Documenting and Reporting Breaches 6.1 Business Associate shall report to Covered Entity any Breach of Unsecured PHI, including Breaches reported to it by a Subcontractor, as soon as it (or any of its employees or agents) becomes aware of any such Breach, and in no case later than two (2) business days after it (or any of its employees or agents) becomes aware of the Breach, except when a law enforcement official determines that a notification would impede a criminal investigation or cause damage to national security.
6.2 Business Associate shall provide Covered Entity with the names of the individuals whose Unsecured PHI has been, or is reasonably believed to have been, the subject of the Breach and any other available information that is required to be given to the affected individuals, as set forth in 45 CFR § 164.404(c), and, if requested by Covered Entity, information necessary for Covered Entity to investigate the impermissible use or disclosure. Business Associate shall continue to provide to Covered Entity information concerning the Breach as it becomes available to it. Business Associate shall require its Subcontractor(s) to agree to these same terms and conditions.
6.3 When Business Associate determines that an impermissible acquisition, use or disclosure of PHI by a member of its workforce is not a Breach, as that term is defined in 45 CFR § 164.402, and therefore does not necessitate notice to the impacted individual(s), it shall document its assessment of risk, conducted as set forth in 45 CFR § 402(2). When requested by Covered Entity, Business Associate shall make its risk assessments available to Covered Entity. It shall also provide Covered Entity with 1) the name of the person(s) making the assessment, 2) a brief summary of the facts, and 3) a brief statement of the reasons supporting the determination of low probability that the PHI had been compromised. When a breach is the responsibility of a member of its Subcontractor’s workforce, Business Associate shall either 1) conduct its own risk assessment and draft a summary of the event and assessment or 2) require its Subcontractor to conduct the assessment and draft a summary of the event. In either case, Business Associate shall make these assessments and reports available to Covered Entity.
6.4 Business Associate shall require, by contract, a Subcontractor to report to Business Associate and Covered Entity any Breach of which the Subcontractor becomes aware, no later than two (2) business days after becomes aware of the Breach.
Data Breaches Contractor shall notify the School District in writing as soon as commercially practicable, however no later than forty-eight (48) hours, after Contractor has either actual or constructive knowledge of a breach which affects the School District’s Data (an “Incident”) unless it is determined by law enforcement that such notification would impede or delay their investigation. Contractor shall have actual or constructive knowledge of an Incident if Contractor actually knows there has been an Incident or if Contractor has reasonable basis in facts or circumstances, whether acts or omissions, for its belief that an Incident has occurred. The notification required by this section shall be made as soon as commercially practicable after the law enforcement agency determines that notification will not impede or compromise the investigation. Contractor shall cooperate with law enforcement in accordance with applicable law provided however, that such cooperation shall not result in or cause an undue delay to remediation of the Incident. Contractor shall promptly take appropriate action to mitigate such risk or potential problem at Contractor’s or OPERATOR’s expense. In the event of an Incident, Contractor shall, at its sole cost and expense, restore the Confidential Information, to as close its original state as practical, including, without limitation any and all Data, and institute appropriate measures to prevent any recurrence of the problem as soon as is commercially practicable. Contractor will conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner. Contractor will also have a written incident response plan, to include prompt notification of the District in the event of a security or privacy incident, as well as best practices for responding to a breach of PII.
TERMINATION AND BREACH 9.1 Either party may terminate the Licence upon giving the other not less than 3 months written notice served so as to expire on any anniversary of the Commencement Date.
9.2 If the Licensee commits any material breach of any of the provisions of this Licence and remains in breach fourteen (14) days after receiving notice to remedy such breach (where the breach is remediable) then CLA, without prejudice to any of its other rights, may by notice either terminate the Licence or suspend the Licence until CLA shall be satisfied such breaches will not recur.
9.3 Either party may terminate the Licence by notice in writing to the other if and when a supervisor, receiver, administrator, administrative receiver or other encumbrancer takes possession of, or is appointed over, the whole or any substantial part of the other party’s assets or if and when the other party enters into any arrangement or composition with or for the benefit of its creditors (including any voluntary arrangement under the Insolvency Act 1986) or if and when a petition is presented for the purpose of the making of an administration order or the winding-up of the other party which is not discharged within seven (7) days of the presentation of such a petition or if the other party is placed into liquidation or administration or if the other party is dissolved or if a resolution for the winding-up of the other party is passed (other than a voluntary liquidation for the purpose of reconstruction in which all creditors’ claims will be discharged in full) or if a bankruptcy petition is presented against the other party which is not discharged within seven (7) days of its presentation.
Reporting and Monitoring Please provide a brief description of the mechanisms proposed for this project for reporting to the UNDP and partners, including a reporting schedule.
Data Breach In the event of an unauthorized release, disclosure or acquisition of Student Data that compromises the security, confidentiality or integrity of the Student Data maintained by the Provider the Provider shall provide notification to LEA within seventy-two (72) hours of confirmation of the incident, unless notification within this time limit would disrupt investigation of the incident by law enforcement. In such an event, notification shall be made within a reasonable time after the incident. Provider shall follow the following process:
(1) The security breach notification described above shall include, at a minimum, the following information to the extent known by the Provider and as it becomes available:
i. The name and contact information of the reporting LEA subject to this section.
ii. A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.
iii. If the information is possible to determine at the time the notice is provided, then either
(1) the date of the breach, (2) the estimated date of the breach, or (3) the date range within which the breach occurred. The notification shall also include the date of the notice.
iv. Whether the notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided; and
v. A general description of the breach incident, if that information is possible to determine at the time the notice is provided.
(2) Provider agrees to adhere to all federal and state requirements with respect to a data breach related to the Student Data, including, when appropriate or required, the required responsibilities and procedures for notification and mitigation of any such data breach.
(3) Provider further acknowledges and agrees to have a written incident response plan that reflects best practices and is consistent with industry standards and federal and state law for responding to a data breach, breach of security, privacy incident or unauthorized acquisition or use of Student Data or any portion thereof, including personally identifiable information and agrees to provide ▇▇▇, upon request, with a summary of said written incident response plan.
(4) LEA shall provide notice and facts surrounding the breach to the affected students, parents or guardians.
(5) In the event of a breach originating from ▇▇▇’s use of the Service, Provider shall cooperate with ▇▇▇ to the extent necessary to expeditiously secure Student Data.