Common use of Data Security and Confidentiality Clause in Contracts

Data Security and Confidentiality. The Contractor will use at least the same degree of care as required by the Payment Card Industry (PCI), not inconsistent with standards and practices codified as ISO 27001 and 27002, to prevent disclosing to third parties the Confidential Information of State of Florida Eligible Users as it employs to avoid unauthorized disclosure, publication or dissemination of its own Confidential Information of like character, but in no event less than reasonable care.

7.3.1 The Contractor shall maintain and secure adequate back-up files of all system and software documentation utilized to process data submissions. The Contractor shall develop data security procedures to ensure only authorized access to data submissions and databases by personnel for contracted activities. The Contractor shall develop data security procedures to ensure no unauthorized access to data submissions and databases by other individuals other than authorized by the Contract or designated representatives of the State. All data security procedures at a minimum must be in accordance with PCI standards including at rest and secure transmission encryption.

7.3.2 The Contractor will only divulge to a third party, including any regulatory agency or Subcontractor, any Confidential Information obtained by the Contractor or its agents, distributors, resellers, Subcontractors, officers, or employees as it deems necessary in the course of performing Contract work. The Contractor will make the State Data available only to individuals and entities who are assigned by the Contractor to perform the Services and only to the extent necessary for those individuals and entities to perform the specific responsibilities assigned to them in connection with the Contractor’s provision of the Services.

All employees, Subcontractors, or agents performing work under the Contract must comply with applicable provisions in Sections 7 and 8 of these Special Contract Conditions and specifically the section below titled “Payment Card Industry/Data Security Standard Certifications and Requirements”. The Contractor must maintain policies and procedures on who has access to secure data, how access is controlled, and the daily operation and management of systems consistent with PCard data management and security standards.

7.3.3 Payment Card Industry / Data Security Standard (“DSS”) Certifications and Requirements

7.3.3.1 The Contractor shall maintain PCI DSS accreditation and provide Attestation of Compliance (AOC) or proof thereof on a yearly basis and within sixty days of issuance.

7.3.3.2 The Contractor will provide options to protect cardholder information in accordance with PCI standards as follows:

Appears in 2 contracts

Sources: Contract for Purchasing Card Services, Contract for Purchasing Card Services