Common use of Breach Notification and Recovery Clause in Contracts

Breach Notification and Recovery. Contractor is liable in the event of any Contractor-caused negligent act, error or omission, gross negligence, misconduct, or breach that compromises or is suspected to compromise the security, confidentiality, or integrity of County Data or the physical, technical, administrative, or organizational safeguards put in place by Contractor that relate to the protection of the security, confidentiality, or integrity of County Data. Contractor shall, as applicable: (a) notify County as soon as practicable but no later than twenty-four (24) hours of becoming aware of any occurrence of County Data being compromised; (b) cooperate with County in investigating the occurrence, including making available all relevant records, logs, files, data reporting, and other materials required to comply with applicable law or as otherwise required by County; (c) in the case of personally identifiable information (PII), at County’s sole election, (i) notify the affected individuals who comprise the PII as soon as practicable but no later than is required to comply with applicable law, or, in the absence of any legally required notification period, within ten (10) calendar days of the occurrence or after an investigative security assessment report has been finalized, whichever is later; or, (ii) reimburse County for any costs in notifying the affected individuals, if, in County’s sole discretion, County notifies the affected individuals; (d) in the case of PII, provide third-party credit and identity monitoring services to each of the affected individuals whose PII has been compromised for the period required to comply with applicable law, or, in the absence of any legally required monitoring services, for no less than twelve (12) months following the date of notification to such individuals; (e) perform or take any other actions required to comply with applicable law as a result of the occurrence; (f) without limiting County’s obligations of indemnification as further described in this Agreement, indemnify, defend, and hold harmless County for any and all losses, claims, liens, demands, and causes of action of every kind and character including, but not limited to, the amounts of judgments, penalties, interest, court costs, legal fees, and all other expenses incurred by County arising in favor of any party, , which may be suffered by, accrued against, charged to, or recoverable from County in connection with the occurrence; (g) be responsible for restoring lost County Data in the manner and on the schedule mutually agreed to by County and Contractor without charge to County; and, (h) provide to County a detailed plan within fifteen (15) calendar days of the occurrence describing the measures Contractor will undertake to prevent a future occurrence. Notification to affected individuals, as described above, shall comply with applicable law, be written in plain language, and contain, at a minimum: name and contact information of Contractor’s representative; a description of the nature of the loss; a list of the types of data involved; the known or approximate date of the loss; how such loss may affect the affected individual; what steps Contractor has taken to protect the affected individual; what steps the affected individual can take to protect himself or herself; contact information for major credit card reporting agencies; and, information regarding the credit and identity monitoring services to be provided by Contractor. This Section shall survive the termination of this Agreement.

Breach Notification and Recovery. Contractor is liable in the event of any Contractor-caused negligent act, error or omission, gross negligence, misconduct, or breach that compromises or is suspected to compromise the security, confidentiality, or integrity of County Data or the physical, technical, administrative, or organizational safeguards put in place by Contractor that relate to the protection of the security, confidentiality, or integrity of County Data. Contractor shall, as applicable: (ai) notify County as soon as practicable but no later than twenty-four (24) hours of becoming aware of any occurrence of County Data being compromisedsuch occurrence; (bii) cooperate with County in investigating the occurrence, including making available all relevant records, logs, files, data reporting, and other materials required to comply with applicable law or as otherwise required by County; (ciii) in the case of personally identifiable information (PII), at County’s sole election, (ia) notify the affected individuals who comprise the PII as soon as practicable but no later than is required to comply with applicable law, or, in the absence of any legally required notification period, within ten five (105) calendar days of the occurrence or after an investigative security assessment report has been finalized, whichever is lateroccurrence; or, (iib) reimburse County for any costs in notifying the affected individuals, if, in County’s sole discretion, County notifies the affected individuals; (div) in the case of PII, provide third-party credit and identity monitoring services to each of the affected individuals whose who comprise the PII has been compromised for the period required to comply with applicable law, or, in the absence of any legally required monitoring services, for no less than twelve (12) months following the date of notification to such individuals; (ev) perform or take any other actions required to comply with applicable law as a result of the occurrence; (fvi) without limiting County’s obligations of indemnification as further described in this Agreement, indemnify, defend, and hold harmless County for any and all lossesClaims (as defined herein), claimsincluding reasonable attorneys’ fees, liens, demandscosts, and causes of action of every kind and character including, but not limited to, the amounts of judgments, penalties, interest, court costs, legal fees, and all other expenses incurred by County arising in favor of any party, incidental thereto, which may be suffered by, accrued against, charged to, or recoverable from County in connection with the occurrence; (gvii) be responsible for restoring recreating lost County Data in the manner and on the schedule mutually agreed to set by County and Contractor without charge to County; and, (hviii) provide to County a detailed plan within fifteen ten (1510) calendar days of the occurrence describing the measures Contractor will undertake to prevent a future occurrence. Notification to affected individuals, as described above, shall comply with applicable law, be written in plain language, and contain, at a minimum: name and contact information of Contractor’s representative; a description of the nature of the loss; a list of the types of data involved; the known or approximate date of the loss; how such loss may affect the affected individual; what steps Contractor has taken to protect the affected individual; what steps the affected individual can take to protect himself or herself; contact information for major credit card reporting agencies; and, information regarding the credit and identity monitoring services to be provided by Contractor. This Section shall survive the termination of this Agreement.