity of City Data or the physical, technical, administrative, or organizational safeguards put in place by Contractor that relate to the protection of the security, confidentiality, or integrity of City Data, Contractor shall, as applicable: (a) Notify City immediately following discovery, but no later than twenty-twenty- four (24) hours, of becoming aware of such occurrence or suspected occurrence. Contractor’s report shall identify: (i) the nature of the unauthorized access, use or disclosure; (ii) the Confidential Information accessed, used or disclosed; (iii) the person(s) who accessed, used, disclosed and/or received protected information (if known); (iv) what Contractor has done or will do to mitigate any deleterious effect of the unauthorized access, use or disclosure, and (v) what corrective action Contractor has taken or will take to prevent future unauthorized access, use or disclosure. (b) In the event of a suspected Breach, Contractor shall keep the City informed regularly of the progress of its investigation until the uncertainty is resolved; (c) Contractor shall coordinate with the City in its breach response activities including without limitation: (i) Immediately preserve any potential forensic evidence relating to the breach, and remedy the breach as quickly as circumstances permit; (ii) Promptly (within 2 business days) designate a contact person to whom the City will direct inquiries, and who will communicate Contractor responses to City inquiries; (iii) As rapidly as circumstances permit, apply appropriate resources to remedy the breach condition, investigate, document, restore City service(s) as directed by the City, and undertake appropriate response activities; (iv) Provide status reports to the City on Data Breach response activities, either on a daily basis or a frequency approved by the City; (v) Make all reasonable efforts to assist and cooperate with the City in its Breach response efforts; (vi) Ensure that knowledgeable Contractor staff are available on short notice, if needed, to participate in City-initiated meetings and/or conference calls regarding the Breach; and (vii) Cooperate with City in investigating the occurrence, including making available all relevant records, logs, files, data reporting, and other materials required to comply with applicable law or as otherwise required by City. (d) In the case of personally identifiable information (PII) or protected health information (PHI), at City’s sole election, (a) notify the affected individuals as soon as practicable but no later than is required to comply with applicable law, or, in the absence of any legally required notification period, within five (5) calendar days of the occurrence; or, (b) reimburse City for any costs in notifying the affected individuals; (e) In the case of PII, provide third-party credit and identity monitoring services to each of the affected individuals who comprise the PII for the period required to comply with applicable law, or, in the absence of any legally required monitoring services, for no fewer than twenty-twenty- four (24) months following the date of notification to such individuals; (f) Perform or take any other actions required to comply with applicable law as a result of the occurrence; (g) Recreate lost City Data in the manner and on the schedule set by City without charge to City; and (h) Provide to City a detailed plan within ten (10) calendar days of the occurrence describing the measures Contractor will undertake to prevent a future occurrence. (i) Notification to affected individuals, as described above, shall comply with applicable law, be written in plain language, and contain (at the City’s 's election) information that may include: name and contact information of Contractor’s (or City’s) representative; a description of the nature of the loss; a list of the types of data involved; the known or approximate date of the loss; how such loss may affect the affected individual; what steps Contractor has taken to protect the affected individual; what steps the affected individual can take to protect himself or herself; contact information for major credit card reporting agencies; and, information regarding the credit and identity monitoring services to be provided by Contractor. (j) Contractor shall retain and preserve City Data in accordance with the City’s instruction and requests, including without limitation any retention schedules and/or litigation hold orders provided by the City to Contractor, independent of where the City Data is stored. (k) City shall conduct all media communications related to such Data Breach, unless in its sole discretion, City directs Contractor to do so.

Data Breach; Loss of City Data. In the event of any Data Breach, act, SaaS Software Errorerror, omission, negligence, misconduct, or breach that compromises or is suspected to compromise the security, confidentiality, or integrity of City Data or the physical, technical, administrative, or organizational safeguards put in place by Contractor that relate to the protection of the security, confidentiality, or integrity of City Data, Contractor shall, as applicable: (a) i. Notify City immediately following discovery, but no later than twenty-twenty- four (24) hours, of becoming aware of such occurrence or suspected occurrence. Contractor’s report shall identify: (i) a. the nature of the unauthorized access, use or disclosure; (ii) b. the Confidential Information accessed, used or disclosed; (iii) c. the person(s) who accessed, used, used and disclosed and/or received protected information (if known); (iv) d. what Contractor has done or will do to mitigate any deleterious effect of the unauthorized access, use or disclosure, and (v) e. what corrective action Contractor has taken or will take to prevent future unauthorized access, use or disclosure. (b) ii. In the event of a suspected Breach, Contractor shall keep the City informed regularly of the progress of its investigation until the uncertainty is resolved; (c) iii. Contractor shall coordinate with the City in its breach response activities including without limitation: (i) Immediately a. immediately preserve any potential forensic evidence relating to the breach, and remedy the breach as quickly as circumstances permit; (ii) b. Promptly (within 2 business days) designate a contact person to whom the City will direct inquiries, and who will communicate Contractor responses to City inquiries; (iii) c. As rapidly as circumstances permit, apply appropriate resources to remedy the breach condition, investigate, document, restore City service(s) as directed by the City, and undertake appropriate response activities; (iv) d. Provide status reports to the City on Data Breach response activities, either on a daily basis or a frequency approved by the City; (v) e. Make all reasonable efforts to assist and cooperate with the City in its Breach response efforts; (vi) f. Ensure that knowledgeable Contractor staff are available on short notice, if needed, to participate in City-initiated meetings and/or conference calls regarding the Breach; and (vii) g. Cooperate with City in investigating the occurrence, including making available all relevant records, logs, files, data reporting, and other materials required to comply with applicable law or as otherwise required by City. (d) iv. In the case of personally identifiable information (PII) or protected health information (PHI), at City’s sole election, (a) notify the affected individuals as soon as practicable but no later than is required to comply with applicable law, or, in the absence of any legally required notification period, within five (5) calendar days of the occurrence; or, (b) reimburse City for any costs in notifying the affected individuals; (e) v. In the case of PII, provide third-party credit and identity monitoring services to each of the affected individuals who comprise the PII for the period required to comply with applicable law, or, in the absence of any legally required monitoring services, for no fewer than twenty-four eighteen (2418) months following the date of notification to such individuals; (f) vi. Perform or take any other actions required to comply with applicable law as a result of the occurrence; (g) vii. Without limiting Contractor’s obligations of indemnification as further described in this Agreement, indemnify, defend, and hold harmless City for any and all claims, including reasonable attorneys’ fees, costs, and expenses incidental thereto, which may be suffered by, accrued against, charged to, or recoverable from City in connection with the occurrence; viii. Recreate lost City Data in the manner and on the schedule set by City without charge to City; and (h) ix. Provide to City a detailed plan within ten (10) calendar days of the occurrence describing the measures Contractor will undertake to prevent a future occurrence. (i) x. Notification to affected individuals, as described above, shall comply with applicable law, be written in plain language, and contain (at the City’s 's election) information that may include: name and contact information of Contractor’s (or City’s) representative; a description of the nature of the loss; a list of the types of data involved; the known or approximate date of the loss; how such loss may affect the affected individual; what steps Contractor has taken to protect the affected individual; what steps the affected individual can take to protect himself or herself; contact information for major credit card reporting agencies; and, information regarding the credit and identity monitoring services to be provided by Contractor. (j) xi. Contractor shall retain and preserve City Data in accordance with the City’s instruction and requests, including without limitation any retention schedules and/or litigation hold orders provided by the City to Contractor, independent of where the City Data is stored. (k) xii. City shall conduct all media communications communications, unless at its sole discretion directs Contractor to do so, related to such Data Breach, unless in its sole discretion, City directs Contractor to do so.

Data Breach; Loss of City Data. In the event of any Data Breach, act, SaaS Software Errorerror, omission, negligence, misconduct, or breach that compromises or is suspected to compromise the security, confidentiality, or integrity of City Data or the physical, technical, administrative, or organizational safeguards put in place by Contractor FIRST PARTY that relate to the protection of the security, confidentiality, or integrity of City Data, Contractor FIRST PARTY shall, as applicable: (a) i. Notify City immediately following discovery, but no later than twenty-twenty- four (24) hours, of becoming aware of such occurrence or suspected occurrence. Contractor’s FIRST PARTY’S report shall identify: (i) 1. the nature of the unauthorized access, use or disclosure; (ii) 2. the Confidential Information accessed, used or disclosed; (iii) 3. the person(s) who accessed, used, used and disclosed and/or received protected information (if known); (iv) 4. what Contractor FIRST PARTY has done or will do to mitigate any deleterious effect of the unauthorized access, use or disclosure, ; and (v) 5. what corrective action Contractor FIRST PARTY has taken or will take to prevent future unauthorized access, use or disclosure. (b) ii. In the event of a suspected Breach, Contractor FIRST PARTY shall keep the City informed regularly of the progress of its investigation until the uncertainty is resolved; (c) Contractor iii. FIRST PARTY shall coordinate with the City in its breach response activities including without limitation: (i) Immediately 1. immediately preserve any potential forensic evidence relating to the breach, and remedy the breach as quickly as circumstances permit; (ii) 2. Promptly (within 2 business days) designate a contact person to whom the City will direct inquiries, and who will communicate Contractor FIRST PARTY responses to City inquiries; (iii) 3. As rapidly as circumstances permit, apply appropriate resources to remedy the breach condition, investigate, document, restore City service(s) as directed by the City, and undertake appropriate response activities; (iv) 4. Provide status reports to the City on Data Breach response activities, either on a daily basis or a frequency approved by the City; (v) ; e. Make all reasonable efforts to assist and cooperate with the City in its Breach response efforts; (vi) 5. Ensure that knowledgeable Contractor FIRST PARTY staff are available on short notice, if needed, to participate in City-initiated meetings and/or conference calls regarding the Breach; and (vii) 6. Cooperate with City in investigating the occurrence, including making available all relevant records, logs, files, data reporting, and other materials required to comply with applicable law or as otherwise required by City. (d) iv. In the case of personally identifiable information (PII) or protected health information (PHI), at City’s sole election, (a) notify the affected individuals as soon as practicable but no later than is required to comply with applicable law, or, in the absence of any legally required notification period, within five (5) calendar days of the occurrence; or, (b) reimburse City for any costs in the CITY notifying the affected individuals; (e) v. In the case of PII, provide third-party credit and identity monitoring services to each of the affected individuals who comprise the PII for the period required to comply with applicable law, or, in the absence of any legally required monitoring services, for no fewer than twenty-four eighteen (2418) months following the date of notification to such individuals; (f) vi. Perform or take any other actions required to comply with applicable law as a result of the occurrence; (g) vii. Without limiting FIRST PARTY’s obligations of indemnification as further described in this Agreement, indemnify, defend, and hold harmless City for any and all claims, including reasonable attorneys’ fees, costs, and expenses incidental thereto, which may be suffered by, accrued against, charged to, or recoverable from City in connection with the occurrence; viii. Recreate lost City Data in the manner and on the schedule set by City without charge to City; and (h) ix. Provide to City a detailed plan within ten (10) calendar days of the occurrence describing the measures Contractor FIRST PARTY will undertake to prevent a future occurrence. (i) x. Notification to affected individuals, as described above, shall comply with applicable law, be written in plain language, and contain (at the City’s election) information that may include: name and contact information of Contractor’s FIRST PARTY’S (or City’s) representative; a description of the nature of the loss; a list of the types of data involved; the known or approximate date of the loss; how such loss may affect the affected individual; what steps Contractor FIRST PARTY has taken to protect the affected individual; what steps the affected individual can take to protect himself or herself; contact information for major credit card reporting agencies; and, information regarding the credit and identity monitoring services to be provided by ContractorFIRST PARTY. (j) Contractor xi. FIRST PARTY shall retain and preserve City Data in accordance with the City’s instruction and requests, including without limitation any retention schedules and/or litigation hold orders provided by the City to ContractorFIRST PARTY, independent of where the City Data is stored. (k) xii. City shall conduct all media communications communications, unless at its sole discretion directs FIRST PARTY to do so, related to such Data Breach, unless in its sole discretion, City directs Contractor to do so.

Data Breach; Loss of City Data. In the event of any Data Breach, act, SaaS Software Error, omission, negligence, misconduct, or breach that compromises or is suspected to compromise the security, confidentiality, or integrity of City Data or the physical, technical, administrative, or organizational safeguards put in place by Contractor that relate to the protection of the security, confidentiality, or integrity of City Data, Contractor shall, as applicable: (a) : Notify City immediately following discovery, but no later than twenty-four (24) hours, of becoming aware of such occurrence or suspected occurrence. Contractor’s report shall identify: (i) : the nature of the unauthorized access, use or disclosure; (ii) ; the Confidential Information accessed, used or disclosed; (iii) ; the person(s) who accessed, used, disclosed and/or received protected information (if known); (iv) ; what Contractor has done or will do to mitigate any deleterious effect of the unauthorized access, use or disclosure, and (v) and what corrective action Contractor has taken or will take to prevent future unauthorized access, use or disclosure. (b) . In the event of a suspected Breach, Contractor shall keep the City informed regularly of the progress of its investigation until the uncertainty is resolved; (c) ; Contractor shall coordinate with the City in its breach response activities including without limitation: (i) : Immediately preserve any potential forensic evidence relating to the breach, and remedy the breach as quickly as circumstances permit; (ii) ; Promptly (within 2 business days) designate a contact person to whom the City will direct inquiries, and who will communicate Contractor responses to City inquiries; (iii) ; As rapidly as circumstances permit, apply appropriate resources to remedy the breach condition, investigate, document, restore City service(s) as directed by the City, and undertake appropriate response activities; (iv) ; Provide status reports to the City on Data Breach response activities, either on a daily basis or a frequency approved by the City; (v) ; Make all reasonable efforts to assist and cooperate with the City in its Breach response efforts; (vi) ; Ensure that knowledgeable Contractor staff are available on short notice, if needed, to participate in City-initiated meetings and/or conference calls regarding the Breach; and (vii) and Cooperate with City in investigating the occurrence, including making available all relevant records, logs, files, data reporting, and other materials required to comply with applicable law or as otherwise required by City. (d) . In the case of personally identifiable information (PII) or protected health information (PHI), at City’s sole election, (a) notify the affected individuals as soon as practicable but no later than is required to comply with applicable law, or, in the absence of any legally required notification period, within five (5) calendar days of the occurrence; or, (b) reimburse City for any costs in notifying the affected individuals; (e) ; In the case of PII, provide third-party credit and identity monitoring services to each of the affected individuals who comprise the PII for the period required to comply with applicable law, or, in the absence of any legally required monitoring services, for no fewer than twenty-four (24) months following the date of notification to such individuals; (f) ; Perform or take any other actions required to comply with applicable law as a result of the occurrence; (g) ; Recreate lost City Data in the manner and on the schedule set by City without charge to City; and (h) and Provide to City a detailed plan within ten (10) calendar days of the occurrence describing the measures Contractor will undertake to prevent a future occurrence. (i) . Notification to affected individuals, as described above, shall comply with applicable law, be written in plain language, and contain (at the City’s election) information that may include: name and contact information of Contractor’s (or City’s) representative; a description of the nature of the loss; a list of the types of data involved; the known or approximate date of the loss; how such loss may affect the affected individual; what steps Contractor has taken to protect the affected individual; what steps the affected individual can take to protect himself or herself; contact information for major credit card reporting agencies; and, information regarding the credit and identity monitoring services to be provided by Contractor. (j) . Contractor shall retain and preserve City Data in accordance with the City’s instruction and requests, including without limitation any retention schedules and/or litigation hold orders provided by the City to Contractor, independent of where the City Data is stored. (k) . City shall conduct all media communications related to such Data Breach, unless in its sole discretion, City directs Contractor to do so. Proprietary or Confidential Information of City. Contractor understands and agrees that, in the performance of the work or services under this Agreement may involve access to City Data that is Confidential Information. Contractor and any subcontractors or agents shall use Confidential Information only in accordance with all applicable local, state and federal laws restricting the access, use and disclosure of Confidential Information and only as necessary in the performance of this Agreement. Contractor’s failure to comply with any requirements of local, state or federal laws restricting access, use and disclosure of Confidential Information shall be deemed a material breach of this Agreement, for which City may terminate the Agreement. In addition to termination or any other remedies set forth in this Agreement or available in equity or law, the City may bring a false claim action against Contractor pursuant to Chapters 6 or 21 of the Administrative Code, or debar Contractor. Contractor agrees to include all of the terms and conditions regarding Confidential Information contained in this Agreement in all subcontractor or agency contracts providing services under this Agreement.

Data Breach; Loss of City Data. In the event of any Data Breach, act, SaaS Software Errorsoftware error, omission, negligence, misconduct, or breach that compromises or is suspected to compromise the security, confidentiality, or integrity of City Data or the physical, technical, administrative, or organizational safeguards put in place by Contractor that relate to the protection of the security, confidentiality, or integrity of City Data, Contractor shall, as applicable: (a) : Notify City immediately following discovery, but no later than twenty-four (24) hours, of becoming aware of such occurrence or suspected occurrence. Contractor’s report shall identify: (i) : the nature of the unauthorized access, use or disclosure; (ii) ; the Confidential Information accessed, used or disclosed; (iii) ; the person(s) who accessed, used, disclosed and/or received protected information (if known); (iv) ; what Contractor has done or will do to mitigate any deleterious effect of the unauthorized access, use or disclosure, and (v) and what corrective action Contractor has taken or will take to prevent future unauthorized access, use or disclosure. (b) . In the event of a suspected Breach, Contractor shall keep the City informed regularly of the progress of its investigation until the uncertainty is resolved; (c) ; Contractor shall coordinate with the City in its breach response activities including without limitation: (i) : Immediately preserve any potential forensic evidence relating to the breach, and remedy the breach as quickly as circumstances permit; (ii) ; Promptly (within 2 business days) designate a contact person to whom the City will direct inquiries, and who will communicate Contractor responses to City inquiries; (iii) ; As rapidly as circumstances permit, apply appropriate resources to remedy the breach condition, investigate, document, restore City service(s) as directed by the City, and undertake appropriate response activities; (iv) ; Provide status reports to the City on Data Breach response activities, either on a daily basis or a frequency approved by the City; (v) ; Make all reasonable efforts to assist and cooperate with the City in its Breach response efforts; (vi) ; Ensure that knowledgeable Contractor staff are available on short notice, if needed, to participate in City-initiated meetings and/or conference calls regarding the Breach; and (vii) and Cooperate with City in investigating the occurrence, including making available all relevant records, logs, files, data reporting, and other materials required to comply with applicable law or as otherwise required by City. (d) . In the case of personally identifiable information (PII) or protected health information (PHI), at City’s sole election, (a) notify the affected individuals as soon as practicable but no later than is required to comply with applicable law, or, in the absence of any legally required notification period, within five (5) calendar days of the occurrence; or, (b) reimburse City for any costs in notifying the affected individuals; (e) ; In the case of PII, provide third-party credit and identity monitoring services to each of the affected individuals who comprise the PII for the period required to comply with applicable law, or, in the absence of any legally required monitoring services, for no fewer than twenty-four (24) months following the date of notification to such individuals; (f) ; Perform or take any other actions required to comply with applicable law as a result of the occurrence; (g) ; Recreate lost City Data in the manner and on the schedule set by City without charge to City; and (h) and Provide to City a detailed plan within ten (10) calendar days of the occurrence describing the measures Contractor will undertake to prevent a future occurrence. (i) . Notification to affected individuals, as described above, shall comply with applicable law, be written in plain language, and contain (at the City’s 's election) information that may include: name and contact information of Contractor’s (or City’s) representative; a description of the nature of the loss; a list of the types of data involved; the known or approximate date of the loss; how such loss may affect the affected individual; what steps Contractor has taken to protect the affected individual; what steps the affected individual can take to protect himself or herself; contact information for major credit card reporting agencies; and, information regarding the credit and identity monitoring services to be provided by Contractor. (j) . Contractor shall retain and preserve City Data in accordance with the City’s instruction and requests, including without limitation any retention schedules and/or litigation hold orders provided by the City to Contractor, independent of where the City Data is stored. (k) . City shall conduct all media communications related to such Data Breach, unless in its sole discretion, City directs Contractor to do so.. Data Security. To prevent unauthorized access or “hacking” of City Data, Contractor shall at all times during the Term provide and maintain up-to-date security with respect to (a) the Services, (b) the Contractor’s Website, (c) Contractor's physical facilities, and (d) Contractor's networks. Contractor shall provide security for its networks and all Internet connections consistent with best practices observed by well-managed software and systems working in the financial services industry, and shall promptly install all patches, fixes, upgrades, updates and new versions of any security software it employs. Contractor will maintain appropriate safeguards to restrict access to City's Data to those employees, agents or service providers of Contractor who need the information to carry out the purposes for which it was disclosed to Contractor. For information disclosed in electronic form, Contractor agrees that appropriate safeguards include electronic barriers (e.g., most current industry standard encryption for transport and storage, such as the National Institute of Standards and Technology’s Internal Report 7977 or Federal Information Processing Standards [FIPS] 140-2 [Security Requirements for Cryptographic Modules] or FIPS-197 or successors, intrusion prevention/detection or similar barriers) and secure authentication (e.g., password protected) access to the City's Confidential Information and hosted City Data. For information disclosed in written form, Contractor agrees that appropriate safeguards include secured storage of City Data. City Data classified as Confidential Information shall be encrypted at rest and in transit with controlled access. Contractor shall also establish and maintain any additional physical, electronic, administrative, technical and procedural controls and safeguards to protect City Data that are no less rigorous than accepted industry practices (including, as periodically amended or updated, the International Organization for Standardization’s standards: ISO/IEC 27001:2005 – Information Security Management Systems – Requirements and ISO-IEC 27002:2005 – Code of Practice for International Security Management, NIST Special Publication 800-53 Revision 4 or its successor, NIST Special Publication 800-18 or its successor, the Information Technology Library (ITIL) standards, the Control Objectives for Information and related Technology (COBIT) standards, or other applicable industry standards for information security), and shall ensure that all such controls and safeguards, including the manner in which Confidential Information is collected, accessed, used, stored, processed, disposed of and disclosed, comply with applicable data protection and privacy laws, as well as the terms and conditions of this Agreement. Contractor warrants to the City compliance with the following (as periodically amended or updated) as applicable: The California Information Practices Act/California Consumer Privacy Act (Civil Code §§ 1798 et seq): The European General Data Protection Regulation (“GDPR”) Compliance with the following, as applicable: Federal Risk and Authorization Management Program (FedRAMP) certification, where federal funding is involved, and show evidence of having an active compliance program; Based upon the City’s classification of Data: Relevant security provisions of the Internal Revenue Service (IRS) Publication 1075, including the requirements that Data not traverse networks located outside of the United States; Relevant security provisions of the Payment Card Industry (PCI) Data Security Standard (PCI DSS) including the PCI DSS Cloud Computing Guidelines; Relevant security provisions of the Social Security Administration (SSA) Document Electronic Information Exchange Security Requirement and Procedures for State and Local Agencies Exchanging Electronic Information with the Social Security Administration; Relevant security provisions of the Criminal Justice Services (CJIS) Security policy. Relevant security provisions of the Medi-Cal Privacy and Security Agreement between the California Department of Health Care Services and the County of San Francisco;

Data Breach; Loss of City Data. In Notwithstanding anything to the contrary set forth in the Agreement and accompanying Purchase Orders, in the event of any Data Breach, act, SaaS Software Error, omission, negligence, misconduct, or breach that compromises or is suspected to compromise the security, confidentiality, or integrity of City Data or the physical, technical, administrative, or organizational safeguards put in place by Contractor that relate to the protection of the security, confidentiality, or integrity of City Data, Contractor shall, as applicable: (a) Notify City immediately following discovery, but no later than twenty-four (24) hours, of becoming aware of such occurrence or suspected occurrence. Contractor’s report shall identify: (i) the nature of the unauthorized access, use use, or disclosure; (ii) the Confidential Information accessed, used used, or disclosed; (iii) the person(s) who accessed, used, disclosed disclosed, and/or received protected information (if known); (iv) what Contractor has done or will do to mitigate any deleterious effect of the unauthorized access, use use, or disclosure, ; and (v) what corrective action Contractor has taken or will take to prevent future unauthorized access, use use, or disclosure. (b) In the event of a suspected Breach, Contractor shall keep the City informed regularly of the progress of its investigation until the uncertainty is resolved; (c) Contractor shall coordinate with the City in its breach response activities including without limitation: (i) Immediately preserve any potential forensic evidence relating to the breach, and remedy the breach as quickly as circumstances permit; (ii) Promptly (within 2 two (2) business days) designate a contact person to whom the City will direct inquiries, and who will communicate Contractor responses to City inquiries; (iii) As rapidly as circumstances permit, apply appropriate resources to remedy the breach condition, investigate, document, restore City service(s) as directed by the City, and undertake appropriate response activities; (iv) Provide status reports to the City on Data Breach response activities, either on a daily basis or a frequency approved by the City; (v) Make all reasonable efforts to assist and cooperate with the City in its Breach response efforts; (vi) Ensure that knowledgeable Contractor staff are available on short notice, if needed, to participate in City-initiated meetings and/or conference calls regarding the Breach; and (vii) Cooperate with City in investigating the occurrence, including making available all relevant records, logs, files, data reporting, and other materials required to comply with applicable law or as otherwise required by City. (d) In the case of personally identifiable information (PII) or protected health information (PHI), at City’s sole election, (a) notify the affected individuals as soon as practicable but no later than is required to comply with applicable law, or, in the absence of any legally required notification period, within five (5) calendar days of the occurrence; or, (b) reimburse City for any costs in notifying the affected individuals; (e) In the case of PII, provide third-party credit and identity monitoring services to each of the affected individuals who comprise the PII for the period required to comply with applicable law, or, in the absence of any legally required monitoring services, for no fewer than twenty-four (24) months following the date of notification to such individuals; (f) Perform or take any other actions required to comply with applicable law as a result of the occurrence; (g) Recreate lost City Data in the manner and on the schedule set by City without charge to City; and (h) Provide to City a detailed plan within ten (10) calendar days of the occurrence describing the measures Contractor will undertake to prevent a future occurrence. (i) Notification to affected individuals, as described above, shall comply with applicable law, be written in plain language, and contain (at the City’s election) information that may include: name and contact information of Contractor’s (or City’s) representative; a description of the nature of the loss; a list of the types of data involved; the known or approximate date of the loss; how such loss may affect the affected individual; what steps Contractor has taken to protect the affected individual; what steps the affected individual can take to protect himself or herself; contact information for major credit card reporting agencies; and, information regarding the credit and identity monitoring services to be provided by Contractor. (j) Contractor shall retain and preserve City Data in accordance with the City’s instruction and requests, including without limitation any retention schedules and/or litigation hold orders provided by the City to Contractor, independent of where the City Data is stored. (k) City shall conduct all media communications related to such Data Breach, unless in its sole discretion, City directs Contractor to do so.

Data Breach; Loss of City Data. In the event of any Data Breach, act, SaaS Software Error, omission, negligence, misconduct, or breach that compromises or is suspected to compromise the security, confidentiality, or integrity of City Data or the physical, technical, administrative, or organizational safeguards put in place by Contractor that relate to the protection of the security, confidentiality, or integrity of City Data, Contractor shall, as applicable: (a) Notify City immediately following discovery, but no later than twenty-twenty- four (24) hours, of becoming aware of such occurrence or suspected occurrence. Contractor’s report shall identify: (i) the nature of the unauthorized access, use or disclosure; (ii) the Confidential Information accessed, used or disclosed; (iii) the person(s) who accessed, used, disclosed and/or received protected information (if known); (iv) what Contractor has done or will do to mitigate any deleterious effect of the unauthorized access, use or disclosure, and (v) what corrective action Contractor has taken or will take to prevent future unauthorized access, use or disclosure. (b) In the event of a suspected Breach, Contractor shall keep the City informed regularly of the progress of its investigation until the uncertainty is resolved; (c) Contractor shall coordinate with the City in its breach response activities including without limitation: (i) Immediately preserve any potential forensic evidence relating to the breach, and remedy the breach as quickly as circumstances permit; (ii) Promptly (within 2 business days) designate a contact person to whom the City will direct inquiries, and who will communicate Contractor responses to City inquiries; (iii) As rapidly as circumstances permit, apply appropriate resources to remedy the breach condition, investigate, document, restore City service(s) as directed by the City, and undertake appropriate response activities; (iv) Provide status reports to the City on Data Breach response activities, either on a daily basis or a frequency approved by the City; (v) Make all reasonable efforts to assist and cooperate with the City in its Breach response efforts; (vi) Ensure that knowledgeable Contractor staff are available on short notice, if needed, to participate in City-initiated meetings and/or conference calls regarding the Breach; and (vii) Cooperate with City in investigating the occurrence, including making available all relevant records, logs, files, data reporting, and other materials required to comply with applicable law or as otherwise required by City. (d) In the case of personally identifiable information (PII) or protected health information (PHI), at City’s sole election, (a) notify the affected individuals as soon as practicable but no later than is required to comply with applicable law, or, in the absence of any legally required notification period, within five (5) calendar days of the occurrence; or, (b) reimburse City for any costs in notifying the affected individuals; (e) In the case of PII, provide third-party credit and identity monitoring services to each of the affected individuals who comprise the PII for the period required to comply with applicable law, or, in the absence of any legally required monitoring services, for no fewer than twenty-twenty- four (24) months following the date of notification to such individuals; (f) Perform or take any other actions required to comply with applicable law as a result of the occurrence; (g) Recreate lost City Data in the manner and on the schedule set by City without charge to City; and (h) Provide to City a detailed plan within ten (10) calendar days of the occurrence describing the measures Contractor will undertake to prevent a future occurrence. (i) Notification to affected individuals, as described above, shall comply with applicable law, be written in plain language, and contain (at the City’s 's election) information that may include: name and contact information of Contractor’s (or City’s) representative; a description of the nature of the loss; a list of the types of data involved; the known or approximate date of the loss; how such loss may affect the affected individual; what steps Contractor has taken to protect the affected individual; what steps the affected individual can take to protect himself or herself; contact information for major credit card reporting agencies; and, information regarding the credit and identity monitoring services to be provided by Contractor. (j) Contractor shall retain and preserve City Data in accordance with the City’s instruction and requests, including without limitation any retention schedules and/or litigation hold orders provided by the City to Contractor, independent of where the City Data is stored. (k) City shall conduct all media communications related to such Data Breach, unless in its sole discretion, City directs Contractor to do so.

Data Breach; Loss of City Data. In the event of any Data Breach, act, SaaS Software Error, omission, negligence, misconduct, or breach that compromises or is suspected to compromise the security, confidentiality, or integrity of City Data or the physical, technical, administrative, or organizational safeguards put in place by Contractor that relate to the protection of the security, confidentiality, or integrity of City Data, Contractor shall, as applicable: (a) Notify City immediately following discovery, but no later than twenty-four (24) hours, of becoming aware of such occurrence or suspected occurrence. Contractor’s report shall identify: (i) the nature of the unauthorized access, use or disclosure; (ii) the Confidential Information accessed, used or disclosed; (iii) the person(s) who accessed, used, disclosed and/or received protected information (if known); (iv) what Contractor has done or will do to mitigate any deleterious effect of the unauthorized access, use or disclosure, and (v) what corrective action Contractor has taken or will take to prevent future unauthorized access, use or disclosure. (b) In the event of a suspected Breach, Contractor shall keep the City informed regularly of the progress of its investigation until the uncertainty is resolved; (c) Contractor shall coordinate with the City in its breach response activities including without limitation: (i) Immediately preserve any potential forensic evidence relating to the breach, and remedy the breach as quickly as circumstances permit; (ii) Promptly (within 2 business days) designate a contact person to whom the City will direct inquiries, and who will communicate Contractor responses to City inquiries; (iii) As rapidly as circumstances permit, apply appropriate resources to remedy the breach condition, investigate, document, restore City service(s) as directed by the City, and undertake appropriate response activities; (iv) Provide status reports to the City on Data Breach response activities, either on a daily basis or a frequency approved by the City; (v) Make all reasonable efforts to assist and cooperate with the City in its Breach response efforts; (vi) Ensure that knowledgeable Contractor staff are available on short notice, if needed, to participate in City-initiated meetings and/or conference calls regarding the Breach; and (vii) Cooperate with City in investigating the occurrence, including making available all relevant records, logs, files, data reporting, and other materials required to comply with applicable law or as otherwise required by City. (d) In the case of personally identifiable information (PII) PII or protected health information (PHI), at City’s sole election, (a) notify the affected individuals as soon as practicable but no later than is required to comply with applicable law, or, in the absence of any legally required notification period, within five (5) calendar days of the occurrence; or, (b) reimburse City for any costs in notifying the affected individuals; (e) In the case of PII, provide third-party credit and identity monitoring services to each of the affected individuals who comprise the PII for the period required to comply with applicable law, or, in the absence of any legally required monitoring services, for no fewer than twenty-four (24) months following the date of notification to such individuals; (f) Perform or take any other actions required to comply with applicable law as a result of the occurrence; (g) Recreate lost City Data in the manner and on the schedule set by City without charge to City; and (h) Provide to City a detailed plan within ten (10) calendar days of the occurrence describing the measures Contractor will undertake to prevent a future occurrence. (i) Notification to affected individuals, as described above, shall comply with applicable law, be written in plain language, and contain (at the City’s election) information that may include: name and contact information of Contractor’s (or City’s) representative; a description of the nature of the loss; a list of the types of data involved; the known or approximate date of the loss; how such loss may affect the affected individual; what steps Contractor has taken to protect the affected individual; what steps the affected individual can take to protect himself or herself; contact information for major credit card reporting agencies; and, information regarding the credit and identity monitoring services to be provided by Contractor. (j) Contractor shall retain and preserve City Data in accordance with the City’s instruction and requests, including without limitation any retention schedules and/or litigation hold orders provided by the City to Contractor, independent of where the City Data is stored. (k) City shall conduct all media communications related to such Data Breach, unless in its sole discretion, City directs Contractor to do so.

Data Breach; Loss of City Data. In the event of any Data Breach, act, SaaS Software ErrorMMS software error, omission, negligence, misconduct, or breach that compromises or is suspected to compromise the security, confidentiality, or integrity of City Data or the physical, technical, administrative, or organizational safeguards put in place by Contractor that relate to the protection of the security, confidentiality, or integrity of City Data, Contractor shall, as applicable:is (a) Notify City immediately following discovery, but no later than twenty-four (24) 24 hours, of becoming aware of such occurrence or suspected occurrence. Contractor’s report shall identify: (i) the nature of the unauthorized access, use or disclosure; (ii) the Confidential Information accessed, used or disclosed; (iii) the person(s) who accessed, used, disclosed and/or received protected information (if known); (iv) what Contractor has done or will do to mitigate any deleterious effect of the unauthorized access, use or disclosure, and (v) what corrective action Contractor has taken or will take to prevent future unauthorized access, use or disclosure. (b) In the event of a suspected Breach, Contractor shall keep the City informed regularly of the progress of its investigation until the uncertainty is resolved; (c) Contractor shall coordinate with the City in its breach response activities including activities, including, without limitation: (i) Immediately preserve any potential forensic evidence relating to the breach, and remedy the breach as quickly as circumstances permit; (ii) Promptly (within 2 two business days) designate a contact person to whom the City will direct inquiries, and who will communicate Contractor responses to City inquiries; (iii) As rapidly as circumstances permit, apply appropriate resources to remedy the breach condition, investigate, document, restore City service(s) as directed by the City, and undertake appropriate response activities; (iv) Provide status reports to the City on Data Breach response activities, either on a daily basis or a frequency approved by the City; (v) Make all reasonable efforts to assist and cooperate with the City in its Breach response efforts; (vi) Ensure that knowledgeable Contractor staff are available on short notice, if needed, to participate in City-initiated meetings and/or conference calls regarding the Breach; and (vii) Cooperate with City in investigating the occurrence, including making available all relevant records, logs, files, data reporting, and other materials required to comply with applicable law or as otherwise required by City. (d) In the case of personally identifiable information (PII) or protected health information (PHI), at City’s sole election, (a) notify the affected individuals as soon as practicable but no later than is required to comply with applicable law, or, in the absence of any legally required notification period, within five (5) calendar days of the occurrence; or, (b) reimburse City for any costs in notifying the affected individuals; (e) In the case of PII, provide third-party credit and identity monitoring services to each of the affected individuals who comprise the PII for the period required to comply with applicable law, or, in the absence of any legally required monitoring services, for no fewer than twenty-four (24) months following the date of notification to such individuals; (f) Perform or take any other actions required to comply with applicable law as a result of the occurrence; (ge) Recreate lost City Data in the manner and on the schedule set by City without charge to City; and (hf) Provide to City a detailed plan within ten (10) calendar days 10 Days of the occurrence describing the measures Contractor will undertake to prevent a future occurrence. (ig) Notification to affected individuals, as described above, shall comply with applicable law, be written in plain language, and contain (at the City’s 's election) information that may include: name and contact information of Contractor’s (or City’s) representative; a description of the nature of the loss; a list of the types of data involved; the known or approximate date of the loss; how such loss may affect the affected individual; what steps Contractor has taken to protect the affected individual; what steps the affected individual can take to protect himself or herself; contact information for major credit card reporting agencies; and, information regarding the credit and identity monitoring services to be provided by Contractor.the (jh) Contractor shall retain and preserve City Data in accordance with the City’s instruction and requests, including without limitation any retention schedules and/or litigation hold orders provided by the City to Contractor, independent of where the City Data is stored.with (ki) City shall conduct all media communications related to such Data Breach, unless in its sole discretion, City directs Contractor to do so.