Common use of Data Breach Notification Clause in Contracts

Data Breach Notification. a. The Breach or potential compromise of Data must be reported to the HCA Privacy Officer at ▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇.▇▇.▇▇▇ and the County Program Manager within 2 business days of discovery. If the Contractor does not have full details, it will report what information it has, and provide full details within 15 business days of discovery. To the extent possible, these reports must include the following: i. The identification of each individual whose PHI has been or may have been improperly accessed, acquired, used, or disclosed; ii. The nature of the unauthorized use or disclosure, including a brief description of what happened, the date of the event(s), and the date of discovery; iii. A description of the types of PHI involved; iv. The investigative and remedial actions the Contractor took or will take to prevent and mitigate harmful effects, and protect against recurrence; v. Any details necessary for a determination of the potential harm to individuals whose PHI is believed to have been used or disclosed and the steps those individuals should take to protect themselves; and vi. Any other information HCA or the County reasonably requests. b. The Contractor must take actions to mitigate the risk of loss and comply with any notification or other requirements imposed by law or HCA including but not limited to 45 C.F.R. Part 164, Subpart D, RCW 42.56.590; RCW 19.255.010; or WAC ▇▇▇-▇▇-▇▇▇. c. If notification of the Breach or possible Breach must, in the judgement of HCA or the County, be made under the HIPAA Breach Notification Rule, or RCW 42.56.590 or RCW 19.255.010; or other law or rule, then: i. HCA or the County may choose to make any required notifications to the individuals, to the U.S. Department of Health and Human Services (DSHS) Secretary, and to the media, or direct Contractor to make them or any of them. ii. In any case, Contractor will pay reasonable costs of notification to individuals, media, and governmental agencies and of other actions HCA or the County reasonably considers appropriate to protect HCA clients, such as paying for their regular credit watches in some cases. iii. Contractor will compensate HCA clients for ▇▇▇▇▇ caused to them by any Breach or possible Breach. d. Contractor is responsible for all costs incurred in connection with a security incident, privacy Breach, or potential compromise of Data, including: i. Computer forensics assistance to assess the impact of a Data Breach, determine root cause, and help determine whether and the extent to which notification must be provided to comply with Breach notification laws; ii. Notification and call center services for individuals affected by a security incident or privacy Breach; iii. Breach resolution and mitigation services for individuals affected by a security incident or privacy Breach, including fraud prevention, credit monitoring, and identity theft assistance; and iv. Regulatory defense, fines, and penalties from any claim in the form of a regulatory proceeding resulting from a violation of any applicable privacy or security law(s) or regulation(s). e. Any breach of this clause may result in termination of the Contractor and the demand for return or disposition, as described above in Section 5, of all Confidential Information. f. Contractor’s obligations regarding Breach notification survive the termination of this Contract and continue for as long as Contractor maintains the Confidential Information and for any Breach or possible Breach at any time.

Appears in 4 contracts

Sources: Professional Services, Professional Services, Professional Services

Data Breach Notification. a. A. The Breach or potential compromise of Data must be reported to the HCA Privacy Officer at ▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇.▇▇.▇▇▇ and the County Program Manager within 2 business days one (1) Business Day of discovery. If the Contractor does not have full details, it Contractor will report what information it hasContractor has available, and provide full details of the breach within 15 business days Business Days of discovery. To the extent possible, these reports must include the following: i. The identification of each individual whose PHI has been or may have been improperly accessed, acquired, used, or disclosed; ii. The nature of the unauthorized use or disclosure, including a brief description of what happened, the date of the event(s), and the date of discovery; iii. A description of the types of PHI involved; iv. The investigative and remedial actions the Contractor or its Subcontractor took or will take to prevent and mitigate harmful effects, and protect against recurrence; v. Any details necessary for a determination of the potential harm to individuals Enrollees whose PHI is believed to have been used or disclosed and the steps those individuals Enrollees should take to protect themselves; and vi. Any other information HCA or the County reasonably requests. b. B. The Contractor must take actions to mitigate the risk of loss and comply with any notification or other requirements imposed by law or HCA including but not limited to 45 C.F.R. Part 164, Subpart D, ; RCW 42.56.590; RCW 19.255.010; or WAC ▇▇▇-▇▇-▇▇▇. c. If notification C. The Contractor must notify HCA in writing, as described in the General Terms and Conditions section, Notices, within two (2) Business Days of the Breach or possible Breach must, in judgement of HCA or the County, be made under the HIPAA Breach Notification Rule, or RCW 42.56.590 or RCW 19.255.010; or other law or rule, then: i. 
HCA or the County may choose to make any required notifications to the individuals, to the U.S. Department of Health and Human Services (DSHS) Secretary, and to the media, or direct Contractor to make them or any of them. ii. In any case, Contractor will pay reasonable costs of notification to individuals, media, and governmental agencies and of other actions HCA or the County reasonably considers appropriate to protect HCA clients, such as paying for their regular credit watches in some cases. iii. Contractor will compensate HCA clients for ▇▇▇▇▇ caused to them by any Breach or possible Breach. d. Contractor is responsible for all costs incurred in connection with a security incident, privacy Breach, or potential compromise of Data, including: i. Computer forensics assistance to assess the impact of a Data Breach, determine root cause, and help determine whether and the extend to which determining notification must be provide sent to comply with Breach notification laws; ii. Notification and call center services for individuals affected by a security incident, or privacy Breach; iii. Breach resolution and mitigation services for individuals affected by a security incident or privacy Breach, including fraud prevention, credit monitoring, and identify theft assistance; and iv. Regulatory defense, fines, and penalties from any claim in the form of a regulatory proceeding resulting from a violation of any applicable privacy or security law(s) or regulation(s)Enrollees. e. Any breach of this clause may result in termination D. At HCA’s request, the Contractor will provide draft Enrollee notification to HCA at least five (5) Business Days prior to notification and allow HCA an opportunity to review and comment on the notifications. E. 
At HCA’s request, the Contractor will coordinate its investigation and notifications with HCA and the Office of the Contractor and the demand for return or dispositionState of Washington Chief Information Officer (OCIO), as described above in Section 5, of all Confidential Informationapplicable. f. Contractor’s obligations regarding Breach notification survive the termination of this Contract and continue for as long as Contractor maintains the Confidential Information and for any Breach or possible preach at any time.

Appears in 2 contracts

Sources: Interlocal Agreement, Interlocal Agreement

Data Breach Notification. a. 9.1. The Breach or potential compromise of Data must be reported to the HCA Privacy Officer at ▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇.▇▇.▇▇▇ and the County Program Manager within 2 business days of discovery. If the Contractor does not have full details, it will report what information it has, and provide full details within 15 business days of discovery. To the extent possible, these reports must include the following: i. 9.1.1. The identification of each individual whose PHI has been or may have been improperly accessed, acquired, used, or disclosed; ii9.1.2. The nature of the unauthorized use or disclosure, including a brief description of what happened, the date of the event(s), and the date of discovery; iii9.1.3. A description of the types of PHI involved; iv9.1.4. The investigative and remedial actions the Contractor or its Subcontractor took or will take to prevent and mitigate harmful effects, and protect against recurrence; v. 9.1.5. Any details necessary for a determination of the potential harm to individuals whose PHI is believed to have been used or disclosed and the steps those individuals should take to protect themselves; and vi9.1.6. Any other information HCA or the County reasonably requests. b. 9.2. The Contractor must take actions to mitigate the risk of loss and comply with any notification or other requirements imposed by law or HCA including but not limited to 45 C.F.R. Part 164, Subpart D, ; RCW 42.56.590; RCW 19.255.010; or WAC ▇▇▇-▇▇-▇▇▇. c. 9.3. If notification of the Breach or possible Breach must, in the judgement of HCA or the CountyHCA, be made under the HIPAA Breach Notification Rule, or RCW 42.56.590 or RCW 19.255.010; , or other law or rule, then: i. 9.3.1. HCA or the County may choose to make any required notifications to the individuals, to the U.S. Department of Health and Human Services (DSHSDHHS) Secretary, and to the media, or direct Contractor to make them or any of them. ii9.3.2. 
In any case, Contractor will pay the reasonable costs of notification to individuals, media, and governmental agencies and of other actions HCA or the County reasonably considers appropriate to protect HCA clients, such as paying for their regular credit watches in some cases. iii9.3.3. Contractor will compensate HCA clients for ▇▇▇▇▇ caused to them by any Breach or possible Breach. d. Contractor is responsible for all costs incurred in connection with a security incident, privacy Breach, or potential compromise of Data, including: i. Computer forensics assistance to assess the impact of a Data Breach, determine root cause, and help determine whether and the extend to which notification must be provide to comply with Breach notification laws; ii9.4. Notification and call center services for individuals affected by a security incident, or privacy Breach; iii. Breach resolution and mitigation services for individuals affected by a security incident or privacy Breach, including fraud prevention, credit monitoring, and identify theft assistance; and iv. Regulatory defense, fines, and penalties from any claim in the form of a regulatory proceeding resulting from a violation of any applicable privacy or security law(s) or regulation(s). e. Any breach of this clause may result in termination of the Contractor and the demand for return or disposition, as described above in Section 5Error! Reference source not found., of all Confidential Information. f. 9.5. Contractor’s obligations regarding Breach notification survive the termination of this Contract and continue for as long as Contractor maintains the Confidential Information and for any Breach or possible preach Breach at any time.

Appears in 2 contracts

Sources: Client Services Contract, Client Services Contract

Data Breach Notification. a. A. The Breach or potential compromise of Data must be reported to the HCA Privacy Officer at ▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇.▇▇.▇▇▇ and the County Program Manager within 2 five (5) business days of discovery. If the Contractor does not have full details, it will report what information it has, and provide full details within 15 business days of discovery. To the extent possible, these reports must include the following: i. The identification of each individual whose PHI has been or may have been improperly accessed, acquired, used, or disclosed; ii. The nature of the unauthorized use or disclosure, including a brief description of what happened, the date of the event(s), and the date of discovery; iii. A description of the types of PHI involved; iv. The investigative and remedial actions the Contractor or its Subcontractor took or will take to prevent and mitigate harmful effects, and protect against recurrence; v. Any details necessary for a determination of the potential harm to individuals Enrollees whose PHI is believed to have been used or disclosed and the steps those individuals Enrollees should take to protect themselves; and vi. Any other information HCA or the County reasonably requests. b. B. The Contractor must take actions to mitigate the risk of loss and comply with any notification or other requirements imposed by law or HCA including but not limited to 45 C.F.R. Part 164, Subpart D, ; RCW 42.56.590; RCW 19.255.010; or WAC ▇▇▇284-▇▇-▇▇▇04- 625. c. If notification C. The Contractor must notify HCA in writing, as described in the General Terms and Conditions section, Notices, within two (2) business days of the Breach or possible Breach must, in judgement of HCA or the County, be made under the HIPAA Breach Notification Rule, or RCW 42.56.590 or RCW 19.255.010; or other law or rule, then: i. HCA or the County may choose to make any required notifications to the individuals, to the U.S. 
Department of Health and Human Services (DSHS) Secretary, and to the media, or direct Contractor to make them or any of them. ii. In any case, Contractor will pay reasonable costs of notification to individuals, media, and governmental agencies and of other actions HCA or the County reasonably considers appropriate to protect HCA clients, such as paying for their regular credit watches in some cases. iii. Contractor will compensate HCA clients for ▇▇▇▇▇ caused to them by any Breach or possible Breach. d. Contractor is responsible for all costs incurred in connection with a security incident, privacy Breach, or potential compromise of Data, including: i. Computer forensics assistance to assess the impact of a Data Breach, determine root cause, and help determine whether and the extend to which determining notification must be sent to enrollees. D. At HCA’s request, the Contractor will provide draft Enrollee notification to comply with Breach notification laws; ii. Notification and call center services for individuals affected by a security incident, or privacy Breach; iii. Breach resolution and mitigation services for individuals affected by a security incident or privacy Breach, including fraud prevention, credit monitoringHCA at least five (5) business days prior to notification, and identify theft assistance; and iv. Regulatory defense, fines, allow HCA an opportunity to review and penalties from any claim in comment on the form of a regulatory proceeding resulting from a violation of any applicable privacy or security law(s) or regulation(s)notifications. e. Any breach of this clause may result in termination E. At HCA’s request, the Contractor will coordinate its investigation and notifications with HCA and the Office of the Contractor and the demand for return or dispositionState of Washington Chief Information Officer (OCIO), as described above in Section 5, of all Confidential Informationapplicable. f. 
Contractor’s obligations regarding Breach notification survive the termination of this Contract and continue for as long as Contractor maintains the Confidential Information and for any Breach or possible preach at any time.

Appears in 1 contract

Sources: Interlocal Agreement

Data Breach Notification. a. A. The Breach or potential compromise of Data must be reported to the HCA Privacy Officer at ▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇.▇▇.▇▇▇ and the County Program Manager within 2 business days of discovery. If the Contractor does not have full details, it will report what information it has, and provide full details within 15 business days of discovery. To the extent possible, these reports must include the following: i. a. The identification of each individual whose PHI has been or may have been improperly accessed, acquired, used, or disclosed; ii. b. The nature of the unauthorized use or disclosure, including a brief description of what happened, the date of the event(s), and the date of discovery; iii. c. A description of the types of PHI involved; iv. d. The investigative and remedial actions the Contractor or its Subcontractor took or will take to prevent and mitigate harmful effects, and protect against recurrence; v. e. Any details necessary for a determination of the potential harm to individuals whose PHI is believed to have been used or disclosed and the steps those individuals should take to protect themselves; and vi. f. Any other information HCA or the County reasonably requests. b. B. The Contractor must take actions to mitigate the risk of loss and comply with any notification or other requirements imposed by law or HCA including but not limited to 45 C.F.R. Part 164, Subpart D, ; RCW 42.56.590; RCW 19.255.010; or WAC ▇▇▇-▇▇-▇▇▇. c. C. If notification of the Breach or possible Breach must, in the judgement of HCA or the CountyHCA, be made under the HIPAA Breach Notification Rule, or RCW 42.56.590 or RCW 19.255.010; , or other law or rule, then: i. a. HCA or the County may choose to make any required notifications to the individuals, to the U.S. Department of Health and Human Services (DSHSDHHS) Secretary, and to the media, or direct Contractor to make them or any of them. ii. b. 
In any case, Contractor will pay the reasonable costs of notification to individuals, media, and governmental agencies and of other actions HCA or the County reasonably considers appropriate to protect HCA clients, such as paying for their regular credit watches in some cases. iii. c. Contractor will compensate HCA clients for ▇▇▇▇▇ caused to them by any Breach or possible Breach. d. Contractor is responsible for all costs incurred in connection with a security incident, privacy Breach, or potential compromise of Data, including: i. Computer forensics assistance to assess the impact of a Data Breach, determine root cause, and help determine whether and the extend to which notification must be provide to comply with Breach notification laws; ii. Notification and call center services for individuals affected by a security incident, or privacy Breach; iii. Breach resolution and mitigation services for individuals affected by a security incident or privacy Breach, including fraud prevention, credit monitoring, and identify theft assistance; and iv. Regulatory defense, fines, and penalties from any claim in the form of a regulatory proceeding resulting from a violation of any applicable privacy or security law(s) or regulation(s). e. D. Any breach of this clause may result in termination of the Contractor and the demand for return or disposition, as described above in Section 55.3, of all Confidential Information. f. E. Contractor’s obligations regarding Breach notification survive the termination of this Contract and continue for as long as Contractor maintains the Confidential Information and for any Breach or possible preach Breach at any time.

Appears in 1 contract

Sources: Client Services Contract

Data Breach Notification. a. 9.1. The Breach or potential compromise of Data must be reported to the HCA Privacy Officer at ▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇.▇▇.▇▇▇ and the County Program Manager within 2 business days of discovery. If the Contractor does not have full details, it will report what information it has, and provide full details within 15 business days of discovery. To the extent possible, these reports must include the following: i. 9.1.1. The identification of each individual whose PHI has been or may have been improperly accessed, acquired, used, or disclosed; ii9.1.2. The nature of the unauthorized use or disclosure, including a brief description of what happened, the date of the event(s), and the date of discovery; iii9.1.3. A description of the types of PHI involved; iv9.1.4. The investigative and remedial actions the Contractor or its Subcontractor took or will take to prevent and mitigate harmful effects, and protect against recurrence; v. 9.1.5. Any details necessary for a determination of the potential harm to individuals whose PHI is believed to have been used or disclosed and the steps those individuals should take to protect themselves; and vi9.1.6. Any other information HCA or the County reasonably requests. b. 9.2. The Contractor must take actions to mitigate the risk of loss and comply with any notification or other requirements imposed by law or HCA including but not limited to 45 C.F.R. Part 164, Subpart D, ; RCW 42.56.590; RCW 19.255.010; or WAC ▇▇▇-▇▇-▇▇▇. c. 9.3. If notification of the Breach or possible Breach must, in the judgement of HCA or the CountyHCA, be made under the HIPAA Breach Notification Rule, or RCW 42.56.590 or RCW 19.255.010; , or other law or rule, then: i. 9.3.1. HCA or the County may choose to make any required notifications to the individuals, to the U.S. Department of Health and Human Services (DSHSDHHS) Secretary, and to the media, or direct Contractor to make them or any of them. ii9.3.2. 
In any case, Contractor will pay the reasonable costs of notification to individuals, media, and governmental agencies and of other actions HCA or the County reasonably considers appropriate to protect HCA clients, such as paying for their regular credit watches in some casessomecases. iii9.3.3. Contractor will compensate HCA clients for ▇▇▇▇▇ caused to them by any Breach or possible Breach. d. Contractor is responsible for all costs incurred in connection with a security incident, privacy Breach, or potential compromise of Data, including: i. Computer forensics assistance to assess the impact of a Data Breach, determine root cause, and help determine whether and the extend to which notification must be provide to comply with Breach notification laws; ii9.4. Notification and call center services for individuals affected by a security incident, or privacy Breach; iii. Breach resolution and mitigation services for individuals affected by a security incident or privacy Breach, including fraud prevention, credit monitoring, and identify theft assistance; and iv. Regulatory defense, fines, and penalties from any claim in the form of a regulatory proceeding resulting from a violation of any applicable privacy or security law(s) or regulation(s). e. Any breach of this clause may result in termination of the Contractor and the demand for return or disposition, as described above in Section 55.3, of all Confidential Information. f. 9.5. Contractor’s obligations regarding Breach notification survive the termination of this Contract and continue for as long as Contractor maintains the Confidential Information and for any Breach or possible preach Breach at any time.

Appears in 1 contract

Sources: Professional Services