DATA SECURITY AND COMPLIANCE. 11.1 The Consultant shall employ appropriate security practices to protect USNH data under the “Consultant’s Control”, here defined as data on the Consultant’s networks and on the servers and other devices connected to Consultant’s network, while on Consultant’s personal computers and backups, in Consultant’s e-mail, while being transmitted or transported by the consultant, and while stored in Consultant’s office or other facilities. The Consultant understands that “Restricted Information”, as defined by USNH, requires protection mandated by legal requirements and that as a service provider to or representative of USNH, the Consultant has the same duty to protect that information as does USNH. The Consultant agrees to fill out the UNH Technology Vendor Questionnaire and to include the answers as an exhibit in the signed contract. USNH reserves the final determination whether the answers provided by the consultant are applicable and sufficient. The Consultant affirms that the Consultant is aware of and understands all laws and regulations that are applicable to the services provided under this contract. These laws and regulations may include, but are not limited to FERPA, HIPAA, GLB, FTC Red Flags Rule and NH RSA 359-C:20.
11.2 The Consultant shall be responsible for compliance with all notification, reporting, and other legal requirements relating to any unauthorized release of data under the Consultant’s Control, or other breach of security including but not limited to NH RSA 359-C:20, entitled “Notification of Security Breach Required.” Consultant shall also be responsible for compliance with all notification, reporting, and other legal requirements relating to any unauthorized release of data or other breach of security that arises out of any act or failure to act on the part of Consultant, regardless of whether such act or failure to act was negligent, grossly negligent, or intentional. Under any circumstance covered by this section, USNH, at its sole discretion, may also comply with any notification, reporting, or other legal requirement, provided, however, that USNH’s compliance shall not relieve Consultant of any of its responsibilities set forth in this section or otherwise existing under applicable law.
11.3 USNH has developed an Identity Theft Prevention Program pursuant to the Federal Trade Commission’s (FTC) Red Flags Rule, which implements Section 114 of the Fair and Accurate Credit Transactions Act of 2003. The Consultant is or shall become familiar with the Red Flags Rule. That can be done through the following link to the FTC web site video: ▇▇▇▇://▇▇▇.▇▇▇.▇▇▇/bcp/edu/microsites/redflagsrule/video.shtm. The Consultant shall train self and employees to look for Red Flags. Whether or not the Consultant’s services are directly subject to the Red Flags Rule, if the Consultant encounters a potential Red Flag such as but not limited to a person presenting identifying information or materials that do not belong to them, or repeatedly presenting incorrect authentication credentials such as incorrect passwords, the Consultant shall take steps to stop inappropriate access to services and/or information, and shall notify USNH immediately by contacting the hiring administrator who signed this agreement.
Appears in 1 contract
Sources: Consultant Agreement
DATA SECURITY AND COMPLIANCE. 11.1 The Consultant shall employ appropriate security practices to protect USNH data under the “Consultant’s Control”, here defined as data on the Consultant’s networks and on the servers and other devices connected to Consultant’s network, while on Consultant’s personal computers and backups, in Consultant’s e-mail, while being transmitted or transported by the consultant, and while stored in Consultant’s office or other facilities. The Consultant understands that “Restricted Information”, as defined by USNH, requires protection mandated by legal requirements and that as a service provider to or representative of USNH, the Consultant has the same duty to protect that information as does USNH. The Consultant agrees to provide the information necessary to complete the USNH Vendor Security Assessment Review process, if required based on the institutional information involved. USNH reserves the final determination whether the information provided by the Consultant is applicable and sufficient to ensure appropriate cybersecurity practices and controls will be used to protect the institutional information. The Consultant affirms that the Consultant is aware of and understands all laws and regulations that are applicable to the services provided under this contract. These laws and regulations may include, but are not limited to FERPA, HIPAA, GLB, FTC Red Flags Rule and NH RSA 359-C:20.
11.2 The Consultant shall be responsible for compliance with all notification, reporting, and other legal requirements relating to any unauthorized release of data under the Consultant’s Control, or other breach of security including but not limited to NH RSA 359-C:20, entitled “Notification of Security Breach Required.” Consultant shall also be responsible for compliance with all notification, reporting, and other legal requirements relating to any unauthorized release of data or other breach of security that arises out of any act or failure to act on the part of Consultant, regardless of whether such act or failure to act was negligent, grossly negligent, or intentional. Under any circumstance covered by this section, USNH, at its sole discretion, may also comply with any notification, reporting, or other legal requirement, provided, however, that USNH’s compliance shall not relieve Consultant of any of its responsibilities set forth in this section or otherwise existing under applicable law.
11.3 USNH has developed an Identity Theft Prevention Program pursuant to the Federal Trade Commission’s (FTC) Red Flags Rule, which implements Section 114 of the Fair and Accurate Credit Transactions Act of 2003. The Consultant is or shall become familiar with the Red Flags Rule. That can be done through the following link to the FTC web site video: ▇▇▇▇://▇▇▇.▇▇▇.▇▇▇/bcp/edu/microsites/redflagsrule/video.shtm. The Consultant shall train self and employees to look for Red Flags. Whether or not the Consultant’s services are directly subject to the Red Flags Rule, if the Consultant encounters a potential Red Flag such as but not limited to a person presenting identifying information or materials that do not belong to them, or repeatedly presenting incorrect authentication credentials such as incorrect passwords, the Consultant shall take steps to stop inappropriate access to services and/or information, and shall notify USNH immediately by contacting the hiring administrator who signed this agreement.
Appears in 1 contract
Sources: Consultant Agreement