Protecting and Reporting the Loss of Personally Identifiable Information (PII)
PII is any information about an individual maintained by an entity, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, SSN, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
1. The Requesting Party’s Responsibilities in Safeguarding PII
The Requesting Party shall establish, maintain, and follow its own policy and procedures to protect PII, including policies and procedures for reporting lost or compromised, or potentially lost or compromised, PII. The Requesting Party shall inform its Authorized Users which handle PII of their individual responsibility to safeguard such information. In addition, the Requesting Party shall, within reason, take appropriate and necessary action to: (1) educate Authorized Users on the proper procedures designed to protect PII; and (2) enforce their compliance with the policy and procedures prescribed. All Authorized Users shall properly safeguard PII from loss, theft, or inadvertent disclosure. Each Authorized User is responsible for safeguarding this information at all times, regardless of whether or not the user is at his or her regular duty station.
2. Reporting Lost, Compromised or Potentially Compromised PII
(a) When the Requesting Party or its Authorized User becomes aware or suspects that XXX has been lost, compromised, or potentially compromised, the Requesting Party, in accordance with its incident reporting process, shall provide immediate notification of the incident to the primary SSA contact. If the primary SSA contact is not readily available, the Requesting Party shall immediately notify one of two SSA alternates, if names of alternates have been provided. (See Section XVI for the phone numbers of the designated primary and alternate SSA contacts.) The Requesting Party shall act to ensure that each Authorized User has been given information as to who the primary and alternate SSA contacts are and how to contact them.
(b) The Requesting Party shall provide the primary SSA contact or the alternate, as applicable, with updates on the status of the reported PII loss or compromise as they become available but shall not delay the initial report.
(c) The Requesting Party shall provide complete and accurate information about the details of the possible PII loss to assist the SSA contact/alternate, including the following information:
1. Contact information;
2. A description of the loss, compromise, or potential compromise (i.e., nature of loss/compromise/potential compromise, scope, number of files or records, type of equipment or media, etc.) including the approximate time and location of the loss;
3. A description of safeguards used, where applicable (e.g., locked briefcase, redacted personal information, password protection, encryption, etc.);
4. Name of SSA employee contacted;
5. Whether the Requesting Party or the Authorized User has contacted or been contacted by any external organizations (i.e., other agencies, law enforcement, press, etc.);
6. Whether the Requesting Party or the Authorized User has filed any other reports (i.e., Federal Protective Service, local police, and SSA reports); and
7. Any other pertinent information