Common use of Security Breach Notification Clause in Contracts

Security Breach Notification. 32.2.1 CONTRACTOR shall have policies and procedures in place for the effective management of Security Breaches, as defined below. In the event of any actual, attempted, suspected, threatened, or reasonably foreseeable circumstance CONTRACTOR experiences or learns of that either compromises or could reasonably be expected to comprise COUNTY data through unauthorized use, disclosure, or acquisition of COUNTY data (“Security Breach”), CONTRACTOR shall immediately notify COUNTY of its discovery. After such notification, CONTRACTOR shall, at its own expense, immediately: Investigate to determine the nature and extent of the Security Breach. Contain the incident by taking necessary action, including, but not limited to, attempting to recover records, revoking access, and/or correcting weaknesses in security. Report to COUNTY the nature of the Security Breach, the COUNTY data used or disclosed, the person who made the unauthorized use or received the unauthorized disclosure, what CONTRACTOR has done or will do to mitigate any harmful effect of the unauthorized use or disclosure, and the corrective action CONTRACTOR has taken or will take to prevent future similar unauthorized use or disclosure. 32.2.2 The COUNTY, at its sole discretion and on a case-by-case basis, will determine what actions are necessary in response to the Security Breach and who will perform these actions. Actions may include, but are not limited to: notifications; investigation and remediation costs, including notification of all whose personal information was disclosed; outside investigation; forensics; counsel; crisis management; and credit monitoring. In the event COUNTY determines CONTRACTOR will conduct additional action(s), CONTRACTOR shall bear the costs. In the event COUNTY conducts additional actions(s) arising out of or in connection with a Security Breach, CONTRACTOR shall reimburse COUNTY for costs associated to legally required actions.

Security Breach Notification. 32.2.1 29.2.1 CONTRACTOR shall have policies and procedures in place for the effective management of Security Breaches, as defined below. In the event of any actual, attempted, suspected, threatened, or reasonably foreseeable circumstance CONTRACTOR experiences or learns of that either compromises or could reasonably be expected to comprise COUNTY data through unauthorized use, disclosure, or acquisition of COUNTY data (“Security Breach”), CONTRACTOR shall immediately notify COUNTY of its discovery. After such notification, CONTRACTOR shall, at its own expense, immediately: Investigate to determine the nature and extent of the Security Breach. Contain the incident by taking necessary action, including, but not limited to, attempting to recover records, revoking access, and/or correcting weaknesses in security. Report to COUNTY the nature of the Security Breach, the COUNTY data used or disclosed, the person who made the unauthorized use or received the unauthorized disclosure, what CONTRACTOR has done or will do to mitigate any harmful effect of the unauthorized use or disclosure, and the corrective action CONTRACTOR has taken or will take to prevent future similar unauthorized use or disclosure. 32.2.2 29.2.2 The COUNTY, at its sole discretion and on a case-by-case basis, will determine what actions are necessary in response to the Security Breach and who will perform these actions. Actions may include, but are not limited to: notifications; investigation and remediation costs, including notification of all whose personal information was disclosed; outside investigation; forensics; counsel; crisis management; and credit monitoring. In the event COUNTY determines CONTRACTOR will conduct additional action(s), CONTRACTOR shall bear the costs. In the event COUNTY conducts additional actions(s) arising out of or in connection with a Security Breach, CONTRACTOR shall reimburse COUNTY for costs associated to legally required actions.

Security Breach Notification. 32.2.1 31.2.1 CONTRACTOR shall have policies and procedures in place for the effective management of Security Breaches, as defined below. In the event of any actual, attempted, suspected, threatened, or reasonably foreseeable circumstance CONTRACTOR experiences or learns of that either compromises or could reasonably be expected to comprise COUNTY data through unauthorized use, disclosure, or acquisition of COUNTY data (“Security Breach”), CONTRACTOR shall immediately notify COUNTY of its discovery. After such notification, CONTRACTOR shall, at its own expense, immediately: Investigate to determine the nature and extent of the Security Breach. Contain the incident by taking necessary action, including, but not limited to, attempting to recover records, revoking access, and/or correcting weaknesses in security. Report to COUNTY the nature of the Security Breach, the COUNTY data used or disclosed, the person who made the unauthorized use or received the unauthorized disclosure, what CONTRACTOR has done or will do to mitigate any harmful effect of the unauthorized use or disclosure, and the corrective action CONTRACTOR has taken or will take to prevent future similar unauthorized use or disclosure. 32.2.2 31.2.2 The COUNTY, at its sole discretion and on a case-by-case basis, will determine what actions are necessary in response to the Security Breach and who will perform these actions. Actions may include, but are not limited to: notifications; investigation and remediation costs, including notification of all whose personal information was disclosed; outside investigation; forensics; counsel; crisis management; and credit monitoring. In the event COUNTY determines CONTRACTOR will conduct additional action(s), CONTRACTOR shall bear the costs. In the event COUNTY conducts additional actions(s) arising out of or in connection with a Security Breach, CONTRACTOR shall reimburse COUNTY for costs associated to legally required actions.

Security Breach Notification. 32.2.1 33.2.1 CONTRACTOR shall have policies and procedures in place for the effective management of Security Breaches, as defined below. In the event of any actual, attempted, suspected, threatened, or reasonably foreseeable circumstance CONTRACTOR experiences or learns of that either compromises or could reasonably be expected to comprise COUNTY data through unauthorized use, disclosure, or acquisition of COUNTY data (“Security Breach”), CONTRACTOR shall immediately notify COUNTY of its discovery. After such notification, CONTRACTOR shall, at its own expense, immediately: Investigate to determine the nature and extent of the Security Breach. Contain the incident by taking necessary action, including, but not limited to, attempting to recover records, revoking access, and/or correcting weaknesses in security. Report to COUNTY the nature of the Security Breach, the COUNTY data used or disclosed, the person who made the unauthorized use or received the unauthorized disclosure, what CONTRACTOR has done or will do to mitigate any harmful effect of the unauthorized use or disclosure, and the corrective action CONTRACTOR has taken or will take to prevent future similar unauthorized use or disclosure. 32.2.2 33.2.2 The COUNTY, at its sole discretion and on a case-by-case basis, will determine what actions are necessary in response to the Security Breach and who will perform these actions. Actions may include, but are not limited to: notifications; investigation and remediation costs, including notification of all whose personal information was disclosed; outside investigation; forensics; counsel; crisis management; and credit monitoring. In the event COUNTY determines CONTRACTOR will conduct additional action(s), CONTRACTOR shall bear the costs. In the event COUNTY conducts additional actions(s) arising out of or in connection with a Security Breach, CONTRACTOR shall reimburse COUNTY for costs associated to legally required actions.

Security Breach Notification. 32.2.1 34.2.1 CONTRACTOR shall have policies and procedures in place for the effective management of Security Breaches, as defined below. In the event of any actual, attempted, suspected, threatened, or reasonably foreseeable circumstance CONTRACTOR experiences or learns of that either compromises or could reasonably be expected to comprise COUNTY data through unauthorized use, disclosure, or acquisition of COUNTY data (“Security Breach”), CONTRACTOR shall immediately notify COUNTY of its discovery. After such notification, CONTRACTOR shall, at its own expense, immediately: Investigate to determine the nature and extent of the Security Breach. Contain the incident by taking necessary action, including, but not limited to, attempting to recover records, revoking access, and/or correcting weaknesses in security. Report to COUNTY the nature of the Security Breach, the COUNTY data used or disclosed, the person who made the unauthorized use or received the unauthorized disclosure, what CONTRACTOR has done or will do to mitigate any harmful effect of the unauthorized use or disclosure, and the corrective action CONTRACTOR has taken or will take to prevent future similar unauthorized use or disclosure. 32.2.2 34.2.2 The COUNTY, at its sole discretion and on a case-by-case basis, will determine what actions are necessary in response to the Security Breach and who will perform these actions. Actions may include, but are not limited to: notifications; investigation and remediation costs, including notification of all whose personal information was disclosed; outside investigation; forensics; counsel; crisis management; and credit monitoring. In the event COUNTY determines CONTRACTOR will conduct additional action(s), CONTRACTOR shall bear the costs. In the event COUNTY conducts additional actions(s) arising out of or in connection with a Security Breach, CONTRACTOR shall reimburse COUNTY for costs associated to legally required actions.

Security Breach Notification. 32.2.1 CONTRACTOR shall have policies and procedures in place for the effective management of Security Breaches, as defined below. In the event of any actual, attempted, suspected, threatened, or reasonably foreseeable circumstance CONTRACTOR experiences or learns of that either compromises or could reasonably be expected to comprise COUNTY data through unauthorized use, disclosure, or acquisition of COUNTY data (“Security Breach”), CONTRACTOR shall immediately notify COUNTY of its discovery. After such notification, CONTRACTOR shall, at its own expense, immediately: Investigate to determine the nature and extent of the Security Breach. Contain the incident by taking necessary action, including, but not limited to, attempting to recover records, revoking access, and/or correcting weaknesses in security. Report to COUNTY the nature of the Security Breach, the COUNTY data used or disclosed, the person who made the unauthorized use or received the unauthorized disclosure, what CONTRACTOR has done or will do to mitigate any harmful effect of the unauthorized use or disclosure, and the corrective action CONTRACTOR has taken or will take to prevent future similar unauthorized use or disclosure. 32.2.2 The COUNTY, at its sole discretion and on a case-by-case basis, will determine what actions are necessary in response to the Security Breach and who will perform these actions. Actions may include, but are not limited to: notifications; investigation and remediation costs, including notification of all whose personal information was disclosed; outside investigation; forensics; counsel; crisis management; and credit monitoring. In the event COUNTY determines CONTRACTOR will conduct additional action(s), CONTRACTOR shall bear the costs. In the event COUNTY conducts additional actions(s) arising out of or in connection with a Security Breach, CONTRACTOR shall reimburse COUNTY for costs associated to legally required actions.DocuSign Envelope ID: 40A3DBA1-1EC3-47FB-9184-F7D865CC9EEA

Security Breach Notification. 32.2.1 30.2.1 CONTRACTOR shall have policies and procedures in place for the effective management of Security Breaches, as defined below. In the event of any actual, attempted, suspected, threatened, or reasonably foreseeable circumstance CONTRACTOR experiences or learns of that either compromises or could reasonably be expected to comprise COUNTY data through unauthorized use, disclosure, or acquisition of COUNTY data (“Security Breach”), CONTRACTOR shall immediately notify COUNTY of its discovery. After such notification, CONTRACTOR shall, at its own expense, immediately: Investigate to determine the nature and extent of the Security Breach. Contain the incident by taking necessary action, including, but not limited to, attempting to recover records, revoking access, and/or correcting weaknesses in security. Report to COUNTY the nature of the Security Breach, the COUNTY data used or disclosed, the person who made the unauthorized use or received the unauthorized disclosure, what CONTRACTOR has done or will do to mitigate any harmful effect of the unauthorized use or disclosure, and the corrective action CONTRACTOR has taken or will take to prevent future similar unauthorized use or disclosure. 32.2.2 30.2.2 The COUNTY, at its sole discretion and on a case-by-case basis, will determine what actions are necessary in response to the Security Breach and who will perform these actions. Actions may include, but are not limited to: notifications; investigation and remediation costs, including notification of all whose personal information was disclosed; outside investigation; forensics; counsel; crisis management; and credit monitoring. In the event COUNTY determines CONTRACTOR will conduct additional action(s), CONTRACTOR shall bear the costs. In the event COUNTY conducts additional actions(s) arising out of or in connection with a Security Breach, CONTRACTOR shall reimburse COUNTY for costs associated to legally required actions.

Security Breach Notification. 32.2.1 33.2.1 CONTRACTOR shall have policies and procedures in place for the effective management of Security Breaches, as defined below. In the event of any actual, attempted, suspected, threatened, or reasonably foreseeable circumstance CONTRACTOR experiences or learns of that either compromises or could reasonably be expected to comprise COUNTY data through unauthorized use, disclosure, or acquisition of COUNTY data (“Security Breach”), CONTRACTOR shall immediately notify COUNTY of its discovery. After such notification, CONTRACTOR shall, at its own expense, immediately: Investigate to determine the nature and extent of the Security Breach. Contain the incident by taking necessary action, including, but DocuSign Envelope ID: 44282CE5-6473-48DF-9776-506176377993 not limited to, attempting to recover records, revoking access, and/or correcting weaknesses in security. Report to COUNTY the nature of the Security Breach, the COUNTY data used or disclosed, the person who made the unauthorized use or received the unauthorized disclosure, what CONTRACTOR has done or will do to mitigate any harmful effect of the unauthorized use or disclosure, and the corrective action CONTRACTOR has taken or will take to prevent future similar unauthorized use or disclosure. 32.2.2 33.2.2 The COUNTY, at its sole discretion and on a case-by-case basis, will determine what actions are necessary in response to the Security Breach and who will perform these actions. Actions may include, but are not limited to: notifications; investigation and remediation costs, including notification of all whose personal information was disclosed; outside investigation; forensics; counsel; crisis management; and credit monitoring. In the event COUNTY determines CONTRACTOR will conduct additional action(s), CONTRACTOR shall bear the costs. In the event COUNTY conducts additional actions(s) arising out of or in connection with a Security Breach, CONTRACTOR shall reimburse COUNTY for costs associated to legally required actions.

Security Breach Notification. 32.2.1 CONTRACTOR shall have policies and procedures in place for the effective management of Security Breaches, as defined below. In the event of any actual, attempted, suspected, threatened, or reasonably foreseeable circumstance CONTRACTOR experiences or learns of that either compromises or could reasonably be expected to comprise COUNTY data through unauthorized use, disclosure, or acquisition of COUNTY data (“Security Breach”), CONTRACTOR shall immediately notify COUNTY of its discovery. After such notification, CONTRACTOR shall, at its own expense, immediately: Investigate to determine the nature and extent of the Security Breach. Contain the incident by taking necessary action, including, but not limited to, attempting to recover records, revoking access, and/or correcting weaknesses in security. Report to COUNTY the nature of the Security Breach, the COUNTY data used or disclosed, the person who made the unauthorized use or received the unauthorized disclosure, what CONTRACTOR has done or will do to mitigate any harmful effect of the unauthorized use or disclosure, and the corrective action CONTRACTOR has taken or will take to prevent future similar unauthorized use or disclosure. 32.2.2 The COUNTY, at its sole discretion and on a case-by-case basis, will determine what actions are necessary in response to the Security Breach and who will perform these actions. Actions may include, but are not limited to: notifications; investigation and remediation costs, including notification of FDA0121 Page 34 of 41 March 3, 2021 all whose personal information was disclosed; outside investigation; forensics; counsel; crisis management; and credit monitoring. In the event COUNTY determines CONTRACTOR will conduct additional action(s), CONTRACTOR shall bear the costs. In the event COUNTY conducts additional actions(s) arising out of or in connection with a Security Breach, CONTRACTOR shall reimburse COUNTY for costs associated to legally required actions.

Security Breach Notification. 32.2.1 CONTRACTOR shall have policies and procedures in place for the effective management of Security Breaches, as defined below. In the event of any actual, attempted, suspected, threatened, or reasonably foreseeable circumstance CONTRACTOR experiences or learns of that either compromises or could reasonably be expected to comprise COUNTY data through unauthorized use, disclosure, or acquisition of COUNTY data (“Security Breach”), CONTRACTOR shall immediately notify COUNTY of its discovery. After such notification, CONTRACTOR shall, at its own expense, immediately: Investigate to determine the nature and extent of the Security Breach. Contain the incident by taking necessary action, including, but not limited to, attempting to recover records, revoking access, and/or correcting weaknesses in security. Report to COUNTY the nature of the Security Breach, the COUNTY data used or disclosed, the person who made the unauthorized use or received the unauthorized disclosure, what CONTRACTOR has done or will do to mitigate any harmful effect of the unauthorized use or disclosure, and the corrective action CONTRACTOR has taken or will take to prevent future similar unauthorized use or disclosure. 32.2.2 . The COUNTY, at in its sole discretion and on a case-by-case basis, will determine what actions are necessary in response to the Security Breach and who will perform these actions. Actions may include, but are not limited to: notifications; investigation and remediation costs, including notification of all whose personal information was disclosed; outside investigation; forensics; counsel; crisis management; and credit monitoring. In the event COUNTY determines CONTRACTOR will conduct additional action(s), CONTRACTOR shall bear the costs. In the event COUNTY conducts additional actions(s) arising out of or in connection with a Security Breach, CONTRACTOR shall reimburse COUNTY for costs associated to legally required actions.

Security Breach Notification. 32.2.1 CONTRACTOR shall have policies and procedures in place for the effective management of Security Breaches, as defined below. In the event of any actual, attempted, suspected, threatened, or reasonably DocuSign Envelope ID: 23B4657D-C98F-4EA3-A3C2-208A37E4A951 foreseeable circumstance CONTRACTOR experiences or learns of that either compromises or could reasonably be expected to comprise COUNTY data through unauthorized use, disclosure, or acquisition of COUNTY data (“Security Breach”), CONTRACTOR shall immediately notify COUNTY of its discovery. After such notification, CONTRACTOR shall, at its own expense, immediately: Investigate to determine the nature and extent of the Security Breach. Contain the incident by taking necessary action, including, but not limited to, attempting to recover records, revoking access, and/or correcting weaknesses in security. Report to COUNTY the nature of the Security Breach, the COUNTY data used or disclosed, the person who made the unauthorized use or received the unauthorized disclosure, what CONTRACTOR has done or will do to mitigate any harmful effect of the unauthorized use or disclosure, and the corrective action CONTRACTOR has taken or will take to prevent future similar unauthorized use or disclosure. 32.2.2 The COUNTY, at its sole discretion and on a case-by-case basis, will determine what actions are necessary in response to the Security Breach and who will perform these actions. Actions may include, but are not limited to: notifications; investigation and remediation costs, including notification of all whose personal information was disclosed; outside investigation; forensics; counsel; crisis management; and credit monitoring. In the event COUNTY determines CONTRACTOR will conduct additional action(s), CONTRACTOR shall bear the costs. In the event COUNTY conducts additional actions(s) arising out of or in connection with a Security Breach, CONTRACTOR shall reimburse COUNTY for costs associated to legally required actions.

Security Breach Notification. 32.2.1 CONTRACTOR shall have policies and procedures in place for the effective management of Security Breaches, as defined below. In the event of any actual, attempted, suspected, threatened, or reasonably foreseeable circumstance CONTRACTOR experiences or learns of that either compromises or could reasonably be expected to comprise COUNTY data through unauthorized use, disclosure, or acquisition of COUNTY data (“Security Breach”), CONTRACTOR shall immediately notify COUNTY of its discovery. After such notification, CONTRACTOR shall, at its own expense, immediately: Investigate to determine the nature and extent of the Security Breach. Contain the incident by taking necessary action, including, but DocuSign Envelope ID: 2F1D3A9A-464B-4F08-AD1F-E394D40DDAD6 not limited to, attempting to recover records, revoking access, and/or correcting weaknesses in security. Report to COUNTY the nature of the Security Breach, the COUNTY data used or disclosed, the person who made the unauthorized use or received the unauthorized disclosure, what CONTRACTOR has done or will do to mitigate any harmful effect of the unauthorized use or disclosure, and the corrective action CONTRACTOR has taken or will take to prevent future similar unauthorized use or disclosure. 32.2.2 The COUNTY, at its sole discretion and on a case-by-case basis, will determine what actions are necessary in response to the Security Breach and who will perform these actions. Actions may include, but are not limited to: notifications; investigation and remediation costs, including notification of all whose personal information was disclosed; outside investigation; forensics; counsel; crisis management; and credit monitoring. In the event COUNTY determines CONTRACTOR will conduct additional action(s), CONTRACTOR shall bear the costs. In the event COUNTY conducts additional actions(s) arising out of or in connection with a Security Breach, CONTRACTOR shall reimburse COUNTY for costs associated to legally required actions.

Security Breach Notification. 32.2.1 30.2.1 CONTRACTOR shall have policies and procedures in place for the effective management of Security Breaches, as defined below. In the event of any actual, attempted, suspected, threatened, or reasonably foreseeable circumstance CONTRACTOR experiences or learns of that either compromises or could reasonably be expected to comprise COUNTY data through unauthorized use, disclosure, or acquisition of COUNTY data (“Security Breach”), CONTRACTOR shall immediately notify COUNTY of its discovery. After such notification, CONTRACTOR shall, at its own expense, immediately: Investigate to determine the nature and extent of the Security Breach. Contain the incident by taking necessary action, including, but not limited to, attempting to recover records, revoking access, and/or correcting weaknesses in security. Report to COUNTY the nature of the Security Breach, the COUNTY data used or disclosed, the person who made the unauthorized use or received the unauthorized disclosure, what CONTRACTOR has done or will do to mitigate any harmful effect of the unauthorized use or disclosure, and the corrective action CONTRACTOR has taken or will take to prevent future similar unauthorized use or disclosure. 32.2.2 30.2.2 The COUNTY, at inat its sole discretion and on a case-by-case basis, will determine what actions are necessary in response to the Security Breach and who will perform these actions. Actions may include, but are not limited to: notifications; investigation and remediation costs, including notification of all whose personal information was disclosed; outside investigation; forensics; counsel; crisis management; and credit monitoring. In the event COUNTY determines CONTRACTOR will conduct additional action(s), CONTRACTOR shall bear the costs. In the MA-063-23011212 Page 38 of 50 March 1, 2023 event COUNTY conducts additional actions(s) arising out of or in connection with a Security Breach, CONTRACTOR shall reimburse COUNTY for costs associated to legally required actions.

Security Breach Notification. 32.2.1 33.2.1 CONTRACTOR shall have policies and procedures in place for the effective management of Security Breaches, as defined below. In the event of any actual, attempted, suspected, threatened, or reasonably foreseeable circumstance CONTRACTOR experiences or learns of that either compromises or could reasonably be expected to comprise COUNTY data through unauthorized use, disclosure, or acquisition of COUNTY data (“Security Breach”), CONTRACTOR shall immediately notify COUNTY of its discovery. After such notification, CONTRACTOR shall, at its own expense, immediately: Investigate to determine the nature and extent of the Security Breach. Contain the incident by taking necessary action, including, but not limited to, attempting to recover records, revoking access, and/or correcting weaknesses in security. Report to COUNTY the nature of the Security Breach, the COUNTY data used or disclosed, the person who made the unauthorized use or received the unauthorized disclosure, what CCD2721-A1 Page 9 of 17 February 1, 2024 CONTRACTOR has done or will do to mitigate any harmful effect of the unauthorized use or disclosure, and the corrective action CONTRACTOR has taken or will take to prevent future similar unauthorized use or disclosure. 32.2.2 . The COUNTY, at its sole discretion and on a case-by-case basis, will determine what actions are necessary in response to the Security Breach and who will perform these actions. Actions may include, but are not limited to: notifications; investigation and remediation costs, including notification of all whose personal information was disclosed; outside investigation; forensics; counsel; crisis management; and credit monitoring. In the event COUNTY determines CONTRACTOR will conduct additional action(s), CONTRACTOR shall bear the costs. In the event COUNTY conducts additional actions(s) arising out of or in connection with a Security Breach, CONTRACTOR shall reimburse COUNTY for costs associated to legally required actionsactionsB attached hereto and incorporated by reference.

Security Breach Notification. 32.2.1 33.2.1 CONTRACTOR shall have policies and procedures in place for the effective management of Security Breaches, as defined below. In the event of any actual, attempted, suspected, threatened, or reasonably foreseeable circumstance CONTRACTOR experiences or learns of that either compromises or could reasonably be expected to comprise COUNTY data through unauthorized use, disclosure, or acquisition of COUNTY data (“Security Breach”), CONTRACTOR shall immediately notify COUNTY of its discovery. After such notification, CONTRACTOR shall, at its own expense, immediately: Investigate to determine the nature and extent of the Security Breach. Contain the incident by taking necessary action, including, but not limited to, attempting to recover records, revoking access, and/or correcting weaknesses in security. Report to COUNTY the nature of the Security Breach, the COUNTY data used or disclosed, the person who made the unauthorized use or received the unauthorized disclosure, what CONTRACTOR has done or will do to mitigate any harmful effect of the unauthorized use or disclosure, and the corrective action CONTRACTOR has taken or will take to prevent future similar unauthorized use or disclosure. 32.2.2 33.2.2 The COUNTY, at in its sole discretion and on a case-by-case basis, will determine what actions are necessary in response to the Security Breach and who will perform these actions. Actions may include, but are not limited to: notifications; investigation and remediation costs, including notification of all whose personal information was disclosed; outside investigation; forensics; counsel; crisis management; and credit monitoring. In the event COUNTY determines CONTRACTOR will conduct additional action(s), CONTRACTOR shall bear the costs. In the event COUNTY conducts additional actions(s) arising out of or in connection with a Security Breach, CONTRACTOR shall reimburse COUNTY for costs associated to legally required actions. 34. COPYRIGHT ACCESS‌ The U.S. Department of Health and Human Services, the CDSS, and COUNTY will have a royalty-free, nonexclusive, and irrevocable license to publish, translate, or use, now and hereafter, all material developed under this Agreement, including those covered by copyright.

Security Breach Notification. 32.2.1 CONTRACTOR shall have policies and procedures in place for the effective management of Security Breaches, as defined below. In the event of any actual, attempted, suspected, threatened, or reasonably foreseeable circumstance CONTRACTOR experiences or learns of that either compromises or could reasonably be expected to comprise COUNTY data through unauthorized use, disclosure, or acquisition of COUNTY data (“Security Breach”), CONTRACTOR shall immediately notify COUNTY of its discovery. After such notification, CONTRACTOR shall, at its own expense, immediately: Investigate to determine the nature and extent of the Security Breach. Contain the incident by taking necessary action, including, but not limited to, attempting to recover records, revoking access, and/or correcting weaknesses in security. Report to COUNTY the nature of the Security Breach, the COUNTY data used or disclosed, the person who made the unauthorized use or received the unauthorized disclosure, what CONTRACTOR has done or will do to mitigate any harmful effect of the unauthorized use or disclosure, and the corrective action CONTRACTOR has taken or will take to prevent future similar unauthorized use or disclosure. 32.2.2 The COUNTY, at its sole discretion and on a case-by-case basis, will determine what actions are necessary in response to the Security Breach and who will perform these actions. Actions may include, but are not limited to: notifications; investigation and remediation costs, including notification of all whose personal information was disclosed; outside investigation; forensics; counsel; crisis management; and credit monitoring. In the event COUNTY determines CONTRACTOR will conduct additional action(s), CONTRACTOR shall bear the costs. In the event COUNTY conducts additional actions(s) arising out of or in connection with a Security Breach, CONTRACTOR shall reimburse COUNTY for costs associated to legally required actions.

Security Breach Notification. 32.2.1 30.2.1 CONTRACTOR shall have policies and procedures in place for the effective management of Security Breaches, as defined below. In the event of any actual, attempted, suspected, threatened, or reasonably foreseeable circumstance CONTRACTOR experiences or learns of that either compromises or could reasonably be expected to comprise COUNTY data through unauthorized use, disclosure, or acquisition of COUNTY data (“Security Breach”), CONTRACTOR shall immediately notify COUNTY of its discovery. After such notification, CONTRACTOR shall, at its own expense, immediately: Investigate to determine the nature and extent of the Security Breach. Contain the incident by taking necessary action, including, but not limited to, attempting to recover records, revoking access, and/or correcting weaknesses in security. Report to COUNTY the nature of the Security Breach, the COUNTY data used or disclosed, the person who made the unauthorized use or received the unauthorized disclosure, what CONTRACTOR has done or will do to mitigate any harmful effect of the unauthorized use or disclosure, and the corrective action CONTRACTOR has taken or will take to prevent future similar unauthorized use or disclosure. 32.2.2 30.2.2 The COUNTY, at in its sole discretion and on a case-by-case basis, will determine what actions are necessary in response to the Security Breach and who will perform these actions. Actions may include, but are not limited to: to notifications; investigation and remediation costs, including notification of all whose personal information was disclosed; outside investigation; forensics; counsel; crisis management; and credit monitoring. In the event COUNTY determines CONTRACTOR will conduct additional action(s), CONTRACTOR shall bear the costs. In the event COUNTY conducts additional actions(s) arising out of or in connection with a Security Breach, CONTRACTOR shall reimburse COUNTY for costs associated to legally required actions.

Security Breach Notification. 32.2.1 29.2.1 CONTRACTOR shall have policies and procedures in place for the effective management of Security Breaches, as defined below. In the event of any actual, attempted, suspected, threatened, or reasonably foreseeable circumstance CONTRACTOR experiences or learns of that either compromises or could reasonably be expected to comprise COUNTY data through unauthorized use, disclosure, or acquisition of COUNTY data (“Security Breach”), CONTRACTOR shall immediately notify COUNTY of its discovery. After such notification, CONTRACTOR shall, at its own expense, immediately: Investigate to determine the nature and extent of the Security Breach. Contain the incident by taking necessary action, including, but not limited to, attempting to recover records, revoking access, and/or correcting weaknesses in security. Report to COUNTY the nature of the Security Breach, the COUNTY data used or disclosed, the person who made the unauthorized use or received the unauthorized disclosure, what DocuSign Envelope ID: 7C2B325D-40A0-41AF-81E0-813B26F84191 CONTRACTOR has done or will do to mitigate any harmful effect of the unauthorized use or disclosure, and the corrective action CONTRACTOR has taken or will take to prevent future similar unauthorized use or disclosure. 32.2.2 29.2.2 The COUNTY, at its sole discretion and on a case-by-case basis, will determine what actions are necessary in response to the Security Breach and who will perform these actions. Actions may include, but are not limited to: notifications; investigation and remediation costs, including notification of all whose personal information was disclosed; outside investigation; forensics; counsel; crisis management; and credit monitoring. In the event COUNTY determines CONTRACTOR will conduct additional action(s), CONTRACTOR shall bear the costs. In the event COUNTY conducts additional actions(s) arising out of or in connection with a Security Breach, CONTRACTOR shall reimburse COUNTY for costs associated to legally required actions.

Security Breach Notification. 32.2.1 CONTRACTOR shall have policies and procedures in place for the effective management of Security Breaches, as defined below. In the event of any actual, attempted, suspected, threatened, or reasonably foreseeable circumstance CONTRACTOR experiences or learns of that either compromises or could reasonably be expected to comprise COUNTY data through unauthorized use, disclosure, or acquisition of COUNTY data (“Security Breach”), CONTRACTOR shall immediately notify COUNTY of its discovery. After such notification, CONTRACTOR shall, at its own expense, immediately: Investigate to determine the nature and extent of the Security Breach. Contain the incident by taking necessary action, including, but not limited to, attempting to recover records, revoking access, and/or correcting weaknesses in security. CCD2721 Page 35 of 47 December 23, 2021 CGM 1718 Page 35 of 39 1-14-19 Report to COUNTY the nature of the Security Breach, the COUNTY data used or disclosed, the person who made the unauthorized use or received the unauthorized disclosure, what CONTRACTOR has done or will do to mitigate any harmful effect of the unauthorized use or disclosure, and the corrective action CONTRACTOR has taken or will take to prevent future similar unauthorized use or disclosure. 32.2.2 The COUNTY, at inat its sole discretion and on a case-by-case basis, will determine what actions are necessary in response to the Security Breach and who will perform these actions. Actions may include, but are not limited to: notifications; investigation and remediation costs, including notification of all whose personal information was disclosed; outside investigation; forensics; counsel; crisis management; and credit monitoring. In the event COUNTY determines CONTRACTOR will conduct additional action(s), CONTRACTOR shall bear the costs. In the event COUNTY conducts additional actions(s) arising out of or in connection with a Security Breach, CONTRACTOR shall reimburse COUNTY for costs associated to legally required actions.

Security Breach Notification. 32.2.1 CONTRACTOR shall have policies and procedures in place for the effective management of Security Breaches, as defined below. In the event of any actual, attempted, suspected, threatened, or reasonably foreseeable circumstance CONTRACTOR experiences or learns of that either compromises or could reasonably be expected to comprise COUNTY data through unauthorized use, disclosure, or acquisition of COUNTY data (“Security Breach”), CONTRACTOR shall immediately notify COUNTY of its discovery. After such notification, CONTRACTOR shall, at its own expense, immediately: Investigate to determine the nature and extent of the Security Breach. Contain the incident by taking necessary action, including, but not limited to, attempting to recover records, revoking access, and/or correcting weaknesses in security. Report to COUNTY the nature of the Security Breach, the COUNTY data used or disclosed, the person who made the DocuSign Envelope ID: EDEAB430-1500-48C5-AAF6-4904D0AD00E7 unauthorized use or received the unauthorized disclosure, what CONTRACTOR has done or will do to mitigate any harmful effect of the unauthorized use or disclosure, and the corrective action CONTRACTOR has taken or will take to prevent future similar unauthorized use or disclosure. 32.2.2 The COUNTY, at its sole discretion and on a case-by-case basis, will determine what actions are necessary in response to the Security Breach and who will perform these actions. Actions may include, but are not limited to: notifications; investigation and remediation costs, including notification of all whose personal information was disclosed; outside investigation; forensics; counsel; crisis management; and credit monitoring. In the event COUNTY determines CONTRACTOR will conduct additional action(s), CONTRACTOR shall bear the costs. In the event COUNTY conducts additional actions(s) arising out of or in connection with a Security Breach, CONTRACTOR shall reimburse COUNTY for costs associated to legally required actions.

Security Breach Notification. 32.2.1 CONTRACTOR shall have policies and procedures in place for the effective management of Security Breaches, as defined below. In the event of any actual, attempted, suspected, threatened, or reasonably foreseeable circumstance CONTRACTOR experiences or learns of that either compromises or could reasonably be expected to comprise COUNTY data through unauthorized use, disclosure, or acquisition of COUNTY data (“Security Breach”), CONTRACTOR shall immediately notify COUNTY of its discovery. After such notification, CONTRACTOR shall, at its own expense, immediately: Investigate to determine the nature and extent of the Security Breach. Contain the incident by taking necessary action, including, but not limited to, attempting to recover records, revoking access, and/or correcting weaknesses in security. DocuSign Envelope ID: 7300CE4E-5385-4DED-A457-AB32C02A1A47 Report to COUNTY the nature of the Security Breach, the COUNTY data used or disclosed, the person who made the unauthorized use or received the unauthorized disclosure, what CONTRACTOR has done or will do to mitigate any harmful effect of the unauthorized use or disclosure, and the corrective action CONTRACTOR has taken or will take to prevent future similar unauthorized use or disclosure. 32.2.2 The COUNTY, at its sole discretion and on a case-by-case basis, will determine what actions are necessary in response to the Security Breach and who will perform these actions. Actions may include, but are not limited to: notifications; investigation and remediation costs, including notification of all whose personal information was disclosed; outside investigation; forensics; counsel; crisis management; and credit monitoring. In the event COUNTY determines CONTRACTOR will conduct additional action(s), CONTRACTOR shall bear the costs. In the event COUNTY conducts additional actions(s) arising out of or in connection with a Security Breach, CONTRACTOR shall reimburse COUNTY for costs associated to legally required actions.

Security Breach Notification. 32.2.1 CONTRACTOR shall have policies and procedures in place for the effective management of Security Breaches, as defined below. In the event of any actual, attempted, suspected, threatened, or reasonably foreseeable circumstance CONTRACTOR experiences or learns of that either compromises or could reasonably be expected to comprise COUNTY data through unauthorized use, disclosure, or acquisition of COUNTY data WDM0321 Page 32 of 41 May 17, 2021 (“Security Breach”), CONTRACTOR shall immediately notify COUNTY of its discovery. After such notification, CONTRACTOR shall, at its own expense, immediately: Investigate to determine the nature and extent of the Security Breach. Contain the incident by taking necessary action, including, but not limited to, attempting to recover records, revoking access, and/or correcting weaknesses in security. Report to COUNTY the nature of the Security Breach, the COUNTY data used or disclosed, the person who made the unauthorized use or received the unauthorized disclosure, what CONTRACTOR has done or will do to mitigate any harmful effect of the unauthorized use or disclosure, and the corrective action CONTRACTOR has taken or will take to prevent future similar unauthorized use or disclosure. 32.2.2 The COUNTY, at its sole discretion and on a case-by-case basis, will determine what actions are necessary in response to the Security Breach and who will perform these actions. Actions may include, but are not limited to: notifications; investigation and remediation costs, including notification of all whose personal information was disclosed; outside investigation; forensics; counsel; crisis management; and credit monitoring. In the event COUNTY determines CONTRACTOR will conduct additional action(s), CONTRACTOR shall bear the costs. In the event COUNTY conducts additional actions(s) arising out of or in connection with a Security Breach, CONTRACTOR shall reimburse COUNTY for costs associated to legally required actions.

Security Breach Notification. 32.2.1 33.2.1 CONTRACTOR shall have policies and procedures in place for the effective management of Security Breaches, as defined below. In the event of any actual, attempted, suspected, threatened, or reasonably foreseeable circumstance CONTRACTOR experiences or learns of that either compromises or could reasonably be expected to comprise COUNTY data through unauthorized use, disclosure, or acquisition of COUNTY data (“Security Breach”), CONTRACTOR shall immediately notify COUNTY of its discovery. After such notification, CONTRACTOR shall, at its own expense, immediately: Investigate to determine the nature and extent of the Security Breach. Contain the incident by taking necessary action, including, but DocuSign Envelope ID: C90E6514-7DAE-4FF3-852B-B31A67475FF5 not limited to, attempting to recover records, revoking access, and/or correcting weaknesses in security. Report to COUNTY the nature of the Security Breach, the COUNTY data used or disclosed, the person who made the unauthorized use or received the unauthorized disclosure, what CONTRACTOR has done or will do to mitigate any harmful effect of the unauthorized use or disclosure, and the corrective action CONTRACTOR has taken or will take to prevent future similar unauthorized use or disclosure. 32.2.2 33.2.2 The COUNTY, at its sole discretion and on a case-by-case basis, will determine what actions are necessary in response to the Security Breach and who will perform these actions. Actions may include, but are not limited to: notifications; investigation and remediation costs, including notification of all whose personal information was disclosed; outside investigation; forensics; counsel; crisis management; and credit monitoring. In the event COUNTY determines CONTRACTOR will conduct additional action(s), CONTRACTOR shall bear the costs. In the event COUNTY conducts additional actions(s) arising out of or in connection with a Security Breach, CONTRACTOR shall reimburse COUNTY for costs associated to legally required actions.

Security Breach Notification. 32.2.1 31.2.1 CONTRACTOR shall have policies and procedures in place for the effective management of Security Breaches, as defined below. In the event of any actual, attempted, suspected, threatened, or reasonably foreseeable circumstance CONTRACTOR experiences or learns of that either compromises or could reasonably be expected to comprise COUNTY data through unauthorized use, disclosure, disclosure or acquisition of COUNTY data (“Security Breach”), CONTRACTOR shall immediately notify COUNTY of its discovery. After such notification, CONTRACTOR shall, at its own expense, immediately: : 31.2.1.1 Investigate to determine the nature and extent of the Security Breach. . 31.2.1.2 Contain the incident by taking necessary actionby, including, but not limited toamong things, attempting to recover records, revoking access, access and/or correcting weaknesses in security. . 31.2.1.3 Report to COUNTY the nature of the Security basis, will determine what actions are necessary in response to the Security Xxxxxx and who will perform these actions. Actions may include, but are not limited to, notifications; investigation and remediation costs, including 31.2.2 The COUNTY, at its sole discretion and on a case-by-case prevent future similar unauthorized use or disclosure. Breach, the COUNTY data used or disclosed, the person who made the unauthorized use or received the unauthorized disclosure, what CONTRACTOR has done or will do to mitigate any harmful effect of the unauthorized use or disclosure, and the corrective action CONTRACTOR has taken or will take to prevent future similar unauthorized use or disclosure. 32.2.2 The COUNTY, at its sole discretion and on a case-by-case basis, will determine what actions are necessary in response to the Security Breach and who will perform these actions. Actions may include, but are not limited to: notifications; investigation and remediation costs, including notification of all whose personal information was disclosed; outside investigation; forensics; counsel; crisis management; and credit monitoring. In the event COUNTY determines CONTRACTOR will conduct additional action(s), CONTRACTOR shall bear the costs. In the event COUNTY conducts additional actions(s) arising out of or in connection with a Security Breach, CONTRACTOR shall reimburse COUNTY for costs associated to legally required actions.

Security Breach Notification. 32.2.1 CONTRACTOR shall have policies and procedures in place for the effective management of Security Breaches, as defined below. In the event of any actual, attempted, suspected, threatened, or reasonably DocuSign Envelope ID: F72AAA7D-5C0A-40BD-8888-7D72E527E8FB foreseeable circumstance CONTRACTOR experiences or learns of that either compromises or could reasonably be expected to comprise COUNTY data through unauthorized use, disclosure, or acquisition of COUNTY data (“Security Breach”), CONTRACTOR shall immediately notify COUNTY of its discovery. After such notification, CONTRACTOR shall, at its own expense, immediately: Investigate to determine the nature and extent of the Security Breach. Contain the incident by taking necessary action, including, but not limited to, attempting to recover records, revoking access, and/or correcting weaknesses in security. Report to COUNTY the nature of the Security Breach, the COUNTY data used or disclosed, the person who made the unauthorized use or received the unauthorized disclosure, what CONTRACTOR has done or will do to mitigate any harmful effect of the unauthorized use or disclosure, and the corrective action CONTRACTOR has taken or will take to prevent future similar unauthorized use or disclosure. 32.2.2 The COUNTY, at its sole discretion and on a case-by-case basis, will determine what actions are necessary in response to the Security Breach and who will perform these actions. Actions may include, but are not limited to: notifications; investigation and remediation costs, including notification of all whose personal information was disclosed; outside investigation; forensics; counsel; crisis management; and credit monitoring. In the event COUNTY determines CONTRACTOR will conduct additional action(s), CONTRACTOR shall bear the costs. In the event COUNTY conducts additional actions(s) arising out of or in connection with a Security Breach, CONTRACTOR shall reimburse COUNTY for costs associated to legally required actions.

Security Breach Notification. 32.2.1 CONTRACTOR shall have policies and procedures in place for the effective management of Security Breaches, as defined below. In the event of any actual, attempted, suspected, threatened, or reasonably foreseeable circumstance CONTRACTOR experiences or learns of that either compromises or could reasonably be expected to comprise COUNTY data through unauthorized use, disclosure, or acquisition of COUNTY data (“Security Breach”), CONTRACTOR shall immediately notify COUNTY of its discovery. After such notification, CONTRACTOR shall, at its own expense, immediately: Investigate to determine the nature and extent of the Security Breach. Contain the incident by taking necessary action, including, but not limited to, attempting to recover records, revoking access, and/or correcting weaknesses in security. Report to COUNTY the nature of the Security Breach, the COUNTY data used or disclosed, the person who made the unauthorized use or received the unauthorized disclosure, what CONTRACTOR has done or will do to mitigate any harmful effect of the unauthorized use or disclosure, and the corrective action CONTRACTOR has taken or will take to prevent future similar unauthorized use or disclosure. 32.2.2 The COUNTY, at its sole discretion and on a case-by-case basis, will determine what actions are necessary in response to the Security Breach and who will perform these actions. Actions may include, but are not limited to: notifications; investigation and remediation costs, including notification of all whose personal information was disclosed; outside investigation; forensics; counsel; crisis management; and credit monitoring. In the event COUNTY determines CONTRACTOR will conduct additional action(s), CONTRACTOR shall bear the costs. In the event COUNTY conducts additional actions(s) arising out of or in connection with a Security Breach, CONTRACTOR shall reimburse COUNTY for costs associated to legally required actions.credit

Security Breach Notification. 32.2.1 CONTRACTOR 21.2.1 OCDE shall have policies and procedures in place for the effective management of Security Breaches, as defined below. In the event of any actual, attempted, suspected, threatened, or reasonably foreseeable circumstance CONTRACTOR OCDE experiences or learns of that either compromises or could reasonably be expected to comprise COUNTY data through unauthorized use, disclosure, or acquisition of COUNTY data (“"Security Breach”"), CONTRACTOR OCDE shall immediately notify COUNTY of its discovery. After such notification, CONTRACTOR OCDE shall, at its own expense, immediately: Investigate to determine the nature and extent of the Security Breach. Contain the incident by taking necessary action, including, but not limited to, attempting to recover records, revoking access, and/or correcting weaknesses in security. Report to COUNTY the nature of the Security Breach, the COUNTY data used or disclosed, the person who made the DocuSign Envelope ID: 4D20609F-4E83-46F2-B93C-2A3D020D3101 unauthorized use or received the unauthorized disclosure, what CONTRACTOR OCDE has done or will do to mitigate any harmful effect of the unauthorized use or disclosure, and the corrective action CONTRACTOR OCDE has taken or will take to prevent future similar unauthorized use or disclosure. 32.2.2 21.2.2 The COUNTY, at its sole discretion and on a case-by-case basis, will determine what actions are necessary in response to the Security Breach and who will perform these actions. Actions may include, but are not limited to: notifications; investigation and remediation costs, including notification of all whose personal information was disclosed; outside investigation; forensics; counsel; crisis management; and credit monitoring. In the event COUNTY determines CONTRACTOR OCDE will conduct additional action(s), CONTRACTOR OCDE shall bear the costs. In the event COUNTY conducts additional actions(s) arising out of or in connection with a Security Breach, CONTRACTOR OCDE shall reimburse COUNTY for costs associated to legally required actions.

Security Breach Notification. 32.2.1 CONTRACTOR shall have policies and procedures in place for the effective management of Security Breaches, as defined below. In the event of any actual, attempted, suspected, threatened, or reasonably foreseeable circumstance CONTRACTOR experiences or learns of that either compromises or could reasonably be expected to comprise COUNTY data through unauthorized use, disclosure, or acquisition of COUNTY data (“Security Breach”), CONTRACTOR shall immediately notify COUNTY of its discovery. After such notification, CONTRACTOR shall, at its own expense, immediately: Investigate to determine the nature and extent of the Security Breach. Contain the incident by taking necessary action, including, but not limited to, attempting to recover records, revoking access, and/or correcting weaknesses in security. Report to COUNTY the nature of the Security Breach, the COUNTY data used or disclosed, the person who made the unauthorized use or received the unauthorized disclosure, what CONTRACTOR has done or will do to mitigate any harmful effect of the unauthorized use or disclosure, and the corrective action CONTRACTOR has taken or will take to prevent future similar unauthorized use or disclosure. 32.2.2 . The COUNTY, at its sole discretion and on a case-by-case basis, will determine what actions are necessary in response to the Security Breach and who will perform these actions. Actions may include, but are not limited to: notifications; investigation and remediation costs, including notification of all whose personal information was disclosed; outside investigation; forensics; counsel; crisis management; and credit monitoring. In the event COUNTY determines CONTRACTOR will conduct additional action(s), CONTRACTOR shall bear the costs. In the event COUNTY conducts additional actions(s) arising out of or in connection with a Security Breach, CONTRACTOR shall reimburse COUNTY for costs associated to legally required actions.

Security Breach Notification. 32.2.1 31.2.1 CONTRACTOR shall have policies and procedures in place for the effective management of Security Breaches, as defined below. In the event of any actual, attempted, suspected, threatened, or reasonably foreseeable circumstance CONTRACTOR experiences or learns of that either compromises or could reasonably be expected to comprise COUNTY data through unauthorized use, disclosure, or acquisition of COUNTY data (“Security Breach”), CONTRACTOR shall immediately notify COUNTY of its discovery. After such notification, CONTRACTOR shall, at its own expense, immediately: Investigate to determine the nature and extent of the Security Breach. Contain the incident by taking necessary action, including, but not limited to, attempting to recover records, revoking access, and/or correcting weaknesses in security. Report to COUNTY the nature of the Security Breach, the COUNTY data used or disclosed, the person who made the unauthorized use or received the unauthorized disclosure, what CONTRACTOR has done or will do to mitigate any harmful effect of the unauthorized use or disclosure, and the corrective action CONTRACTOR has taken or will take to prevent future similar unauthorized use or disclosure. 32.2.2 31.2.2 The COUNTY, at its sole discretion and on a case-by-case basis, will determine what actions are necessary in response to the Security Breach and who will perform these actions. Actions may include, but are not limited to: notifications; investigation and remediation costs, including notification of all whose personal information was disclosed; outside investigation; forensics; counsel; crisis management; and credit monitoring. In the event COUNTY determines CONTRACTOR will conduct additional action(s), CONTRACTOR shall bear the costs. In the event COUNTY conducts additional actions(s) arising out of or in connection with a Security Breach, CONTRACTOR shall reimburse COUNTY for costs associated to legally required actions.

Security Breach Notification. 32.2.1 CONTRACTOR shall have policies and procedures in place for the effective management of Security Breaches, as defined below. In the event of any actual, attempted, suspected, threatened, or reasonably foreseeable circumstance CONTRACTOR experiences or learns of that either compromises or could reasonably be expected to comprise COUNTY data (WJP0221) Page 32 of 41 (May 17, 2021) through unauthorized use, disclosure, or acquisition of COUNTY data (“Security Breach”), CONTRACTOR shall immediately notify COUNTY of its discovery. After such notification, CONTRACTOR shall, at its own expense, immediately: Investigate to determine the nature and extent of the Security Breach. Contain the incident by taking necessary action, including, but not limited to, attempting to recover records, revoking access, and/or correcting weaknesses in security. Report to COUNTY the nature of the Security Breach, the COUNTY data used or disclosed, the person who made the unauthorized use or received the unauthorized disclosure, what CONTRACTOR has done or will do to mitigate any harmful effect of the unauthorized use or disclosure, and the corrective action CONTRACTOR has taken or will take to prevent future similar unauthorized use or disclosure. 32.2.2 The COUNTY, at its sole discretion and on a case-by-case basis, will determine what actions are necessary in response to the Security Breach and who will perform these actions. Actions may include, but are not limited to: notifications; investigation and remediation costs, including notification of all whose personal information was disclosed; outside investigation; forensics; counsel; crisis management; and credit monitoring. In the event COUNTY determines CONTRACTOR will conduct additional action(s), CONTRACTOR shall bear the costs. In the event COUNTY conducts additional actions(s) arising out of or in connection with a Security Breach, CONTRACTOR shall reimburse COUNTY for costs associated to legally required actions.