Data Breach Response Plan Clause Samples

A Data Breach Response Plan clause outlines the procedures and responsibilities that parties must follow in the event of a data breach involving sensitive or confidential information. Typically, this clause specifies notification timelines, the required content of breach notifications, and the steps for investigating and mitigating the breach, such as informing affected individuals and cooperating with regulatory authorities. Its core function is to ensure a prompt, coordinated, and effective response to data breaches, thereby minimizing potential harm and ensuring compliance with legal and contractual obligations.
Data Breach Response Plan. Within one year after the effective date of this Contract, the Academy Board shall design and implement a comprehensive data breach response plan. The data breach response plan should be made available to Academy personnel and any Educational Service Provider contracting with the Academy. The data breach response plan should be updated periodically by the Academy Board to address changes in data threat assessments and changes in applicable state and federal privacy laws.
Data Breach Response Plan. After it becomes aware of or suspects that any PII received from IDE has been subject to a Confidential Information Breach, IVRS shall (i) notify IDE of such Confidential Information Breach as soon as practicable, but no more than 24 hours after discovery of the Confidential Information Breach and (ii) promptly investigate the Confidential Information Breach and provide IDE with detailed information about the Confidential Information Breach. Unless the parties agree otherwise, IVRS shall be responsible, at its expense, for notifying affected individuals of the Confidential Information Breach as required by law (including but not limited to Iowa Code Chapter 715C) or as mutually agreed upon by the parties. IVRS shall, at its expense, take reasonable steps to mitigate the effects and to minimize any damage resulting from the Confidential Information Breach. Such steps shall include when appropriate a credit monitoring or protection plan. The credit monitoring or protection plan shall include, but is not limited to, reimbursement for the full cost of commencing a security freeze, temporary suspension, or removal of a security freeze per credit file pursuant to Iowa Code Section 714G.5 and shall cover a length of time commensurate with the circumstances of the Confidential Information Breach. The foregoing obligations may be delayed or waived if a law enforcement agency determines that the performance of the obligations would impede a criminal investigation.
Data Breach Response Plan.
6.2.1. If the Licensee becomes aware of an actual, or potential, eligible data breach, the Licensee shall immediately notify Compsys and provide Compsys with the following details:
(a) The nature of the data breach;
(b) The type and sensitivity of the information involved in the data breach;
(c) Remedial action that has been taken in response to the data breach;
(d) Any security measures in place to protect the data;
(e) The nature of the harm that may arise as a result of the data breach; and
(f) Any other relevant matters.
Where possible, Compsys will endeavour to work with the Licensee to take remedial action to prevent serious harm from eventuating to the individual/s the subject of the data.
6.2.2. Alternatively, if Compsys becomes aware of an eligible data breach in respect of the Licensee's data, Compsys may notify the Licensee and, where possible, work with the Licensee to take remedial action to prevent serious harm from eventuating to the individual/s the subject of the data.
6.2.3. Where an eligible data breach has occurred, Compsys shall determine which party is responsible for the data breach and allocate responsibility for notification of the data breach to the individual/s the subject of the data and/or OAIC.
6.2.4. As a general rule, a party will be deemed responsible for the data breach where that party's employee/s or premises have:
6.2.4.1. lost, or have been the subject of a theft of, laptops, removable storage devices, or paper records containing personal information;
6.2.4.2. disposed of hard disk drives and other digital storage media without the contents first being erased;
6.2.4.3. accessed or disclosed personal information outside the requirements of authorisation of their employment;
6.2.4.4. had paper records stolen from insecure recycling or garbage bins;
6.2.4.5. mistakenly provided personal information to the wrong person, for example, an email was sent to the wrong address;
6.2.4.6. been deceived into improperly releasing the personal information of another person; and
6.2.4.7. any other scenario that Compsys deems the responsibility of the Licensee.
6.2.5. Compsys will also be deemed responsible for a data breach where its database/s containing personal information are hacked into or otherwise illegally accessed by individuals outside of the Compsys organisation.
6.2.6. The party Compsys deems responsible for the data breach has the responsibility of reporting the breach to:
6.2.6.1. the individual the subject of the in...