Common use of Breach Notification and Recovery Clause in Contracts

Breach Notification and Recovery. The PROVIDER must notify the State of Delaware at ▇▇▇▇▇▇▇▇▇@▇▇▇▇▇▇▇▇.▇▇▇ immediately or within 24 hours of any determination of the breach of security as defined in 6 Del. C. §12B-101(2) resulting in the destruction, loss, unauthorized disclosure, or alteration of State of Delaware data. The PROVIDER shall send a preliminary written report detailing the nature, extent, and root cause of any such data breach no later than two (2) business days following notice of such a breach. The PROVIDER will continue to send any and all reports subsequent to the preliminary written report. The PROVIDER shall meet and confer with representatives of DTI regarding required remedial action in relation to any such data breach without unreasonable delay. If data is not encrypted (see CS3, below), Delaware Code (6 Del. C. §12B-100 et seq.) requires public breach notification of any incident resulting in the loss or unauthorized disclosure of Delawareans’ Personally Identifiable Information (PII, as defined in Delaware’s Terms and Conditions Governing Cloud Services policy) by PROVIDER or its subcontractors. The PROVIDER will assist and be responsible for all costs to provide notification to persons whose information was breached without unreasonable delay but not later than sixty (60) days after determination of the breach, except 1) when a shorter time is required under federal law; 2) when law enforcement requests a delay; or 3) reasonable diligence did not identify certain residents, in which case notice will be delivered as soon as practicable. All such communication shall be coordinated with the State of Delaware. Should the PROVIDER or its contractors be liable for the breach, the PROVIDER shall bear all costs associated with investigation, response, and recovery from the breach. 
This includes, but is not limited to, credit monitoring services with a term of at least three (3) years, mailing costs, website, and toll-free telephone call center services. The State will retain all determining authority for breach accountability and responsibility. The State of Delaware shall not agree to any limitation on liability that relieves the PROVIDER or its subcontractors from its own negligence, or to the extent that it creates an obligation on the part of the State to hold a PROVIDER harmless. The PROVIDER shall not issue a media notice without the approval of the State.

Appears in 1 contract

Sources: Participating Addendum

Breach Notification and Recovery. The PROVIDER Vendor must notify the State of Delaware at ▇▇▇▇▇▇▇▇▇@▇▇▇▇▇▇▇▇.▇▇▇ immediately or within 24 hours of any determination of the breach of security as defined in 6 Del. C. §12B-101(2) incident resulting in the destruction, loss, unauthorized disclosure, or alteration of State of Delaware data. The PROVIDER shall send a preliminary written report detailing the nature, extent, and root cause of any such data breach no later than two (2) business days following notice of such a breach. The PROVIDER will continue to send any and all reports subsequent to the preliminary written report. The PROVIDER shall meet and confer with representatives of DTI regarding required remedial action in relation to any such data breach without unreasonable delay. If data is not encrypted (see CS3, below), Delaware Code (6 Del. C. §12B-100 et seq.) requires public breach notification of any incident resulting in the loss or unauthorized disclosure of Delawareans’ Personally Identifiable Information personally identifiable Contract # , between State of Delaware and dated 1 Public Data Non Public Data CLOUD SERVICES (PII, as defined in Delaware’s Terms and Conditions Governing Cloud Services policy CS) TERMS information by PROVIDER Vendor or its subcontractors. The PROVIDER Vendor will assist and be responsible for all costs to provide notification to persons whose information was breached without unreasonable delay but not later than sixty (60) 60 days after determination of the breach, except 1) when a shorter time is required under federal law; 2) when law enforcement requests a delay; or 3) reasonable diligence did not identify certain residents, in which case notice will be delivered as soon as practicable. All such communication shall be coordinated with the State of Delaware State.
Should the PROVIDER Vendor or its contractors employees or subcontractors be liable for the breach, the PROVIDER Vendor shall bear all costs associated with investigation, response, and recovery from the breach. This includes, but is not limited to, credit monitoring services with a term of at least three (3) years, mailing costs, website, and toll-free telephone call center services. The State will retain all determining authority for breach accountability and responsibility. The State of Delaware shall not agree to any limitation on liability that relieves the PROVIDER Vendor or its subcontractors any person or entity from responsibility for its own negligence negligence or conduct, or to the extent that it creates an obligation on the part of the State to hold a PROVIDER any person or entity harmless. The PROVIDER CS3 🞎 🞎 Data Encryption: Vendor shall not issue a media notice without encrypt all non-public data in transit, regardless of transit mechanism. For engagements where Vendor stores personally identifiable information or other sensitive, confidential information, it shall encrypt this non-public data at rest. Vendor’s encryption shall meet validated cryptography standards as specified by the approval National Institute of Standards and Technology in FIPS140-2 and subsequent security guidelines. Vendor and the State will negotiate mutually acceptable key location and key management details. Vendor shall maintain mandatory cyber security liability insurance coverage for the duration of the Agreement. CS4 🞎 🞎 Notification of Legal Requests: Vendor shall contact OST upon receipt of any electronic discovery, litigation holds, discovery searches, and expert testimonies related to, or which in any way might reasonably require access to the data of the State. With regard to State data and processes, Vendor shall not respond to subpoenas, service of process, and other legal requests without first notifying OST, unless prohibited by law from providing such notice.
The terms of this document shall be incorporated into the Agreement. Any conflict between this document and the aforementioned Agreement shall be resolved by giving priority to the Agreement.

Appears in 1 contract

Sources: Professional Services Agreement

Breach Notification and Recovery. The PROVIDER Vendor must notify the State of Delaware at ▇▇▇▇▇▇▇▇▇@▇▇▇▇▇▇▇▇.▇▇▇ immediately or within 24 hours of promptly of any determination of the breach of security as defined in 6 Del. C. §12B-101(2) incident resulting in the destruction, loss, unauthorized disclosure, or alteration of State of Delaware data. The PROVIDER shall send a preliminary written report detailing the nature, extent, and root cause of any such data breach no later than two (2) business days following notice of such a breach. The PROVIDER will continue to send any and all reports subsequent to the preliminary written report. The PROVIDER shall meet and confer with representatives of DTI regarding required remedial action in relation to any such data breach without unreasonable delay. If data is not encrypted (see CS3, below), Delaware Code (6 Del. C. §12B-100 12B-100 et seq.) requires public breach notification of any incident resulting in resulting in the loss or unauthorized disclosure of Delawareans’ Personally Identifiable Information personally identifiable Contract # , between State of Delaware and dated 1 Public Data Non Public Data CLOUD SERVICES (PII, as defined in Delaware’s Terms and Conditions Governing Cloud Services policy CS) TERMS information by PROVIDER Vendor or its subcontractors. The PROVIDER Vendor will assist and be responsible for all costs to provide notification to persons whose information was breached without unreasonable delay but not later than sixty (60) 60 days after determination of the breach, except 1) when a shorter time is required under federal law; 2) when law enforcement requests a delay; or 3) reasonable diligence did not identify certain residents, in which case notice will be delivered as soon as practicable. All such communication shall be coordinated with the State of Delaware State.
Should the PROVIDER Vendor or its contractors employees or subcontractors be liable for the breach, the PROVIDER Vendor shall bear all costs associated with investigation, response, and recovery from the breach. This includes, but is not limited to, credit monitoring services with a term of at least three one (331) yearsyearsyear, mailing costs, website, and toll-free telephone call center services. Except as provided in this Agreement, The the State will retain all determining authority for breach accountability and responsibility. The State of Delaware shall not agree to any to any limitation on liability that relieves the PROVIDER Vendor or its subcontractors any person or entity from responsibility for its own negligence negligence or conduct, or to the extent that it creates an obligation on the part of the State to hold a PROVIDER hold any person or entity harmless. The PROVIDER CS3 🞎 🞎 Data Encryption: Vendor shall not issue a media notice without encrypt all non-public data in transit, regardless of transit mechanism. For engagements where Vendor stores personally identifiable information or other sensitive, confidential information, it shall encrypt this non-public data at rest. Vendor’s encryption shall meet validated cryptography standards as specified by the approval National Institute of Standards and Technology in FIPS140-2 and subsequent security guidelines. Vendor and the State will negotiate mutually acceptable key location and key management details. Vendor shall maintain mandatory cyber security liability insurance coverage for the duration of the Agreement. CS4 🞎 🞎 Notification of Legal Requests: Vendor shall contact OST upon receipt of any electronic discovery, litigation holds, discovery searches, and expert testimonies related to, or which in any way might reasonably require access to the data of the State.
With regard to State data and processes, Vendor shall not respond to subpoenas, service of process, and other legal requests without first notifying OST, unless prohibited by law from providing such notice. The terms of this document shall be incorporated into the Agreement. Any conflict between this document and the aforementioned Agreement shall be resolved by giving priority to the Agreement.

Appears in 1 contract

Sources: Professional Services Agreement

Breach Notification and Recovery. The PROVIDER must notify the State of Delaware at at: ▇▇▇▇▇▇▇▇▇@▇▇▇▇▇▇▇▇.▇▇▇ immediately or immediately, but no later than within 24 48 hours of PROVIDER’s confirmation of any determination of the breach of security as defined in 6 Del. C. §12B-101(2) incident resulting in the destruction, loss, unauthorized disclosure, or alteration of State of Delaware data. The PROVIDER shall send a preliminary written report detailing the nature, extent, and root cause of any such data breach no later than two (2) business days following notice of such a breach. The PROVIDER will continue to send any and all reports subsequent to the preliminary written report. The PROVIDER shall meet and confer with representatives of DTI regarding required remedial action in relation to any such data breach without unreasonable delay. If data is not encrypted (see CS3, below), Delaware Code (6 Del. C. §12B-100 et seq.) requires public breach notification of any incident resulting in the loss or unauthorized disclosure of Delawareans’ Personally Identifiable Information (PII, as defined in Delaware’s Terms and Conditions Governing Cloud Services policy) by PROVIDER or its subcontractors. The PROVIDER will assist and be responsible for all costs to provide notification to persons whose information was breached without unreasonable delay but not later than sixty (60) 60 days after determination of the breach, except 1) when a shorter time is required under federal law; 2) when law enforcement requests a delay; or 3) when reasonable diligence did not identify certain residents, in which case notice will be delivered as soon as practicable. All such communication shall be coordinated with the State of Delaware. Should the PROVIDER or its contractors be liable for the breach, the PROVIDER shall bear pay directly all reasonable and actual costs associated with investigation, response, and recovery from the breach. 
This includes, but is not limited to, credit monitoring services may include credit monitoring services with a term of at least three (3) years, mailing costs, website, and toll-free telephone call center services. The State will retain all determining authority for breach accountability and responsibility. The State of Delaware shall not agree to any limitation on liability that relieves the PROVIDER or its subcontractors from its own negligence, or to the extent that it creates an obligation on the part of the State to hold a PROVIDER harmless. The STATE OF DELAWARE between State of Delaware and Cisco Systems, Inc. Public Data Non Public Data Cloud Services (CS) Terms PROVIDER shall not issue a media notice without the approval of the State must satisfy Clause CS1-A OR Clauses CS1-B and CS1-C, AND Clause CS4 for all engagements involving non-public data. Clause CS2 is mandatory for all engagements involving non-public data. Clause CS3 is only mandatory for SaaS or PaaS engagements involving non-public data.

Appears in 1 contract

Sources: Participating Addendum