Breaches and Security Incidents During the term of the Agreement, CONTRACTOR 27 agrees to implement reasonable systems for the discovery of any Breach of unsecured DHCS PI and PII 28 or security incident. CONTRACTOR agrees to give notification of any beach of unsecured DHCS PI 29 and PII or security incident in accordance with subparagraph F, of the Business Associate Contract, 30 Exhibit B to the Agreement.
Security Incident Reporting A security incident occurs when CDA information assets are or reasonably believed to have been accessed, modified, destroyed, or disclosed without proper authorization, or are lost, or stolen. Subrecipient must comply with CDA’s security incident reporting procedures located at xxxxx://xxx.xxxxx.xx.xxx/ProgramsProviders/#Resources.
Security Incident Response Upon becoming aware of a Security Incident, MailChimp shall notify Customer without undue delay and shall provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer.
Security Incident “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
Security Incidents 11.1 Includes identification, managing and agreed reporting procedures for actual or suspected security breaches.
COMPLIANCE WITH NEW YORK STATE INFORMATION SECURITY BREACH AND NOTIFICATION ACT Contractor shall comply with the provisions of the New York State Information Security Breach and Notification Act (General Business Law Section 899-aa; State Technology Law Section 208).
Security Breach Notice and Reporting The Contractor shall have policies and procedures in place for the effective management of Security Breaches, as defined below, which shall be made available to the State upon request.
Security Incident Notification The Transfer Agent shall promptly notify the Trust but in no event later than 72 hours following discovery of any Security Incident(s). Such notification shall include the extent and nature of such intrusion, disclosure, or unauthorized access, the identity of the compromised Customer Confidential Information (to the extent it can be ascertained), how the Transfer Agent was affected by the Security Incident, and its response to such Security Incident. The Transfer Agent shall use continuous and diligent efforts to remedy the cause and the effects of such Security Incident in an expeditious manner and deliver to the Trust a root cause analysis and future incident Mitigation plan with regard to any such incident. The Transfer Agent shall reasonably cooperate with the Trust’s investigation and response to each Security Incident. If the Trust determines in its sole discretion that it may need or be required to notify any individual(s) as a result of a Security Incident, the Trust shall have the right to control all such notifications and the Transfer Agent shall bear all direct costs associated with the notification, to the extent the notification and corresponding actions are required by U.S. law, and subject to the limitation of liability set forth in the Agreement. Without limiting the foregoing, unless otherwise required by U.S. law, no such notifications shall be made by the Transfer Agent without the Trust’s prior written consent and the Trust shall, together with the Transfer Agent, determine the content and delivery of all such notifications. For the avoidance of doubt, the Transfer Agent shall be solely responsible for all costs and expenses, subject to the limitations of liability under the Agreement that the Trust and/or the Transfer Agent may incur to the extent that they are attributable to or arise from the Transfer Agent’s breach of its confidentiality obligations under the Agreement.
COMPLIANCE WITH BREACH NOTIFICATION AND DATA SECURITY LAWS Contractor shall comply with the provisions of the New York State Information Security Breach and Notification Act (General Business Law § 899-aa and State Technology Law § 208) and commencing March 21, 2020 shall also comply with General Business Law § 899-bb.
Stipulated Penalties for Failure to Comply with Certain Obligations As a contractual remedy, the Friendship Entities and OIG hereby agree that failure to comply with certain obligations as set forth in this CIA may lead to the imposition of the following monetary penalties (hereinafter referred to as “Stipulated Penalties”) in accordance with the following provisions.
1. A Stipulated Penalty of $2,500 (which shall begin to accrue on the day after the date the obligation became due) for each day the Friendship Entities fail to establish and implement any of the following obligations as described in Sections III and IV:
a. a Compliance Officer;
b. a Compliance Committee;
c. the Board of Directors compliance obligations and the engagement of a Compliance Expert, the performance of a Compliance Program Review and the preparation of a Compliance Program Review Report, as required by Section III.A.3.;
d. the management certification obligations;
e. a written Code of Conduct;
f. written Policies and Procedures;
g. the development and/or implementation of a Training Plan for the training of Covered Persons, Relevant Covered Persons, and Board Members;
h. a risk assessment and internal review process as required by Section III.E;
i. a Disclosure Program;
j. Ineligible Persons screening and removal requirements;
k. notification of Government investigations or legal proceedings;
l. policies and procedures regarding the repayment of Overpayments;
m. the repayment of Overpayments as required by Section III.I and Appendix B; n. reporting of Reportable Events; and
o. disclosure of changes to business units or locations.
2. A Stipulated Penalty of $2,500 (which shall begin to accrue on the day after the date the obligation became due) for each day the Friendship Entities fail to engage and use an IRO, as required by Section III.D, Appendix A, or Appendix B.
3. A Stipulated Penalty of $2,500 (which shall begin to accrue on the day after the date the obligation became due) for each day the Friendship Entities fail to submit the Implementation Report or any Annual Reports to OIG in accordance with the requirements of Section V by the deadlines for submission.
4. A Stipulated Penalty of $2,500 (which shall begin to accrue on the day after the date the obligation became due) for each day the Friendship Entities fail to submit any Claims Review or Additional Items Review Report in accordance with the requirements of Section III.D and Appendix B.
5. A Stipulated Penalty of $1,500 for each day the Friendship Entities fail to grant access as required in Section VII. (This Stipulated Penalty shall begin to accrue on the date the Friendship Entities fail to grant access.)
6. A Stipulated Penalty of $50,000 for each false certification submitted by or on behalf of the Friendship Entities as part of their Implementation Report, any Annual Report, additional documentation to a report (as requested by the OIG), or otherwise required by this CIA.
7. A Stipulated Penalty of $1,000 for each day the Friendship Entities fail to comply fully and adequately with any obligation of this CIA. OIG shall provide notice to the Friendship Entities stating the specific grounds for its determination that the Friendship Entities have failed to comply fully and adequately with the CIA obligation(s) at issue and steps the Friendship Entities shall take to comply with the CIA. (This Stipulated Penalty shall begin to accrue 10 days after the date the Friendship Entities receive this notice from OIG of the failure to comply.) A Stipulated Penalty as described in this Subsection shall not be demanded for any violation for which OIG has sought a Stipulated Penalty under Subsections 1- 6 of this Section.
