Data Breach Notification Seller will promptly notify Buyer of any actual or potential exposure or misappropriation of Buyer data ("breach") that comes to Seller's attention. Seller will cooperate with ▇▇▇▇▇ and in investigating any such breach, at ▇▇▇▇▇▇'s expense. Seller will likewise cooperate with Buyer and, as applicable, with law enforcement agencies in any effort to notify injured or potentially injured parties, and such cooperation will be at Seller's expense, except to the extent that the breach was caused by ▇▇▇▇▇. The remedies and obligations set forth in this subsection are in addition to any others Buyer may have, including, but not limited to, any requirements in the “Privacy, Confidentiality, and Security” provisions of this Agreement.
Breach Notification a. In the event of a Breach of unsecured PHI or disclosure that compromises the privacy or security of PHI obtained from DSHS or involving DSHS clients, Business Associate will take all measures required by state or federal law.
b. Business Associate will notify DSHS within one (1) business day by telephone and in writing of any acquisition, access, Use or disclosure of PHI not allowed by the provisions of this Contract or not authorized by HIPAA Rules or required by law of which it becomes aware which potentially compromises the security or privacy of the Protected Health Information as defined in 45 CFR 164.402 (Definitions).
c. Business Associate will notify the DSHS Contact shown on the cover page of this Contract within one (1) business day by telephone or e-mail of any potential Breach of security or privacy of PHI by the Business Associate or its Subcontractors or agents. Business Associate will follow telephone or e-mail notification with a faxed or other written explanation of the Breach, to include the following: date and time of the Breach, date Breach was discovered, location and nature of the PHI, type of Breach, origination and destination of PHI, Business Associate unit and personnel associated with the Breach, detailed description of the Breach, anticipated mitigation steps, and the name, address, telephone number, fax number, and e-mail of the individual who is responsible as the primary point of contact. Business Associate will address communications to the DSHS Contact. Business Associate will coordinate and cooperate with DSHS to provide a copy of its investigation and other information requested by DSHS, including advance copies of any notifications required for DSHS review before disseminating and verification of the dates notifications were sent.
d. If DSHS determines that Business Associate or its Subcontractor(s) or agent(s) is responsible for a Breach of unsecured PHI:
(1) requiring notification of Individuals under 45 CFR § 164.404 (Notification to Individuals), Business Associate bears the responsibility and costs for notifying the affected Individuals and receiving and responding to those Individuals’ questions or requests for additional information;
(2) requiring notification of the media under 45 CFR § 164.406 (Notification to the media), Business Associate bears the responsibility and costs for notifying the media and receiving and responding to media questions or requests for additional information;
(3) requiring notification of the U.S. Department of Health and Human Services Secretary under 45 CFR § 164.408 (Notification to the Secretary), Business Associate bears the responsibility and costs for notifying the Secretary and receiving and responding to the Secretary’s questions or requests for additional information; and
(4) DSHS will take appropriate remedial measures up to termination of this Contract.
Security Breach Notification In addition to the information enumerated in Article V, Section 4(1) of the DPA Standard Clauses, any Security Breach notification provided by the Provider to the LEA shall include:
a. A list of the students whose Student Data was involved in or is reasonably believed to have been involved in the breach, if known; and
b. The name and contact information for an employee of the Provider whom parents may contact to inquire about the breach.
Personal Data Breach Notification SAP will notify Customer without undue delay after becoming aware of any Personal Data Breach and provide reasonable information in its possession to assist Customer to meet Customer’s obligations to report a Personal Data Breach as required under Data Protection Law. SAP may provide such information in phases as it becomes available. Such notification shall not be interpreted or construed as an admission of fault or liability by SAP.
Procedures for Third Party Claims In the case of any claim for indemnification arising from a claim of a third-party other than an Infringement Claim subject to Section 13.3 above (a “Third-Party Claim”), a party seeking indemnification hereunder (each an “Indemnified Party”) shall give prompt written notice, following such Indemnified Party’s receipt of such claim or demand, to the party from which indemnity is sought (each an “Indemnifying Party”) of any claim or demand of which such Indemnified Party has knowledge and as to which it may request indemnification hereunder; provided, however, that failure to give such notice will not affect such Indemnified Party’s rights hereunder unless, and then solely to the extent that, the rights of the Indemnifying Parties from whom indemnity is sought are prejudiced as a result of such failure. The Indemnifying Party shall have the right (and if it elects to exercise such right, shall do so within twenty (20) days after receiving such notice from the Indemnified Party) to defend and to direct the defense against any such claim or demand, in its name or in the name of the Indemnified Party, as the case may be, at the expense of the Indemnifying Party, and with counsel selected by the Indemnifying Party; provided, that the Indemnifying Party shall be entitled to assume control of the defense of such action only if the Indemnifying Party acknowledges in writing its indemnity obligations and assumes and holds the Indemnified Party harmless from and against all Losses resulting from such Third-Party Claim; and provided further that the Indemnifying Party shall not be entitled to assume control of such defense if (i) the Indemnifying Party shall not have notified the Indemnified Party of its exercise of its right to defend such Third-Party claim within such twenty (20) day period; (ii) such claim or demand seeks an injunction or other equitable relief against the Indemnified Party, (iii) the Indemnified Party shall have reasonably concluded that (x) there is a conflict of interest between the Indemnified Party and the Indemnifying Party in the conduct of the defense of such claim or demand or (y) the Indemnified Party has one or more defenses not available to the Indemnifying Party, (iv) such claim relates to or arises in connection with any criminal proceeding, action, indictment, allegation or investigation, or (v) the appropriate court rules that the Indemnifying Party failed or is failing to vigorously prosecute or defend such Third-Party Claim. Notwithstanding anything in this Agreement to the contrary, the Indemnified Party shall, at the expense of the Indemnifying Party, cooperate with the Indemnifying Party, and keep the Indemnifying Party fully informed, in the defense of such claim or demand. The Indemnified Party shall have the right to participate in the defense of any claim or demand with counsel employed at its own expense; provided, however, that, in the case of any claim or demand described in clause (i) or (ii) of the second preceding sentence or as to which the Indemnifying Party shall not in fact have employed counsel to assume the defense of such claim or demand, the reasonable fees and disbursements of such counsel shall be at the expense of the Indemnifying Party. The Indemnifying Party shall have no indemnification obligations with respect to any such claim or demand which shall be settled by the Indemnified Party without the prior written consent of the Indemnifying Party, which consent shall not be unreasonably withheld, delayed or conditioned. The Indemnifying Party shall not settle any such claim without the prior written consent of the Indemnified Party (which consent shall not be unreasonably withheld, delayed or conditioned if such settlement is accompanied by a document releasing the Indemnified Party from all liability with respect to the matter in controversy that is binding, valid and enforceable against all applicable Parties). Notwithstanding the foregoing, if the Indemnified Party fails to object to the settlement within five (5) Business Days of receipt of a written notice from the Indemnifying Party containing the terms and condition of such settlement, the Indemnified Party shall be deemed to have consented to the settlement.