Personal Identifiable Information Security. Provider shall protect and secure data in electronic form containing such PII. At a minimum, Provider’s safeguards for the protection of PII shall include: 1. Encrypting, securing or modifying such PII by any method or technology that removes elements that personally identify an individual or that otherwise renders the information unusable. 2. Limiting access of PII to Authorized Persons. 3. Securing business facilities, data centers, paper files, servers, back-up systems and computing equipment, including, but not limited to, all mobile devices and other equipment with information storage capability. 4. Implementing network, device application, database, and platform security. 5. Securing information transmission, storage, and disposal; and implementing authentication and access controls within media, applications, operating systems and equipment. 6. Encrypting PII stored on any mobile media. 7. Encrypting PII transmitted over public or wireless networks. 8. Implementing appropriate personnel security and integrity procedures and practices, including, but not limited to, conducting background checks consistent with applicable law, as required by The Children’s Trust from time to time. 9. Providing written copies of appropriate privacy and information security training to Provider’s employees, as required by and to The Children’s Trust. 10. Purchasing and maintaining cyber insurance coverage, in accordance with Section K. 7. 11. Provider shall dispose, or arrange for the disposal, of customer records that contain PII within its custody or control when the records are no longer required to be retained pursuant to Sections H and O. Such disposal shall involve shredding, erasing or otherwise modifying PII in its control or possession to make it unreadable or undecipherable. 12. During the term of each Authorized Person’s employment by Provider, Provider shall at all times cause such Authorized Persons to abide strictly by Provider’s obligations under this Contract. Provider further agrees that it shall maintain a disciplinary process to address any unauthorized access, use or disclosure of PII by any of Provider’s officers, directors, partners, principals, employees, agents or contractors. Upon The Children’s Trust’s request, Provider shall promptly identify all Authorized Persons as of the date of such request to The Children’s Trust in writing. 13. Upon The Children’s Trust’s written request, Provider shall provide The Children’s Trust with a network diagram that outlines Provider’s information technology network infrastructure and all equipment used in relation to fulfilling its obligations under this Contract, including, without limitation: (i) connectivity to The Children’s Trust and all third Parties who may access Provider’s network to the extent the network contains PII; (ii) all network connections including remote access and wireless connectivity; (iii) all access control devices, such as (solely by way of example) firewalls, packet filters, intrusion detection and access-list routers; (iv) all back-up or redundant servers; and (v) permitted access through each network connection.
Appears in 5 contracts
