Information Requirements The Company covenants that, if at any time before the end of the Effectiveness Period the Company is not subject to the reporting requirements of the Exchange Act, it will cooperate with any Holder and take such further reasonable action as any Holder may reasonably request in writing (including, without limitation, making such reasonable representations as any such Holder may reasonably request), all to the extent required from time to time to enable such Holder to sell Registrable Securities without registration under the Securities Act within the limitation of the exemptions provided by Rule 144 and Rule 144A under the Securities Act and customarily taken in connection with sales pursuant to such exemptions. Upon the written request of any Holder, the Company shall deliver to such Holder a written statement as to whether it has complied with such filing requirements, unless such a statement has been included in the Company’s most recent report filed pursuant to Section 13 or Section 15(d) of the Exchange Act. Notwithstanding the foregoing, nothing in this Section 7 shall be deemed to require the Company to register any of its securities (other than the Common Stock) under any section of the Exchange Act.
Compliance with Safeguarding Customer Information Requirements The Servicer has implemented and will maintain security measures designed to meet the objectives of the Interagency Guidelines Establishing Standards for Safeguarding Customer Information published in final form on February 1, 2001, 66 Fed. Reg. 8616, and the rules promulgated thereunder, as amended from time to time (the “Guidelines”). The Servicer shall promptly provide the Seller information regarding the implementation of such security measures upon the reasonable request of the Seller.
New Hampshire Specific Data Security Requirements The Provider agrees to the following privacy and security standards from “the Minimum Standards for Privacy and Security of Student and Employee Data” from the New Hampshire Department of Education. Specifically, the Provider agrees to: (1) Limit system access to the types of transactions and functions that authorized users, such as students, parents, and LEA are permitted to execute; (2) Limit unsuccessful logon attempts; (3) Employ cryptographic mechanisms to protect the confidentiality of remote access sessions; (4) Authorize wireless access prior to allowing such connections; (5) Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity; (6) Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions; (7) Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; (8) Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services; (9) Enforce a minimum password complexity and change of characters when new passwords are created; (10) Perform maintenance on organizational systems; (11) Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance; (12) Ensure equipment removed for off-site maintenance is sanitized of any Student Data in accordance with NIST SP 800-88 Revision 1; (13) Protect (i.e., physically control and securely store) system media containing Student Data, both paper and digital; (14) Sanitize or destroy system media containing Student Data in accordance with NIST SP 800-88 Revision 1 before disposal or release for reuse; (15) Control access to media containing Student Data and maintain accountability for media during transport outside of controlled areas; (16) Periodically assess the security controls in organizational systems to determine if the controls are effective in their application and develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems; (17) Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems; (18) Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception); (19) Protect the confidentiality of Student Data at rest; (20) Identify, report, and correct system flaws in a timely manner; (21) Provide protection from malicious code (i.e., antivirus and antimalware) at designated locations within organizational systems; (22) Monitor system security alerts and advisories and take action in response; and (23) Update malicious code protection mechanisms when new releases are available.
Public Records Requirements Pursuant to Section 119.0701, F.S. Solely for the purpose of this section, the Department’s Contract Manager is the agency custodian of public records. If, under the Term Contract, the Contractor is providing services and is acting on behalf of the public agency, as provided in section 119.0701, F.S., the Contractor shall: i. Keep and maintain public records required by the Department to perform the service. ii. Upon request from the Department’s custodian of public records, provide the Department with a copy of the requested records or allow the records to be inspected or copied within a reasonable time at a cost that does not exceed the cost provided in Chapter 119, F.S., or as otherwise provided by law. iii. Ensure that public records that are exempt or confidential and exempt from public records disclosure are not disclosed except as authorized by law for the duration of the Term Contract term and following the completion of the Term Contract if the Contractor does not transfer the records to the Department. iv. Upon completion of the Term Contract, transfer, at no cost, to the Department all public records in possession of the Contractor or keep and maintain public records required by the Department to perform the service. If the Contractor transfers all public records to the Department upon completion of the contract, the Contractor shall destroy any duplicate public records that are exempt or confidential and exempt from public records disclosure requirements. If the Contractor keeps and maintains public records upon completion of the Term Contract, the Contractor shall meet all applicable requirements for retaining public records. All records stored electronically must be provided to the Department, upon request from the Department’s custodian of public records, in a format that is compatible with the information technology systems of the Department.
IF THE CONTRACTOR HAS QUESTIONS REGARDING THE APPLICATION OF CHAPTER 119, FLORIDA STATUTES, TO THE CONTRACTOR’S DUTY TO PROVIDE PUBLIC RECORDS RELATING TO THIS TERM CONTRACT, CONTACT THE DEPARTMENT’S CUSTODIAN OF PUBLIC RECORDS AT ▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇.▇▇.▇▇▇, (▇▇▇) ▇▇▇-▇▇▇▇ OR ▇▇▇▇ ▇▇▇▇▇▇▇▇▇ ▇▇▇,
Permitted and Required Uses/Disclosures of PHI 3.1 Except as limited in this Agreement, Business Associate may use or disclose PHI to perform Services, as specified in the underlying grant or contract with Covered Entity. The uses and disclosures of Business Associate are limited to the minimum necessary to complete the tasks or to provide the services associated with the terms of the underlying agreement. Business Associate shall not use or disclose PHI in any manner that would constitute a violation of the Privacy Rule if used or disclosed by Covered Entity in that manner. Business Associate may not use or disclose PHI other than as permitted or required by this Agreement or as Required by Law. 3.2 Business Associate may make PHI available to its employees who need access to perform Services provided that Business Associate makes such employees aware of the use and disclosure restrictions in this Agreement and binds them to comply with such restrictions. Business Associate may only disclose PHI for the purposes authorized by this Agreement: (a) to its agents and Subcontractors in accordance with Sections 9 and 17 or (b) as otherwise permitted by Section 3. 3.3 Business Associate shall be directly liable under HIPAA for impermissible uses and disclosures of the PHI it handles on behalf of Covered Entity, and for impermissible uses and disclosures, by Business Associate’s Subcontractor(s), of the PHI that Business Associate handles on behalf of Covered Entity and that it passes on to Subcontractors.