General Security Requirements. (a) GA shall have a written, comprehensive information security program for the establishment and maintenance of a security system covering all electronic equipment, including its computers and any wireless system that, at a minimum, has the following elements:
(i) Secure user authentication protocols that include:
(A) control of user IDs and other identifiers;
(B) a secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
(C) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
(D) restricting access to active users and active user accounts only;
(E) blocking access to user identification after multiple unsuccessful attempts to gain access or limitation placed on access for the particular system;
(F) prohibitions against sharing or migrating access privileges to another individual; and
(G) assignment of access privileges only to identifiable, individual accounts, and all activity conducted by these accounts must be auditable.
(ii) Secure access control measures that:
(A) restrict access to records and files containing Confidential Information to those who need such information to perform their job duties; and
(B) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls.
(b) Company may require GA to have an annual review and/or an annual technical audit of its security policies and practices by Company, or, at GA’s option and expense, an independent auditor, to ensure compliance with this Amendment. The third party audit report, including recommendations for remedying deficiencies where appropriate, will be provided to Company within seven (7) business days of receipt of the report by GA. GA shall have thirty (30) calendar days to implement remedies to any identified deficiencies, and notify Company that such deficiencies have been addressed. GA’s failure to remedy the identified deficiencies shall be considered in breach of this Section 5.
(c) GA will encrypt all records and files containing Confidential Information that are transmitted across public networks or transmitted wirelessly.
(d) GA will encrypt all desktop computers, laptops and all other portable devices on which Confidential Information is stored.
(e) GA will monitor systems for unauthorized use of or access to Confidential Information.
(f) For files containing Confidential Information on a system that is connected to the Internet, GA will maintain up-to-date firewall protection and operating system security patches designed to maintain the integrity of the Confidential Information.
(g) GA will maintain up-to-date versions of system security agent software which includes malware protection and up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.
(h) GA will educate and train employees on the proper use of the computer security system and the importance of Confidential Information security. In addition:
(i) GA will designate one or more employees to maintain the comprehensive information security program.
(ii) GA will identify and assess foreseeable internal and external risks to the security, confidentiality and/or integrity of any electronic, paper or other records containing Confidential Information, and will evaluate and improve, where necessary, the effectiveness of their current safeguards for limiting such risks, including but not limited to: (A) ongoing employee (including temporary and contract employee) training; (B) employee compliance with policies and procedures; and (C) means for detecting and preventing security system failures.
(iii) GA will maintain a security policy for Representatives that protects records containing Confidential Information that are transported outside of business premises.
(iv) GA will impose appropriate disciplinary measures for employees that violate its comprehensive information security program rules.
(v) GA will have processes in place to prevent terminated employees from accessing records containing Confidential Information by immediately terminating their physical and electronic access to such records, including deactivating their passwords and user names.
(i) No transfer of Confidential Information may be made by GA outside of the United States without the prior, express written authorization of Company.
Appears in 2 contracts
Samples: Contracting Checklist, Contracting Checklist
General Security Requirements. When storing Confidential Information, Representative shall comply with the following requirements:
(a) Representative shall have a written, comprehensive information security program for the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, shall have the following elements:
(i) Secure user authentication protocols that include:
(A) control of user IDs and other identifiers;
(B) a secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
(C) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
(D) restricting access to active users and active user accounts only;
(E) blocking access to user identification after multiple unsuccessful attempts to gain access or limitation placed on access for the particular system;
(F) prohibitions against sharing or migrating access privileges to another individual; and
(G) assignment of access privileges only to identifiable, individual accounts, and all activity conducted by these accounts must be auditable.
(ii) Secure access control measures that:
(A) restrict access to records and files containing Confidential Information to those who need such information to perform their job duties; and
(B) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls.
(b) To the extent technically feasible, Representative will encrypt all records and files containing Confidential Information that are transmitted across public networks or transmitted wirelessly.
(c) Representative will monitor systems for unauthorized use of or access to Confidential Information.
(d) Representative will encrypt all Confidential Information stored on laptops or other portable devices.
(e) For files containing Confidential Information on a system that is connected to the Internet, Representative will maintain up-to-date firewall protection and operating system security patches designed to maintain the integrity of the Confidential Information.
(f) Representative will maintain up-to-date versions of system security agent software which includes malware protection and up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.
(g) Representative will educate and train employees on the proper use of the computer security system and the importance of Confidential Information security. In addition:
(i) Representative will designate one or more employees to maintain the comprehensive information security program.
(ii) Representative will identify and assess foreseeable internal and external risks to the security, confidentiality and/or integrity of any electronic, paper or other records containing Confidential Information, and will evaluate and improve, where necessary, the effectiveness of their current safeguards for limiting such risks, including but not limited to: (A) ongoing employee (including temporary and contract employee) training; (B) employee compliance with policies and procedures; and (C) means for detecting and preventing security system failures.
(iii) Representative will maintain a security policy for Representatives that protects records containing Confidential Information that are transported outside of business premises.
(iv) Representative will impose appropriate disciplinary measures for employees that violate their comprehensive information security program rules.
(v) Representative will have processes in place to prevent terminated employees from accessing records containing Confidential Information by immediately terminating their physical and electronic access to such records, including deactivating their passwords and user names.
Appears in 1 contract
Samples: Representative Agreement
General Security Requirements. The Supplier shall:
6.1 Be compliant with applicable government and industry mandated information security standards (examples of such standards include, but are not limited to, ISO/IEC 27001, the Payment Card Industry-Data Security Standards (PCI-DSS), Electronic Data Interchange (EDI) standards, and the information security requirements documented within laws, such as the Health Insurance Portability and Accountability Act - HIPAA.)
6.2 Establish and maintain a formal and comprehensive security program in accordance with Industry Best Practice with reasonable and appropriate administrative, organizational, technical, and physical safeguards, including those set out in this Part C (the "Information Security Requirements"), designed to ensure the security, confidentiality, integrity, and availability of Subscriber Data (including, without limitation, the privacy of Subscriber Data) and to guard against Security Incidents. Such data safeguards will include, but are not limited to, the following:
(a) Supplier shall maintain an inventory of systems used by Supplier to store or process Subscriber Data;
(b) Supplier shall have a media and non-volatile storage sanitization and destruction policy and procedure, which:
(i) requires onsite destruction or sanitization;
(ii) meets at a minimum, NIST SP 800-88 Purge and Destruction requirements; and
(iii) includes the issuance of a certificate of destruction or sanitization to Subscriber that Subscriber Data is properly wiped or destroyed, so as not to allow for any type of data recovery at any time during or at the end of the term of this Agreement or as requested by Subscriber;
(c) Any hard copy materials containing Subscriber Data or related application support shall be secured in locked containers when not in use, and destroyed by secure shredding at any time during or at the end of the term of this Agreement or as requested by Subscriber. Certificate(s) of Destruction may be requested by Subscriber;
(d) Isolate Subscriber’s applications and Subscriber Data from any other customer’s or Supplier’s own applications and information by using physically separate servers or (where physical separation of servers is not a condition of any agreement with the Supplier) by using logical access controls.
(e) Have documented procedures for the secure backup and recovery of Subscriber Data, which shall include, at a minimum, Strong Encryption, secure procedures for the transport, storage, and disposal of the backup copies of Subscriber Data, and documented chain of custody.
(f) Use Strong Encryption to protect Personal Information when transmitted and stored.
Appears in 1 contract
Samples: Data Processing Addendum
General Security Requirements. (a) GA shall have a written, comprehensive information security program for the establishment and maintenance of a security system covering all electronic equipment, including its computers and any wireless system that, at a minimum, has the following elements:
(i) Secure user authentication protocols that include:
(A) control of user IDs and other identifiers;
(B) a secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
(C) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
(D) restricting access to active users and active user accounts only;
(E) blocking access to user identification after multiple unsuccessful attempts to gain access or limitation placed on access for the particular system;
(F) prohibitions against sharing or migrating access privileges to another individual; and
(G) assignment of access privileges only to identifiable, individual accounts, and all activity conducted by these accounts must be auditable.
(ii) Secure access control measures that:
(A) restrict access to records and files containing Confidential Information to those who need such information to perform their job duties; and
(B) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls.
(b) Company may require GA to have an annual review and/or an annual technical audit of its security policies and practices by Company, or, at GA’s option and expense, an independent auditor, to ensure compliance with this Addendum. The third party audit report, including recommendations for remedying deficiencies where appropriate, will be provided to Company within seven (7) business days of receipt of the report by GA. GA shall have thirty (30) calendar days to implement remedies to any identified deficiencies, and notify Company that such deficiencies have been addressed. GA’s failure to remedy the identified deficiencies shall be considered in breach of this Section 5.
(c) GA will encrypt all records and files containing Confidential Information that are transmitted across public networks or transmitted wirelessly.
(d) GA will encrypt all desktop computers, laptops and all other portable devices on which Confidential Information is stored.
(e) GA will monitor systems for unauthorized use of or access to Confidential Information.
(f) For files containing Confidential Information on a system that is connected to the Internet, GA will maintain up-to-date firewall protection and operating system security patches designed to maintain the integrity of the Confidential Information.
(g) GA will maintain up-to-date versions of system security agent software which includes malware protection and up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.
(h) GA will educate and train employees on the proper use of the computer security system and the importance of Confidential Information security. In addition:
(i) GA will designate one or more employees to maintain the comprehensive information security program.
(ii) GA will identify and assess foreseeable internal and external risks to the security, confidentiality and/or integrity of any electronic, paper or other records containing Confidential Information, and will evaluate and improve, where necessary, the effectiveness of their current safeguards for limiting such risks, including but not limited to: (A) ongoing employee (including temporary and contract employee) training; (B) employee compliance with policies and procedures; and (C) means for detecting and preventing security system failures.
(iii) GA will maintain a security policy for Representatives that protects records containing Confidential Information that are transported outside of business premises.
(iv) GA will impose appropriate disciplinary measures for employees that violate its comprehensive information security program rules.
(v) GA will have processes in place to prevent terminated employees from accessing records containing Confidential Information by immediately terminating their physical and electronic access to such records, including deactivating their passwords and user names.
(i) No transfer of Confidential Information may be made by GA outside of the United States without the prior, express written authorization of Company.
Appears in 1 contract
General Security Requirements. (a) Special Agent shall have a written, comprehensive information security program for the establishment and maintenance of a security system covering all electronic equipment, including its computers and any wireless system that, at a minimum, has the following elements:
(i) Secure user authentication protocols that include:
(A) control of user IDs and other identifiers;
(B) a secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
(C) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
(D) restricting access to active users and active user accounts only;
(E) blocking access to user identification after multiple unsuccessful attempts to gain access or limitation placed on access for the particular system;
(F) prohibitions against sharing or migrating access privileges to another individual; and
(G) assignment of access privileges only to identifiable, individual accounts, and all activity conducted by these accounts must be auditable.
(ii) Secure access control measures that:
(A) restrict access to records and files containing Confidential Information to those who need such information to perform their job duties; and
(B) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls.
(b) Company may require Special Agent to have an annual review and/or an annual technical audit of its security policies and practices by Company, or, at Special Agent’s option and expense, an independent auditor, to ensure compliance with this Amendment. The third party audit report, including recommendations for remedying deficiencies where appropriate, will be provided to Company within seven (7) business days of receipt of the report by Special Agent. Special Agent shall have thirty (30) calendar days to implement remedies to any identified deficiencies, and notify Company that such deficiencies have been addressed. Special Agent’s failure to remedy the identified deficiencies shall be considered in breach of this Section 5.
(c) Special Agent will encrypt all records and files containing Confidential Information that are transmitted across public networks or transmitted wirelessly.
(d) Special Agent will encrypt all desktop computers, laptops and all other portable devices on which Confidential Information is stored.
(e) Special Agent will monitor systems for unauthorized use of or access to Confidential Information.
(f) For files containing Confidential Information on a system that is connected to the Internet, Special Agent will maintain up-to-date firewall protection and operating system security patches designed to maintain the integrity of the Confidential Information.
(g) Special Agent will maintain up-to-date versions of system security agent software which includes malware protection and up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.
(h) Special Agent will educate and train employees on the proper use of the computer security system and the importance of Confidential Information security. In addition:
(i) Special Agent will designate one or more employees to maintain the comprehensive information security program.
(ii) Special Agent will identify and assess foreseeable internal and external risks to the security, confidentiality and/or integrity of any electronic, paper or other records containing Confidential Information, and will evaluate and improve, where necessary, the effectiveness of their current safeguards for limiting such risks, including but not limited to: (A) ongoing employee (including temporary and contract employee) training; (B) employee compliance with policies and procedures; and (C) means for detecting and preventing security system failures.
(iii) Special Agent will maintain a security policy for Representatives that protects records containing Confidential Information that are transported outside of business premises.
(iv) Special Agent will impose appropriate disciplinary measures for employees that violate its comprehensive information security program rules.
(v) Special Agent will have processes in place to prevent terminated employees from accessing records containing Confidential Information by immediately terminating their physical and electronic access to such records, including deactivating their passwords and user names.
(i) No transfer of Confidential Information may be made by Special Agent outside of the United States without the prior, express written authorization of Company.
Appears in 1 contract
Samples: Contracting Checklist
General Security Requirements. When storing Confidential Information, Producer shall comply with the following requirements:
(a) Producer shall have a written, comprehensive information security program for the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, shall have the following elements:
(i) Secure user authentication protocols that include:
(A) control of user IDs and other identifiers;
(B) a secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
(C) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
(D) restricting access to active users and active user accounts only;
(E) blocking access to user identification after multiple unsuccessful attempts to gain access or limitation placed on access for the particular system;
(F) prohibitions against sharing or migrating access privileges to another individual; and
(G) assignment of access privileges only to identifiable, individual accounts, and all activity conducted by these accounts must be auditable.
(ii) Secure access control measures that:
(A) restrict access to records and files containing Confidential Information to those who need such information to perform their job duties; and
(B) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls.
(b) To the extent technically feasible, Producer will encrypt all records and files containing Confidential Information that are transmitted across public networks or transmitted wirelessly.
(c) Producer will monitor systems for unauthorized use of or access to Confidential Information.
(d) Producer will encrypt all Confidential Information stored on laptops or other portable devices.
(e) For files containing Confidential Information on a system that is connected to the Internet, Producer will maintain up-to-date firewall protection and operating system security patches designed to maintain the integrity of the Confidential Information.
(f) Producer will maintain up-to-date versions of system security agent software which includes malware protection and up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.
(g) Producer will educate and train employees on the proper use of the computer security system and the importance of Confidential Information security. In addition:
(i) Producer will designate one or more employees to maintain the comprehensive information security program.
(ii) Producer will identify and assess foreseeable internal and external risks to the security, confidentiality and/or integrity of any electronic, paper or other records containing Confidential Information, and will evaluate and improve, where necessary, the effectiveness of their current safeguards for limiting such risks, including but not limited to: (A) ongoing employee (including temporary and contract employee) training; (B) employee compliance with policies and procedures; and (C) means for detecting and preventing security system failures.
(iii) Producer will maintain a security policy for Representatives that protects records containing Confidential Information that are transported outside of business premises.
(iv) Producer will impose appropriate disciplinary measures for employees that violate their comprehensive information security program rules.
(v) Producer will have processes in place to prevent terminated employees from accessing records containing Confidential Information by immediately terminating their physical and electronic access to such records, including deactivating their passwords and user names.
Appears in 1 contract
Samples: Producer Agreement
General Security Requirements. (a) GA Special Agent shall have a written, comprehensive information security program for the establishment and maintenance of a security system covering all electronic equipment, including its computers and any wireless system that, at a minimum, has the following elements:
(i) Secure user authentication protocols that include:
(A) control of user IDs and other identifiers;
(B) a secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
(C) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
(D) restricting access to active users and active user accounts only;
(E) blocking access to user identification after multiple unsuccessful attempts to gain access or limitation placed on access for the particular system;
(F) prohibitions against sharing or migrating access privileges to another individual; and
(G) assignment of access privileges only to identifiable, individual accounts, and all activity conducted by these accounts must be auditable.
(ii) Secure access control measures that:
(A) restrict access to records and files containing Confidential Information to those who need such information to perform their job duties; and
(B) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls.
(b) Company may require GA Special Agent to have an annual review and/or an annual technical audit of its security policies and practices by Company, or, at GA Special Agent’s option and expense, an independent auditor, to ensure compliance with this Amendment. The third party audit report, including recommendations for remedying deficiencies where appropriate, will be provided to Company within seven (7) business days of receipt of the report by GA Special Agent. GA Special Agent shall have thirty (30) calendar days to implement remedies to any identified deficiencies, and notify Company that such deficiencies have been addressed. GA Special Agent’s failure to remedy the identified deficiencies shall be considered in breach of this Section 5.
(c) GA Special Agent will encrypt all records and files containing Confidential Information that are transmitted across public networks or transmitted wirelessly.
(d) GA Special Agent will encrypt all desktop computers, laptops and all other portable devices on which Confidential Information is stored.
(e) GA Special Agent will monitor systems for unauthorized use of or access to Confidential Information.
(f) For files containing Confidential Information on a system that is connected to the Internet, GA Special Agent will maintain up-to-date firewall protection and operating system security patches designed to maintain the integrity of the Confidential Information.
(g) GA Special Agent will maintain up-to-date versions of system security agent software which includes malware protection and up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.
(h) GA Special Agent will educate and train employees on the proper use of the computer security system and the importance of Confidential Information security. In addition:
(i) GA Special Agent will designate one or more employees to maintain the comprehensive information security program.
(ii) GA Special Agent will identify and assess foreseeable internal and external risks to the security, confidentiality and/or integrity of any electronic, paper or other records containing Confidential Information, and will evaluate and improve, where necessary, the effectiveness of their current safeguards for limiting such risks, including but not limited to: (A) ongoing employee (including temporary and contract employee) training; (B) employee compliance with policies and procedures; and (C) means for detecting and preventing security system failures.
(iii) GA Special Agent will maintain a security policy for Representatives that protects records containing Confidential Information that are transported outside of business premises.
(iv) GA Special Agent will impose appropriate disciplinary measures for employees that violate its comprehensive information security program rules.
(v) GA Special Agent will have processes in place to prevent terminated employees from accessing records containing Confidential Information by immediately terminating their physical and electronic access to such records, including deactivating their passwords and user names.
(i) No transfer of Confidential Information may be made by GA Special Agent outside of the United States without the prior, express written authorization of Company.
Appears in 1 contract
Samples: Contracting Checklist
General Security Requirements. (a) GA Special Agent shall have a written, comprehensive information security program for the establishment and maintenance of a security system covering all electronic equipment, including its computers and any wireless system that, at a minimum, has the following elements:
(i) Secure user authentication protocols that include:
(A) control of user IDs and other identifiers;
(B) a secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
(C) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
(D) restricting access to active users and active user accounts only;
(E) blocking access to user identification after multiple unsuccessful attempts to gain access or limitation placed on access for the particular system;
(F) prohibitions against sharing or migrating access privileges to another individual; and
(G) assignment of access privileges only to identifiable, individual accounts, and all activity conducted by these accounts must be auditable.
(ii) Secure access control measures that:
(A) restrict access to records and files containing Confidential Information to those who need such information to perform their job duties; and
(B) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls.
(b) Company may require GA Special Agent to have an annual review and/or an annual technical audit of its security policies and practices by Company, or, at GA Special Agent’s option and expense, an independent auditor, to ensure compliance with this Addendum. The third party audit report, including recommendations for remedying deficiencies where appropriate, will be provided to Company within seven (7) business days of receipt of the report by GA Special Agent. GA Special Agent shall have thirty (30) calendar days to implement remedies to any identified deficiencies, and notify Company that such deficiencies have been addressed. GA Special Agent’s failure to remedy the identified deficiencies shall be considered in breach of this Section 5.
(c) GA Special Agent will encrypt all records and files containing Confidential Information that are transmitted across public networks or transmitted wirelessly.
(d) GA Special Agent will encrypt all desktop computers, laptops and all other portable devices on which Confidential Information is stored.
(e) GA Special Agent will monitor systems for unauthorized use of or access to Confidential Information.
(f) For files containing Confidential Information on a system that is connected to the Internet, GA Special Agent will maintain up-to-date firewall protection and operating system security patches designed to maintain the integrity of the Confidential Information.
(g) GA Special Agent will maintain up-to-date versions of system security agent software which includes malware protection and up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.
(h) GA Special Agent will educate and train employees on the proper use of the computer security system and the importance of Confidential Information security. In addition:
(i) GA Special Agent will designate one or more employees to maintain the comprehensive information security program.
(ii) GA Special Agent will identify and assess foreseeable internal and external risks to the security, confidentiality and/or integrity of any electronic, paper or other records containing Confidential Information, and will evaluate and improve, where necessary, the effectiveness of their current safeguards for limiting such risks, including but not limited to: (A) ongoing employee (including temporary and contract employee) training; (B) employee compliance with policies and procedures; and (C) means for detecting and preventing security system failures.
(iii) GA Special Agent will maintain a security policy for Representatives that protects records containing Confidential Information that are transported outside of business premises.
(iv) GA Special Agent will impose appropriate disciplinary measures for employees that violate its comprehensive information security program rules.
(v) GA Special Agent will have processes in place to prevent terminated employees from accessing records containing Confidential Information by immediately terminating their physical and electronic access to such records, including deactivating their passwords and user names.
(i) No transfer of Confidential Information may be made by GA Special Agent outside of the United States without the prior, express written authorization of Company.
Appears in 1 contract
Samples: Medicare Advantage and Part D Prescription Contract