Common use of GLB Compliance Clause in Contracts

GLB Compliance. (a) First Data acknowledges that Capital One is subject to Title V of the GLB Act, pursuant to which Capital One is required to obtain certain undertakings from First Data with regard to the privacy, use and protection of Personally Identifiable Information of Capital One’s customers or prospective customers. Therefore, notwithstanding anything to the contrary contained in this Agreement and in addition to (and not in substitution for) First Data’s other obligations hereunder: (i) First Data shall protect and keep confidential all Personally Identifiable Information about or pertaining to Capital One’s customers, prospective customers or other individuals about whom Capital One has collected Personally Identifiable Information that is disclosed by Capital One or otherwise obtained by First Data in the performance of its duties under this Agreement (collectively, the “Customer Data”). For the avoidance of doubt, Customer Data shall have the same meaning as the term “nonpublic personal information,” which is defined in Title V of the GLB Act and applicable regulations promulgated thereunder, and does not include (A) information collected from Capital One employees (in their capacity as employees, and not as Capital One’s customers) by First Data for the purpose of administering and providing the Services, and (B) nonpublic information collected from a source other than Capital One that has been obtained on a non-confidential basis and that is not subject to the GLB Act. During the Term, First Data shall collect and use Customer Data only to the extent necessary to exercise its rights or perform its obligations under this Agreement for which such Customer Data was disclosed to First Data or as otherwise directed by Capital One. (ii) First Data shall ensure that First Data Personnel shall not attempt to access, or allow access to, any Customer Data that they are not permitted to access under this Agreement. 
(iii) First Data represents and warrants that it has, and covenants that for so long as it retains Customer Data it will continue to have, adequate administrative, technical, and physical safeguards to (A) ensure the security and confidentiality of such Customer Data; (B) protect against any anticipated threats or hazards to the security or integrity of such Customer Data; (C) protect against unauthorized access to or use of such Customer Data; and (D) without limiting the generality of items (A) through (C) preceding, to meet the objectives of the requirements contained in Section 501(b) of the GLB Act and the Interagency Guidelines Establishing Standards for Safeguarding Capital One Information adopted by federal bank regulatory agencies, including the OTS and Board of Governors of the Federal Reserve System. To the extent technologically feasible, such safeguards shall include using software that: (A) requires all users to enter a user identification and password prior to gaining access to Customer Data; (B) controls and tracks the addition and deletion of users authorized to access Customer Data; and (C) controls and tracks user access to Customer Data. First Data shall develop, implement and maintain, at First Data’s own expense, a proven system or methodology to audit for compliance with the requirements of this Section 13.3(a)(iii) and appropriate mitigation strategies to address issues identified as a result of these audits. (iv) First Data shall promptly notify Capital One if First Data discovers there has been a material breach of, or a serious attempt to breach, its security safeguards required by this Section 13.3, or if the security of Customer Data has been or may be compromised for any reason (including unauthorized access to and unauthorized attempts to access Customer Data). First Data must take appropriate actions to address incidents of unauthorized access to or use of Customer Data. 
Capital One may take all reasonable and appropriate steps to protect Customer Data in such event, including auditing First Data’s security safeguards required under this Section 13.3. First Data shall have a business continuity plan that enables First Data to take appropriate actions to address incidents of unauthorized access to or misuse of Customer Data. Such plan shall also enable Capital One to expeditiously implement its own response program. (v) First Data shall not retain Customer Data unless First Data has a specific business purpose to retain it, which purpose is set forth in this Agreement. First Data shall destroy such Customer Data or return it to Capital One, at Capital One’s option: (i) during the Term promptly following the time at which such Customer Data is no longer needed to provide the Services, or (ii) within sixty (60) days after termination or expiration of this Agreement. (b) The obligations set forth in this Section 13.3 shall survive termination of this Agreement.

Appears in 3 contracts

Samples: Services Agreement (Capital One Funding, LLC), Services Agreement (Capital One Auto Receivables LLC), Services Agreement (Capital One Financial Corp)


GLB Compliance. (a) First Data TSYS acknowledges that Capital One is subject to Title V of the GLB ActAct and the Interagency Guidelines Establishing Standards for Safeguarding Customer Information adopted by federal bank regulatory agencies, including the OTS and Board of Governors of the Federal Reserve System, as each may be amended from time to time (collectively, the “GLB Regulations”) and may be subject to Canadian Privacy Legislation pursuant to which Capital One is required to comply with certain regulations and implement certain procedures and processes with respect the privacy, use and protection of Personally Identifiable Information of Capital One’s customers or prospective customers, and, as a result of engaging TSYS to perform the Services is required to obtain certain undertakings from First Data TSYS with regard to the privacy, use and protection of Personally Identifiable Information of Capital One’s customers or prospective customers. Therefore, notwithstanding anything to the contrary contained in this Agreement Agreement, and in addition to (and not in substitution for) First Data’s TSYS’ other obligations hereunderunder this Agreement, TSYS shall, in accordance with the GLB Act and the GLB Regulations, for so long as it retains Customer Information: (i) First Data shall protect and keep confidential all Personally Identifiable Information about or pertaining to Capital One’s customers, prospective customers or other individuals about whom Capital One has collected Personally Identifiable Information that is disclosed by Capital One or otherwise obtained by First Data TSYS in the performance of its duties under this Agreement (collectively, the “Customer DataInformation”). 
For the avoidance of doubt, Customer Data shall have the same meaning as the term Information includes all data considered “nonpublic personal information,which is as defined in Title V of the GLB Act and applicable regulations promulgated thereunder, and does not include (A) information collected from Capital One employees (in their capacity as employees, and not as Capital One’s customers) by First Data for the purpose of administering and providing the Services, and (B) nonpublic information collected from a source other than Capital One that has been obtained on a non-confidential basis and that is not subject to the GLB Act. During the Term, First Data TSYS shall collect and use Customer Data Information only to the extent necessary to exercise its rights or perform its obligations under this Agreement for which such Customer Data Information was disclosed to First Data TSYS or as otherwise directed by Capital One.; (ii) First Data shall implement process and procedures designed to ensure that First Data TSYS Personnel shall not attempt to access, or allow access to, any Customer Data Information that they are not permitted to access under this Agreement.; (iii) First Data represents and warrants that it has, and covenants that for so long as it retains Customer Data it will continue to have, adequate have administrative, technical, and physical safeguards to to: (A) ensure the security and confidentiality of such Customer Data; Information; (B) protect against any anticipated threats or hazards to the security or integrity of such Customer Data; Information; (C) protect against unauthorized access to or use of such Customer DataInformation; and and (D) without limiting the generality of items (A) through (C) preceding, to meet the objectives of the requirements contained in Section 501(b) of the GLB Act and the Interagency Guidelines Establishing Standards for Safeguarding Capital One Information adopted by federal bank regulatory agencies, including the OTS 
and Board of Governors of the Federal Reserve SystemGLB Regulations. To the extent technologically feasible, such Such safeguards shall include using software systems and controls that: (A1) requires all users to enter a user identification and password prior to gaining access to Customer DataInformation; (B2) controls and tracks the addition and deletion of users authorized to access Customer DataInformation; and (C3) controls and tracks user access to Customer Data. First Data shall develop, Information; (iv) implement and maintain, at First Data’s TSYS’ own expense, a proven system or methodology to audit for [***] compliance with the requirements of this Section 13.3(a)(iii) 13.2 and appropriate mitigation strategies to address issues identified as a result of these audits.such [***]; and (ivv) First Data shall promptly notify Capital One if First Data TSYS discovers there has been a material breach of, or a serious attempt to breach, its security safeguards required by this Section 13.3, or if 13.2 such that the security of Customer Data Information has been been, or TSYS has a reasonable basis to believe may be have been, compromised for any reason (including unauthorized access to and unauthorized attempts to access Customer DataInformation). First Data must TSYS shall provide such notice promptly, and in all cases within [***] hours, after discovery of the breach or attempted breach. TSYS shall take appropriate actions to address incidents of unauthorized access to or use of Customer DataInformation. Capital One may take all reasonable and appropriate steps to protect Customer Data Information in such event, including auditing First Data’s investigating TSYS’ security safeguards required under this Section 13.3. First Data shall have a business continuity plan that enables First Data to take appropriate actions to address incidents of unauthorized access to or misuse of Customer Data. 
Such plan shall also enable Capital One to expeditiously implement its own response program13.2. (vb) First Data TSYS shall not retain Customer Data Information unless First Data has a specific business purpose it is required to retain itdo so to perform the Services or by applicable law. (c) Upon reasonable notice to TSYS, which purpose is set forth in this Agreement. First Data shall destroy such Customer Data or return it to Capital One, One and its representatives may (at Capital One’s option: (i) during review either TSYS’ information technology infrastructure security or an independent audit provided by TSYS in order to monitor TSYS’ compliance with the Term promptly following the time at which such Customer Data is no longer needed to provide the Services, or (ii) within sixty (60) days after termination or expiration terms of this AgreementSection 13.2. TSYS shall implement, and maintain, at TSYS’ own expense, appropriate mitigation strategies to address issues identified as a result of these reviews. (bd) The obligations set forth in this Section 13.3 13.2 are material for purposes of determining a breach of the Agreement, and they shall survive termination of this Agreement.

Appears in 1 contract

Samples: Processing Services Agreement (Capital One Financial Corp)
