Common use of Data Breach Response Clause in Contracts

Data Breach Response. a. If the nature of the Work involves Vendor Group equipment, software, product(s), host(s), network(s), or environment(s) that may expose University Data to a potential Data Breach, then Vendor shall have an appropriate incident response plan. University may, at its discretion, require Vendor to participate in response planning for Data Breach scenarios and/or “lessons learned” activities following an event that was or might have been a Data Breach. b. If Vendor has reason to believe that Data Breach(es) may have occurred on any of Vendor Groups’ equipment, software, products, host(s), network(s), or environment(s), then Vendor shall promptly (and shall not exceed the time periods as may be required by applicable law) alert the University while also taking such immediate actions as may be necessary to preserve relevant evidence, identity the nature of the event, and contain any Data Breach. As soon as becomes practicable, Vendor shall provide the University a written notice describing the Data Breach incident, and provide University further information updates to help University understand the nature and scope of the event. Vendor shall advise University as to what information and assistance is needed from University in order to eliminate the cause, and mitigate the adverse effects of any Data Breach. Vendor shall prioritize devoting sufficient resources as may be required for this effort. c. University may direct Vendor to provide notice and credit monitoring, at Vendor’s expense, to the third parties (such as private individuals, entities, and official bodies) determined by University to require notification, or University may do so itself. Unless Vendor is compelled by law to provide notification to third parties in a particular manner, University shall control the time, place, and manner of such notification. d. If recovery from the adverse effects of the Data Breach necessitates Vendor’s assistance in the reinstallation of Vendor Group’s technology product(s) (including hardware or software) that are connected with the Work, then Vendor shall cause such assistance in reinstallation to be provided. If Vendor Group is responsible for the Data Breach, then reinstallation assistance shall be at no cost to the University. e. If it appears to the University, in its sole discretion, that services or technology provided by the Vendor are a source of the Data Breach, and present an unreasonable risk, then the University may opt to discontinue use of that source of the Data Breach and the University’s corresponding payment obligations under the Contract shall be adjusted equitably.

Data Breach Response. a. If the nature of the Work involves Vendor Group equipment, software, product(s), host(s), network(s), or environment(s) that may expose University Data to a potential Data Breach, then Vendor 1. The Contractor shall have an appropriate incident response plan. University maysufficient capabilities for detecting, at its discretionidentifying, require Vendor and responding to participate in response planning for Data Breach scenarios and/or “lessons learned” activities following an event that was or might have been a Data Breach. b. 2. If Vendor the Contractor has reason to believe that a Data Breach(es) Breach has occurred, then, without undue delay, the Contractor shall notify the University of said Data Breach. Such notification to the University shall include sufficient information to enable the University to meet its obligations under applicable law. 3. In the event of a Data Breach, the Contractor shall cooperate with the University and immediately: a. Investigate and identify the nature of the Data Breach; b. Preserve relevant evidence; c. Contain, remediate, and mitigate the Data Breach; and d. Notify the University of any additional or newly-emerged information beyond the initial Data Breach notification to the University described in § H.2. 4. In the event of a Data Breach caused in whole or part by the Contractor: a. The University may have occurred on any of Vendor Groups’ equipmentinstruct the Contractor, softwareat the Contractor’s expense, products, host(s), network(s), or environment(s), then Vendor shall promptly (and shall not exceed the time periods as may be to provide: i. Notice when required by applicable law) alert , or when a Data Breach could result in harm to individuals and/or risk to the University; and/or ii. Services such as credit monitoring or identity theft protection to individuals when the absence of such services could result in harm to individuals and/or individuals would have a reasonable expectation that such services be provided. b. Alternatively, the University while also taking such immediate actions as may be necessary elect to preserve relevant evidence, identity the nature of the event, and contain any Data Breach. As soon as becomes practicable, Vendor shall provide the University a written aforementioned notice describing the Data Breach incident, and provide University further information updates to help University understand the nature and scope of the event. Vendor shall advise University as to what information and assistance is needed from University in order to eliminate the cause, and mitigate the adverse effects of any Data Breach. Vendor shall prioritize devoting sufficient resources as may be required for this effortservices itself. c. University may direct Vendor to provide notice and credit monitoring5. Notwithstanding the foregoing, at Vendor’s expense, to unless the third parties (such as private individuals, entities, and official bodies) determined by University to require notification, or University may do so itself. Unless Vendor Contractor is compelled required by law to provide notification to third parties the aforementioned notice and/orservices in a particular manner, the University shall control the time, place, content, and manner of such notificationnotice and services. d. If recovery from the adverse effects of the Data Breach necessitates Vendor’s assistance in the reinstallation of Vendor Group’s technology product(s) (including hardware or software) that are connected with the Work, then Vendor shall cause such assistance in reinstallation to be provided. If Vendor Group is responsible for the Data Breach, then reinstallation assistance shall be at no cost to the University. e. If it appears to the University, in its sole discretion, that services or technology provided by the Vendor are a source of the Data Breach, and present an unreasonable risk, then the University may opt to discontinue use of that source of the Data Breach and the University’s corresponding payment obligations under the Contract shall be adjusted equitably.

Data Breach Response. a. If the nature of the Work involves Vendor Contractor Group equipment, software, product(s), host(s), network(s), or environment(s) that may expose University Data to a potential Data Breach, then Vendor Contractor shall have an appropriate incident response plan. University may, at its discretion, require Vendor request Contractor to participate in response planning for Data Breach scenarios and/or “lessons learned” activities following an event that was or might have been a Data Breach. b. If Vendor the Contractor has reason to believe that a Data Breach(es) may have occurred on Breach has occurred, then, without undue delay, the CONTRACTOR shall notify the University of said Data Breach. Such notification to the University shall include sufficient information to enable the University to meet its obligations under applicable law. c. In the event of a Data Breach, the CONTRACTOR shall cooperate with the University to: i. Investigate and identify the nature of the Data Breach; ii. Preserve relevant evidence; iii. Contain, remediate, and mitigate the Data Breach; and iv. Notify the University of any additional or newly-emerged information beyond the initial Data Breach notification to the University described above. d. In the event of Vendor Groups’ equipmenta Data Breach caused in whole or part by the CONTRACTOR, softwarethe University may i. instruct the CONTRACTOR, productsat the CONTRACTOR’s expense, host(s), network(s), or environment(s), then Vendor shall promptly (and shall not exceed the time periods as may be to provide notice when required by applicable law) alert , or when a Data Breach could result in harm to individuals and/or risk to the University; ii. and/or Services such as credit monitoring or identity theft protection to individuals when the absence of such services could result in harm to individuals and/or individuals would have a reasonable expectation that such services be provided. iii. Alternatively, the University while also taking such immediate actions as may be necessary elect to preserve relevant evidence, identity the nature of the event, and contain any Data Breach. As soon as becomes practicable, Vendor shall provide the University a written aforementioned notice describing the Data Breach incident, and provide University further information updates to help University understand the nature and scope of the event. Vendor shall advise University as to what information and assistance is needed from University in order to eliminate the cause, and mitigate the adverse effects of any Data Breach. Vendor shall prioritize devoting sufficient resources as may be required for this effortservices itself. c. University may direct Vendor to provide notice and credit monitoring, at Vendor’s expense, to the third parties (such as private individuals, entities, and official bodies) determined by University to require notification, or University may do so itself. Unless Vendor is compelled by law to provide notification to third parties in a particular manner, University shall control the time, place, and manner of such notification. d. e. If recovery from the adverse effects of the Data Breach necessitates VendorContractor’s assistance in the reinstallation of Vendor Contractor Group’s technology product(s) (including hardware or software) that are connected with the Work, then Vendor Contractor shall cause such assistance in reinstallation to be provided. If Vendor Contractor Group is responsible for the Data Breach, then reinstallation assistance shall be at no cost to the University. e. f. If it appears to the University, in its sole discretion, that services or technology provided by the Vendor Contractor are a source of the Data Breach, and present an unreasonable risk, then the University may opt to discontinue use of that source of the Data Breach and the University’s corresponding payment obligations under the Contract shall be adjusted equitably.