Security Incidents. 1. Security Incidents on Supplier Information Systems must be logged, reviewed on a periodic basis (minimum quarterly), secured, and maintained for a minimum of twelve (12) months.
2. Supplier must develop and maintain an up-to-date incident management plan designed to promptly identify, prevent, investigate, and mitigate any Security Incidents and perform any required recovery actions to remedy the impact.
3. Supplier shall notify Company within a reasonable period, in no event to exceed seventy-two (72) hours after discovery, or shorter if required by applicable law or regulation, of any Security Incident experienced by Supplier involving any Company Data. Supplier shall report any Security Incidents to the Cyber Incident Response Team at xxxxxx@xx.xxx or 1-800-4GE-CIRT, or at such contact information communicated to Supplier from time to time. Supplier shall reasonably cooperate with Company in its investigation of an incident, whether discovered by Supplier, Company, or a third party, which shall include providing Company a detailed description of the Security Incident, the type of data that was the subject of the Security Incident, the identity of each affected person, and any other information Company reasonably may request concerning such affected persons and the details of the Security Incident, as soon as such information can be collected or otherwise becomes available. Supplier shall designate an individual responsible for management of the Security Incident, and shall identify such individual to Company promptly.
4. If requested by Company or its Affiliate, and at Company’s direction, Supplier shall send Security Notices regarding a Security Incident. Unless prohibited by applicable law or regulation, Supplier shall provide Company or its Affiliate with reasonable notice of, and the opportunity to comment on and approve, the content of such Security Notices prior to any publication or communication thereof to any third party, except neither Company nor its Affiliate shall have the right to reject any content in a Security Notice that must be included in order to comply with applicable law or regulation. Should Company or its Affiliate elect to send a Security Notice regarding a Security Incident, Supplier shall provide all reasonable and timely information relating to the content and distribution of that Security Notice as permitted by applicable law or regulation pursuant to the Security Notice.
5. Other than approved Security Notices, or to law enforcement or as otherwise required by law or regulation, Supplier may not make or permit any public statements concerning Company’s involvement with any such Security Incident to any third-party without the explicit written authorization of Company’s Legal Department.
Appears in 7 contracts
Samples: Master Services Agreement, Master Services Agreement, Master Services Agreement
Security Incidents. 9.1. Service Provider agrees to notify Company without undue delay but in all cases within twenty-four (24) hours of discovery of any actual or suspected Security Incident of which it becomes aware, including those occurring at its Subprocessors. Service Provider agrees to take such reasonable, remedial actions warranted to investigate and halt the root cause of such incident to the extent it is ongoing.
9.2. In the course of notification to Company, Service Provider will provide to Company, as feasible, sufficient information for Company to assess the Security Incident and make any required notification to any Government Authority within the timeline required by Applicable Law. Such information must include, but is not necessarily limited to:
A. The nature of the Security Incident, the categories and approximate number of data subjects and Personal Data records involved;
B. The likely consequences of the Security Incident, in so far as consequences are able to be determined; and
C. Any measures taken or proposed to be taken to address or mitigate the incident.
9.3. Company will decide on the basis of all available information and Applicable Law if notification to Data Subjects and/or Government Authorities is required or deemed prudent by Company. Where Company determines that notice should be provided, Service Provider shall reimburse Company for all reasonable costs associated with providing notice to affected individuals and Government Authorities, unless Service Provider demonstrates that the breach was caused by Company’s negligence or willful misconduct.
9.4. In the event of a Security Incident relating to the Personal Data collected or received under this Underlying Agreement, Service Provider agrees to assist and fully cooperate as instructed by Company with any internal investigation or external investigation by third parties, such as law enforcement, through the provision of information, employees, interviews, materials, databases, or any and all other items required to fully investigate and resolve any such incidents and provide information necessary to provide required notifications. Service Provider agrees to take such remedial actions as the Parties mutually agree is warranted, such agreement not to be unreasonably withheld by Service Provider.
9.5. Service Provider shall not disclose, without Company’s prior written approval, any information related to the suspected Security Incident to any third party other than a vendor hired to investigate/mitigate such Security Incident and bound by confidentiality and non-disclosure obligations, except as required by Applicable Law.
9.6. Notwithstanding any other limitation of liability or other indemnification obligation contained in the Underlying Agreement, Service Provider agrees to indemnify Company for all losses resulting from any Security Incident due to negligence or willful misconduct by Service Provider, its agents, its affiliates, or any Subprocessor retained by Service Provider, including but not limited to costs associated with investigating the Security Incident, attorney and consultant fees, expenses associated with making notices to Data Subjects or Government Authorities, providing support (including credit monitoring and call centers) to impacted Data Subjects, legal damages, government penalties, and/or mitigation expenses.
Appears in 1 contract
Samples: Data Protection Addendum
Security Incidents. 9.1. Service Provider agrees to notify Company without undue delay but in all cases within twenty-four (24) hours of discovery of any actual or suspected Security Incident of which it becomes aware, including those occurring at its Subprocessors. Service Provider agrees to take such reasonable, remedial actions warranted to investigate and halt the root cause of such incident to the extent it is ongoing.
9.2. In the course of notification to Company, Service Provider will provide to Company, as feasible, sufficient information for Company to assess the Security Incident and make any required notification to any Government Authority within the timeline required by Applicable Law. Such information must include, but is not necessarily limited to:
A. The nature of the Security Incident, the categories and approximate number of data subjects and Personal Data records involved;
B. The likely consequences of the Security Incident, in so far as consequences are able to be determined; and
C. Any measures taken or proposed to be taken to address or mitigate the incident.
9.3. Company will decide on the basis of all available information and Applicable Law if notification to Data Subjects and/or Government Authorities is required or deemed prudent by Company. Where Company determines that notice should be provided, Service Provider shall reimburse Company for all reasonable costs associated with providing notice to affected individuals and Government Authorities, unless Service Provider demonstrates that the breach was caused by Company’s negligence or willful misconduct.
9.4. In the event of a Security Incident relating to the Personal Data collected or received under this Underlying Agreement, Service Provider agrees to assist and fully cooperate as instructed by Company with any internal investigation or external investigation by third parties, such as law enforcement, through the provision of information, employees, interviews, materials, databases, or any and all other items required to fully investigate and resolve any such incidents and provide information necessary to provide required notifications. Service Provider agrees to take such remedial actions as the Parties mutually agree is warranted, such agreement not to be unreasonably withheld by Service Provider.
9.5. Service Provider shall not disclose, without Company’s prior written approval, any information related to the suspected Security Incident to any third party other than a vendor hired to investigate/mitigate such Security Incident and bound by confidentiality and non-disclosure obligations, except as required by Applicable Law.
9.6. Notwithstanding any other limitation of liability or other indemnification obligation contained in the Underlying Agreement, Service Provider agrees to indemnify Company for all losses resulting from any Security Incident due to negligence or willful misconduct by Service Provider, its agents, its affiliates, or any Subprocessor retained by Service Provider, including but not limited to costs associated with investigating the Security Incident, expenses associated with making notices or providing support to impacted Data Subjects, legal damages, government penalties, and/or mitigation expenses.
Appears in 1 contract
Samples: Data Protection Addendum
Security Incidents. 9.1. Service Provider agrees to notify Company without undue delay but in all cases within twenty-four (24) hours of discovery of any actual or suspected Security Incident of which it becomes aware, including those occurring at its Subprocessors. Service Provider agrees to take such reasonable, remedial actions warranted to investigate and halt the root cause of such incident to the extent it is ongoing.
9.2. In the course of notification to Company, Service Provider will provide to Company, as feasible, sufficient information for Company to assess the Security Incident and make any required notification to any Government Authority within the timeline required by Applicable Law. Such information must include, but is not necessarily limited to:
A. The nature of the Security Incident, the categories and approximate number of data subjects and Personal Data records involved;
B. The likely consequences of the Security Incident, in so far as consequences are able to be determined; and
C. Any measures taken or proposed to be taken to address or mitigate the incident.
9.3. Company will decide on the basis of all available information and Applicable Law if notification to Data Subjects and/or Government Authorities is required or deemed prudent by Company. Where Company determines that notice should be provided, Service Provider shall reimburse Company for all reasonable costs associated with providing notice to affected individuals and Government Authorities, unless Service Provider demonstrates that the breach was caused by Company’s negligence or willful misconduct.
9.4. In the event of a Security Incident relating to the Personal Data collected or received under this Underlying Agreement, Service Provider agrees to assist and fully cooperate as instructed by Company with any internal investigation or external investigation by third parties, such as law enforcement, through the provision of information, employees, interviews, materials, databases, or any and all other items required to fully investigate and resolve any such incidents and provide information necessary to provide required notifications. Service Provider agrees to take such remedial actions as the Parties mutually agree is warranted, such agreement not to be unreasonably withheld by Service Provider.
9.5. Service Provider shall not disclose, without Company’s prior written approval, any information related to the suspected Security Incident to any third party other than a vendor hired to investigate/mitigate such Security Incident and bound by confidentiality and non-disclosure obligations, except as required by Applicable Law.
9.6. Notwithstanding any other limitation of liability or other indemnification obligation contained in the Underlying Agreement, Service Provider agrees to indemnify Company for all losses resulting from any Security Incident due to negligence or willful misconduct by Service Provider, its agents, its affiliates, or any Subprocessor retained by Service Provider, including but not limited to costs associated with investigating the Security Incident, expenses associated with making notices or providing support to impacted Data Subjects, legal damages, government penalties, and/or mitigation expenses.
Appears in 1 contract
Samples: Data Protection Addendum