Common use of Security Breach Notification Clause in Contracts

Security Breach Notification. In the event Contractor becomes aware of any act, error or omission, negligence, misconduct, or security incident including unsecure or improper data disposal, theft, loss, unauthorized use and disclosure or access, that compromises or is suspected to compromise the security, availability, confidentiality, and/or integrity of County data or the physical, technical, administrative, or organizational safeguards required under this Contract that relate to the security, availability, confidentiality, and/or integrity of County data, Contractor shall, at its own expense, (1) immediately (or within 24 hours of potential or CPS0221-03-A4 Page 4 of 7 April 17, 2024 suspected breach), notify the County’s Chief Information Security Officer and County Privacy Officer of such occurrence; (2) perform a root cause analysis of the actual, potential, or suspected breach; (3) provide a remediation plan that is acceptable to County within 30 days of verified breach, to address the occurrence of the breach and prevent any further incidents; (4) conduct a forensic investigation to determine what systems, data, and information have been affected by such event; and (5) cooperate with County and any law enforcement or regulatory officials investigating such occurrence, including but not limited to making available all relevant records, forensics, investigative evidence, logs, files, data reporting, and other materials required to comply with applicable law or as otherwise required by County and/or any law enforcement or regulatory officials, and (6) perform or take any other actions required to comply with applicable law as a result of the occurrence (at the direction of County). County shall make the final decision on notifying County officials, entities, employees, service providers, and/or the general public of such occurrence, and the implementation of the remediation plan. If notification to particular persons is required under any law or pursuant to any of County’s privacy or security policies, then notifications to all persons and entities who are affected by the same event shall be considered legally required. Contractor shall reimburse County for all notification and related costs incurred by County arising out of or in connection with any such occurrence due to Contractor’s acts, errors or omissions, negligence, and/or misconduct resulting in a requirement for legally required notifications. In the case of a breach, Contractor shall provide third-party credit and identity monitoring services to each of the affected individuals for the period required to comply with applicable law, or, in the absence of any legally required monitoring services, for no less than twelve (12) months following the date of notification to such individuals. Contractor shall indemnify, defend with counsel approved in writing by County, and hold County and County Indemnitees harmless from and against any and all claims, including reasonable attorney’s fees, costs, and expenses incidental thereto, which may be suffered by, accrued against, charged to, or recoverable from County in connection with the occurrence. ▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇, MBA, CISSP Chief Information Security Officer ▇▇▇▇ ▇. ▇▇▇▇ ▇▇., ▇▇▇ ▇▇▇▇▇ Santa Ana, CA 92701 Phone: (▇▇▇) ▇▇▇-▇▇▇▇ County Privacy Officer ▇▇▇▇ ▇. ▇▇▇▇ ▇▇., ▇▇▇ ▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ Phone: (▇▇▇) ▇▇▇-▇▇▇▇ County of Orange Social Services Agency Contracts Services ▇▇▇ ▇. ▇▇▇▇▇ ▇▇▇▇▇▇▇ ▇▇▇▇, ▇▇▇▇▇ ▇▇▇ ▇▇▇▇▇▇, ▇▇ ▇▇▇▇▇ CPS0221-03-A4 Page 5 of 7 April 17, 2024

Security Breach Notification. In the event Contractor becomes aware of any act, error or omission, negligence, misconduct, or security incident including unsecure or improper data disposal, theft, loss, unauthorized use and disclosure or access, that compromises or is suspected to compromise the security, availability, confidentiality, and/or integrity of County data or the physical, technical, administrative, or organizational safeguards required under this Contract that relate to the security, availability, confidentiality, and/or integrity of County data, Contractor shall, at its own expense, (1) immediately (or within 24 hours of potential or CPS0221-03-A4 Page 4 of 7 April 17, 2024 suspected breach), notify the County’s Chief Information Security Officer and County Privacy Officer of such occurrence; (2) perform a root cause analysis of the actual, potential, or CPS0221-05-A1 Page 4 of 7 April 17, 2024 suspected breach; (3) provide a remediation plan that is acceptable to County within 30 days of verified breach, to address the occurrence of the breach and prevent any further incidents; (4) conduct a forensic investigation to determine what systems, data, and information have been affected by such event; and (5) cooperate with County and any law enforcement or regulatory officials investigating such occurrence, including but not limited to making available all relevant records, forensics, investigative evidence, logs, files, data reporting, and other materials required to comply with applicable law or as otherwise required by County and/or any law enforcement or regulatory officials, and (6) perform or take any other actions required to comply with applicable law as a result of the occurrence (at the direction of County). County shall make the final decision on notifying County officials, entities, employees, service providers, and/or the general public of such occurrence, and the implementation of the remediation plan. If notification to particular persons is required under any law or pursuant to any of County’s privacy or security policies, then notifications to all persons and entities who are affected by the same event shall be considered legally required. Contractor shall reimburse County for all notification and related costs incurred by County arising out of or in connection with any such occurrence due to Contractor’s acts, errors or omissions, negligence, and/or misconduct resulting in a requirement for legally required notifications. In the case of a breach, Contractor shall provide third-party credit and identity monitoring services to each of the affected individuals for the period required to comply with applicable law, or, in the absence of any legally required monitoring services, for no less than twelve (12) months following the date of notification to such individuals. Contractor shall indemnify, defend with counsel approved in writing by County, and hold County and County Indemnitees harmless from and against any and all claims, including reasonable attorney’s fees, costs, and expenses incidental thereto, which may be suffered by, accrued against, charged to, or recoverable from County in connection with the occurrence. ▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇, MBA, CISSP Chief Information Security Officer ▇▇▇▇ ▇. ▇▇▇▇ ▇▇., ▇▇▇ ▇▇▇▇▇ Santa Ana, CA 92701 Phone: (▇▇▇) ▇▇▇-▇▇▇▇ County Privacy Officer ▇▇▇▇ ▇. ▇▇▇▇ ▇▇., ▇▇▇ ▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ Phone: (▇▇▇) ▇▇▇-▇▇▇▇ County of Orange Social Services Agency Contracts Services ▇▇▇ ▇. ▇▇▇▇▇ ▇▇▇▇▇▇▇ ▇▇▇▇, ▇▇▇▇▇ ▇▇▇ ▇▇▇▇▇▇, ▇▇ ▇▇▇▇▇ CPS0221-0305-A4 A1 Page 5 of 7 April 17, 2024

Security Breach Notification. In the event Contractor becomes aware of any act, error or omission, negligence, misconduct, or security incident including unsecure or improper data disposal, theft, loss, unauthorized use and disclosure or access, that compromises or is suspected to compromise the security, availability, confidentiality, and/or integrity of County data or the physical, technical, administrative, or organizational safeguards required under this Contract that relate to the security, availability, confidentiality, and/or integrity of County data, Contractor shall, at its own expense, (1) immediately (or within 24 hours of potential or CPS0221-03-A4 Page 4 of 7 April 17, 2024 suspected breach), notify the County’s Chief Information Security Officer and County Privacy Officer of such occurrence; (2) perform a root cause analysis of the actual, potential, or suspected breach; (3) provide a remediation plan that is acceptable to County within 30 days of verified breach, to address the occurrence of the breach and prevent any further incidents; (4) conduct a forensic investigation to determine what systems, data, and information have been affected by such event; and (5) cooperate with County and any law enforcement or regulatory officials investigating such occurrence, including but not limited to making available all relevant records, forensics, investigative evidence, logs, files, data reporting, and other materials required to comply with applicable law or as otherwise required by County and/or any law enforcement or regulatory officials, and (6) perform or take any other actions required to comply with applicable law as a result of the occurrence (at the direction of County). County shall make the final decision on notifying County officials, entities, employees, service providers, and/or the general public of such occurrence, and the implementation of the remediation plan. If notification to particular persons is required under any law or pursuant to any of County’s privacy or security policies, then notifications to all persons and entities who are affected by the same event shall be considered legally required. Contractor shall reimburse County for all notification and related costs incurred by County arising out of or in connection with any such occurrence due to Contractor’s acts, errors or omissions, negligence, and/or misconduct resulting in a requirement for legally required notifications. In the case of a breach, Contractor shall provide third-party credit and identity monitoring services to each of the affected individuals for the period required to comply with applicable law, or, in the absence of any legally required monitoring services, for no less than twelve (12) months following the date of notification to such individuals. Contractor shall indemnify, defend with counsel approved in writing by County, and hold County and County Indemnitees harmless from and against any and all claims, including reasonable attorney’s fees, costs, and expenses incidental thereto, which may be suffered by, accrued against, charged to, or recoverable from County in connection with the occurrence. ▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇, MBA, CISSP Chief Information Security Officer ▇▇▇▇ ▇. ▇▇▇▇ ▇▇., ▇▇▇ ▇▇▇▇▇ Santa Ana, CA 92701 PhoneNotification shall be sent to: (▇▇▇) ▇▇▇-▇▇▇▇ County Privacy Officer ▇▇▇▇ ▇. ▇▇▇▇ ▇▇., ▇▇▇ ▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ Phone: (▇▇▇) ▇▇▇-▇▇▇▇ County of Orange Social Services Agency Contracts Services ▇▇▇ ▇. ▇▇▇▇▇ ▇▇▇▇▇▇▇ ▇▇▇▇, ▇▇▇▇▇ ▇▇▇ ▇▇▇▇▇▇, ▇▇ ▇▇▇▇▇ CPS0221-03-A4 Page 5 of 7 April 17, 2024Attachment C Staffing Plan

Security Breach Notification. In the event Contractor becomes aware of any act, error or omission, negligence, misconduct, or security incident including unsecure or improper data disposal, theft, loss, unauthorized use and disclosure or access, that compromises or is suspected to compromise the security, availability, confidentiality, and/or integrity of County data or the physical, technical, administrative, or organizational safeguards required under this Contract that relate to the security, availability, confidentiality, and/or integrity of County data, Contractor shall, at its own expense, (1) immediately (or within 24 hours of potential or CPS0221-03-A4 Page 4 of 7 April 17, 2024 suspected breach), notify the County’s Chief Information Security Officer and County Privacy Officer of such occurrence; (2) perform a root cause analysis of the actual, potential, or suspected breach; (3) provide a remediation plan that is acceptable to County within 30 days of verified breach, to address the occurrence of the breach and prevent any further incidents; (4) conduct a forensic investigation to determine what systems, data, and information have been affected by such event; and (5) cooperate with County and any law enforcement or regulatory officials investigating such occurrence, including but not limited to making available all relevant records, forensics, investigative evidence, logs, files, data reporting, and other materials required to comply with applicable law or as otherwise required by County and/or any law enforcement or regulatory officials, and (6) perform or take any other actions required to comply with applicable law as a result of the occurrence (at the direction of County). County shall make the final decision on notifying County officials, entities, employees, service providers, and/or the general public of such occurrence, and the implementation of the remediation plan. If notification to particular persons is required under any law or pursuant to any of County’s privacy or security policies, then notifications to all persons and entities who are affected by the same event shall be considered legally required. Contractor shall reimburse County for all notification and related costs incurred by County arising out of or in connection with any such occurrence due to Contractor’s acts, errors or omissions, negligence, and/or misconduct resulting in a requirement for legally required notifications. In the case of a breach, Contractor shall provide third-party credit and identity monitoring services to each of the affected individuals for the period required to comply with applicable law, or, in the absence of any legally required monitoring services, for no less than twelve (12) months following the date of notification to such individuals. Contractor shall indemnify, defend with counsel approved in writing by County, and hold County and County Indemnitees harmless from and against any and all claims, including reasonable attorney’s fees, costs, and expenses incidental thereto, which may be suffered by, accrued against, charged to, or recoverable from County in connection with the occurrence. ▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇, MBA, CISSP ▇ Chief Information Security Officer ▇▇▇▇ ▇. ▇▇▇▇ ▇▇., ▇▇▇ ▇▇▇▇▇ Santa Ana▇▇▇▇▇ ▇▇▇, CA 92701 ▇▇ ▇▇▇▇▇ Phone: (▇▇▇) ▇▇▇-▇▇▇▇ ▇▇▇▇▇▇.▇▇▇▇▇▇▇@▇▇▇▇.▇▇▇▇▇.▇▇▇ ▇▇▇▇▇ ▇▇, CHPC, CHC, CHP County Privacy Officer ▇▇▇▇ ▇. ▇▇▇▇ ▇▇., ▇▇▇ ▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ Phone: (▇▇▇) ▇▇▇-▇▇▇▇ County of Orange Social Services Agency Contracts Services ▇▇▇ ▇. ▇▇▇▇▇ ▇▇▇▇▇.▇▇ ▇@▇▇▇▇, ▇▇▇▇▇ ▇▇▇ .▇▇▇▇▇▇, ▇▇ .▇▇▇▇▇ CPS0221-03-A4 Page 5 of 7 April 17, 2024

Security Breach Notification. In the event Contractor becomes aware of any act, error or omission, negligence, misconduct, or security incident including unsecure or improper data disposal, theft, loss, unauthorized use and disclosure or access, that compromises or is suspected to compromise the security, availability, confidentiality, and/or integrity of County data or the physical, technical, administrative, or organizational safeguards required under this Contract that relate to the security, availability, confidentiality, and/or integrity of County data, Contractor shall, at its own expense, (1) immediately (or within 24 hours of potential or CPS0221-03-A4 Page 4 of 7 April 17, 2024 suspected breach), notify the County’s Chief Information Security Officer and County Privacy Officer of such occurrence; (2) perform a root cause analysis of the actual, potential, or suspected breach; (3) provide a remediation plan that is acceptable to County within 30 days of verified breach, to address the occurrence of the breach and prevent any further incidents; (4) conduct a forensic investigation to determine what systems, data, and information have been affected by such event; and (5) cooperate with County and any law enforcement or regulatory officials investigating such occurrence, including but not limited to making available all relevant records, forensics, investigative evidence, logs, files, data reporting, and other materials required to comply with applicable law or as otherwise required by County and/or any law enforcement or regulatory officials, and (6) perform or take any other actions required to comply with applicable law as a result of the occurrence (at the direction of County). County shall make the final decision on notifying County officials, entities, employees, service providers, and/or the general public of such occurrence, and the implementation of the remediation plan. If notification to particular persons is required under any law or pursuant to any of County’s privacy or security policies, then notifications to all persons and entities who are affected by the same event shall be considered legally required. Contractor shall reimburse County for all notification and related costs incurred by County arising out of or in connection with any such occurrence due to Contractor’s acts, errors or omissions, negligence, and/or misconduct resulting in a requirement for legally required notifications. In the case of a breach, Contractor shall provide third-party credit and identity monitoring services to each of the affected individuals for the period required to comply with applicable law, or, in the absence of any legally required monitoring services, for no less than twelve (12) months following the date of notification to such individuals. Contractor shall indemnify, defend with counsel approved in writing by County, and hold County and County Indemnitees harmless from and against any and all claims, including reasonable attorney’s fees, costs, and expenses incidental thereto, which may be suffered by, accrued against, charged to, or recoverable from County in connection with the occurrence. Notification shall be sent to: ▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇, MBA, CISSP Chief Information Security Officer ▇▇▇▇ ▇. ▇▇▇▇ ▇▇., ▇▇▇ ▇▇▇▇▇ Santa AnaSt. Suite 200 Orange, CA 92701 92868 Phone: (▇▇▇) ▇▇▇-▇▇▇▇ ▇▇▇▇▇ ▇▇, CHPC, CHC, CHP County Privacy Officer ▇▇▇▇ ▇. ▇▇▇▇ ▇▇., ▇▇▇ ▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇St. Suite 200 Orange, ▇▇ ▇▇▇▇▇ CA 92868 Phone: (▇▇▇) ▇▇▇-▇▇▇▇ County of Orange Social Services Agency Contracts Services ▇▇▇ ▇. ▇▇▇▇▇ ▇▇▇▇▇▇▇ ▇▇▇▇, ▇▇▇▇▇ ▇▇▇ ▇▇▇▇▇▇, ▇▇ ▇▇▇▇▇ CPS0221-03-A4 Page 5 of 7 April 17, 2024

Security Breach Notification. In the event Contractor becomes aware of any act, error or omission, negligence, misconduct, or security incident including unsecure or improper data disposal, theft, loss, unauthorized use and disclosure or access, that compromises or is suspected to compromise the security, availability, confidentiality, and/or integrity of County data or the physical, technical, administrative, or organizational safeguards required under this Contract that relate to the security, availability, confidentiality, and/or integrity of County data, Contractor shall, at its own expense, (1) immediately (or within 24 hours of potential or CPS0221-03-A4 Page 4 of 7 April 17, 2024 suspected breach), notify the County’s Chief Information Security Officer and County Privacy Officer of such occurrence; (2) perform a root cause analysis of the actual, potential, or CPS0221-01-A4 Page 4 of 7 April 17, 2024 suspected breach; (3) provide a remediation plan that is acceptable to County within 30 days of verified breach, to address the occurrence of the breach and prevent any further incidents; (4) conduct a forensic investigation to determine what systems, data, and information have been affected by such event; and (5) cooperate with County and any law enforcement or regulatory officials investigating such occurrence, including but not limited to making available all relevant records, forensics, investigative evidence, logs, files, data reporting, and other materials required to comply with applicable law or as otherwise required by County and/or any law enforcement or regulatory officials, and (6) perform or take any other actions required to comply with applicable law as a result of the occurrence (at the direction of County). County shall make the final decision on notifying County officials, entities, employees, service providers, and/or the general public of such occurrence, and the implementation of the remediation plan. If notification to particular persons is required under any law or pursuant to any of County’s privacy or security policies, then notifications to all persons and entities who are affected by the same event shall be considered legally required. Contractor shall reimburse County for all notification and related costs incurred by County arising out of or in connection with any such occurrence due to Contractor’s acts, errors or omissions, negligence, and/or misconduct resulting in a requirement for legally required notifications. In the case of a breach, Contractor shall provide third-party credit and identity monitoring services to each of the affected individuals for the period required to comply with applicable law, or, in the absence of any legally required monitoring services, for no less than twelve (12) months following the date of notification to such individuals. Contractor shall indemnify, defend with counsel approved in writing by County, and hold County and County Indemnitees harmless from and against any and all claims, including reasonable attorney’s fees, costs, and expenses incidental thereto, which may be suffered by, accrued against, charged to, or recoverable from County in connection with the occurrence. ▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇, MBA, CISSP Chief Information Security Officer ▇▇▇▇ ▇. ▇▇▇▇ ▇▇., ▇▇▇ ▇▇▇▇▇ Santa Ana, CA 92701 Phone: (▇▇▇) ▇▇▇-▇▇▇▇ County Privacy Officer ▇▇▇▇ ▇. ▇▇▇▇ ▇▇., ▇▇▇ ▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ Phone: (▇▇▇) ▇▇▇-▇▇▇▇ County of Orange Social Services Agency Contracts Services ▇▇▇ ▇. ▇▇▇▇▇ ▇▇▇▇▇▇▇ ▇▇▇▇, ▇▇▇▇▇ ▇▇▇ ▇▇▇▇▇▇, ▇▇ ▇▇▇▇▇ CPS0221-0301-A4 Page 5 of 7 April 17, 2024

Security Breach Notification. In the event Contractor becomes aware of any act, error or omission, negligence, misconduct, or security incident including unsecure or improper data disposal, theft, loss, unauthorized use and disclosure or access, that compromises or is suspected to compromise the security, availability, confidentiality, and/or integrity of County data or the physical, technical, administrative, or organizational safeguards required under this Contract that relate to the security, availability, confidentiality, and/or integrity of County data, Contractor shall, at its own expense, , (1) immediately (or within 24 hours of potential or CPS0221-03-A4 Page 4 of 7 April 17, 2024 suspected breach), notify the County’s 's Chief Information Security Officer and County Privacy Officer of such occurrence; (2) perform a root cause analysis of the actual, potential, or suspected breach; (3) provide a remediation plan that is acceptable to County within 30 days of verified breach, to address the occurrence of the breach and prevent any further incidents; (4) conduct a forensic investigation to determine what systems, data, and information have been affected by such event; and (5) cooperate with County and any law enforcement or regulatory officials investigating such occurrence, including but not limited to making available all relevant records, forensics, investigative evidence, logs, files, data reporting, and other materials required to comply with applicable law or as otherwise required by County and/or any law enforcement or regulatory officials, and (6) perform or take any other actions required to comply with applicable law as a result of the occurrence (at the direction of County). County shall make the final decision on notifying County officials, entities, employees, service providers, and/or the general public of such occurrence, and the implementation of the remediation plan. If notification to particular persons is required under any law or pursuant to any of County’s 's privacy or security policies, then notifications to all persons and entities who are affected by the same event shall be considered legally required. Contractor shall reimburse County for all notification and related costs incurred by County arising out of or in connection with any such occurrence due to Contractor’s 's acts, errors or omissions, negligence, and/or misconduct resulting in a requirement for legally required notifications. In the case of a breach, Contractor shall provide third-party credit and identity monitoring services to each of the affected individuals for the period required to comply with applicable law, or, in the absence of any legally required monitoring services, for no less than twelve (12) months following the date of notification to such individuals. Contractor shall indemnify, defend with counsel approved in writing by County, and hold County and County Indemnitees harmless from and against any and all claims, including reasonable Docusign Envelope ID: 61D2AC74-1C84-4DED-8759-17AC0B3D29D5 attorney’s 's fees, costs, and expenses incidental thereto, which may be suffered by, accrued against, charged to, or recoverable from County in connection with the occurrence. Notification shall be sent to: ▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇, MBA, CISSP ▇ Chief Information Security Officer ▇▇▇▇ ▇. ▇▇▇▇ ▇▇., ▇▇▇ ▇▇▇▇▇ Santa Ana, CA 92701 Phone: (▇▇▇) ▇▇▇-▇▇▇▇ ▇▇▇▇▇ ▇▇, CHPC, CHC, CHP County Privacy Officer ▇▇▇▇ ▇. ▇▇▇▇ ▇▇., ▇▇▇ ▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ Phone: (▇▇▇) ▇▇▇-▇▇▇▇ County of Orange Social Services Agency Contracts Services ▇▇▇ ▇. ▇▇▇▇▇ ▇▇▇▇▇.▇▇ ▇@▇▇▇▇, ▇▇▇▇▇ ▇▇▇ .▇▇▇▇▇▇, ▇▇ .▇▇▇▇▇ CPS0221-03-A4 Page 5 of 7 April 17, 2024

Security Breach Notification. In the event Contractor becomes aware of any act, error or omission, negligence, misconduct, or security incident including unsecure or improper data disposal, theft, loss, unauthorized use and disclosure or access, that compromises or is suspected to compromise the security, availability, confidentiality, and/or integrity of County data or the physical, technical, administrative, or organizational safeguards required under this Contract that relate to the security, availability, confidentiality, and/or integrity of County data, Contractor shall, at its own expense, (1) immediately (or within 24 hours of potential or CPS0221-03-A4 Page 4 of 7 April 17, 2024 suspected breach), notify the County’s Chief Information Security Officer and County Privacy Officer of such occurrence; (2) perform a root cause analysis of the actual, potential, or suspected breach; (3) provide a remediation plan that is acceptable to County within 30 days of verified breach, to address the occurrence of the breach and prevent any further incidents; (4) conduct a forensic investigation to determine what systems, data, and information have been affected by such event; and (5) cooperate with County and any law enforcement or regulatory officials investigating such occurrence, including but not limited to making available all relevant records, forensics, investigative evidence, logs, files, data reporting, and CJB3222-A1 Page 11 of 13 March 27, 2024 other materials required to comply with applicable law or as otherwise required by County and/or any law enforcement or regulatory officials, and (6) perform or take any other actions required to comply with applicable law as a result of the occurrence (at the direction of County). County shall make the final decision on notifying County officials, entities, employees, service providers, and/or the general public of such occurrence, and the implementation of the remediation plan. If notification to particular persons is required under any law or pursuant to any of County’s privacy or security policies, then notifications to all persons and entities who are affected by the same event shall be considered legally required. Contractor shall reimburse County for all notification and related costs incurred by County arising out of or in connection with any such occurrence due to Contractor’s acts, errors or omissions, negligence, and/or misconduct resulting in a requirement for legally required notifications. In the case of a breach, Contractor shall provide third-party credit and identity monitoring services to each of the affected individuals for the period required to comply with applicable law, or, in the absence of any legally required monitoring services, for no less than twelve (12) months following the date of notification to such individuals. Contractor shall indemnify, defend with counsel approved in writing by County, and hold County and County Indemnitees harmless from and against any and all claims, including reasonable attorney’s fees, costs, and expenses incidental thereto, which may be suffered by, accrued against, charged to, or recoverable from County in connection with the occurrence. ▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇, MBA, CISSP Chief Information Security Officer ▇▇▇▇ ▇. ▇▇▇▇ ▇▇., ▇▇▇ ▇▇▇▇▇ Santa Ana▇▇▇▇▇ ▇▇▇, CA 92701 ▇▇ ▇▇▇▇▇ Phone: (▇▇▇) ▇▇▇-▇▇▇▇ ▇▇▇▇▇▇.▇▇▇▇▇▇▇▇@▇▇▇▇.▇▇▇▇▇.▇▇▇ ▇▇▇▇▇ ▇▇, CHPC, CHC, CHP County Privacy Officer ▇▇▇▇ ▇. ▇▇▇▇ ▇▇., ▇▇▇ ▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ Phone: (▇▇▇) ▇▇▇-▇▇▇▇ ▇▇▇▇▇.▇▇@▇▇▇▇.▇▇▇▇▇.▇▇▇ County of Orange Social Services Agency Contracts Services ▇▇▇ ▇. ▇▇▇▇▇ ▇▇▇▇▇▇▇ ▇▇▇▇, ▇▇▇▇▇ ▇▇▇ ▇▇▇▇▇▇, ▇▇ ▇▇▇▇▇ CPS0221714-03541-A4 Page 5 of 7 April 17, 20247785 ▇▇▇▇▇.▇▇@▇▇▇.▇▇▇▇▇.▇▇▇

Security Breach Notification. In the event Contractor becomes aware of any act, error or omission, negligence, misconduct, or security incident including unsecure or improper data disposal, theft, loss, unauthorized use and disclosure or access, that compromises or is suspected to compromise the security, availability, confidentiality, and/or integrity of County data or the physical, technical, administrative, or organizational safeguards required under this Contract that relate to the security, availability, confidentiality, and/or integrity of County data, Contractor shall, at its own expense, (1) immediately (or within 24 72 hours of potential or CPS0221-03-A4 Page 4 of 7 April 17, 2024 suspected breach), notify the County’s Chief Information Security Officer and County Privacy Officer of such occurrence; (2) perform a root cause analysis of the actual, potential, or suspected breach; (3) provide a remediation plan that is acceptable to County within 30 days of verified breach, to address the occurrence of the breach and prevent any further incidents; (4) conduct a forensic investigation to determine what systems, data, and information have been affected by such event; and (5) cooperate with County and any law enforcement or regulatory officials investigating such occurrence, including but not limited to making available all relevant records, forensics, investigative evidence, logs, files, data reporting, and other materials required to comply with applicable law or as otherwise required by County and/or any law enforcement or regulatory officials, and (6) perform or take any other actions required to comply with applicable law as a result of the occurrence (at the direction of County). County shall make the final decision on notifying County officials, entities, employees, service providers, and/or the general public of such occurrence, and the implementation of the remediation plan. If notification to particular persons is required under any law or pursuant to any of County’s privacy or security policies, then notifications to all persons and entities who are affected by the same event shall be considered legally required. Contractor shall reimburse County for all notification and related costs incurred by County arising out of or in connection with any such occurrence due to Contractor’s acts, errors or omissions, negligence, and/or misconduct resulting in a requirement for legally required notifications. In the case of a breach, Contractor shall provide third-party credit and identity monitoring services to each of the affected individuals for the period required to comply with applicable law, or, in the absence of any legally required monitoring services, for no less than twelve (12) months following the date of notification to such individuals. Contractor shall indemnify, defend with counsel approved in writing by County, and hold County and County Indemnitees harmless from and against any and all claims, including reasonable attorney’s fees, costs, and expenses incidental thereto, which may be suffered by, accrued against, charged to, or recoverable from County in connection with the occurrence. ▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇, MBA, CISSP Notification shall be sent to: DocuSign Envelope ID: DFDCCE54-5078-4B9F-8718-13BBD8AD7054 Interim Chief Information Security Officer ▇▇▇▇ ▇. ▇▇▇▇ ▇▇., ▇▇▇ ▇▇▇▇▇ Santa Ana▇▇▇▇▇ ▇▇▇, CA 92701 ▇▇ ▇▇▇▇▇ Phone: (▇▇▇) ▇▇▇-▇▇▇▇ County Privacy Officer ▇▇▇▇ ▇. ▇▇▇▇ ▇▇., ▇▇▇ ▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ Phone: (▇▇▇) ▇▇▇-▇▇▇▇ County of Orange Social Services Agency Contracts Services ▇▇▇ ▇. ▇▇▇▇▇ ▇▇▇▇▇▇▇ ▇▇▇▇, ▇▇▇▇▇ ▇▇▇ ▇▇▇▇▇▇, ▇▇ ▇▇▇▇▇ CPS0221-03-A4 Page 5 of 7 April 17, 2024

Security Breach Notification. In the event Contractor becomes aware of any act, error or omission, negligence, misconduct, or security incident including unsecure or improper data disposal, theft, loss, unauthorized use and disclosure or access, that compromises or is suspected to compromise the security, availability, confidentiality, and/or integrity of County data or the physical, technical, administrative, or organizational safeguards required under this Contract that relate to the security, availability, confidentiality, and/or integrity of County data, Contractor shall, at its own expense, (1) immediately (or within 24 hours of potential or CPS0221-03-A4 Page 4 of 7 April 17, 2024 suspected breach), notify the County’s Chief Information Security Officer and County Privacy Officer of such occurrence; (2) perform a root cause analysis of the actual, potential, or CPS0221-02-A4 Page 4 of 7 April 17, 2024 suspected breach; (3) provide a remediation plan that is acceptable to County within 30 days of verified breach, to address the occurrence of the breach and prevent any further incidents; (4) conduct a forensic investigation to determine what systems, data, and information have been affected by such event; and (5) cooperate with County and any law enforcement or regulatory officials investigating such occurrence, including but not limited to making available all relevant records, forensics, investigative evidence, logs, files, data reporting, and other materials required to comply with applicable law or as otherwise required by County and/or any law enforcement or regulatory officials, and (6) perform or take any other actions required to comply with applicable law as a result of the occurrence (at the direction of County). County shall make the final decision on notifying County officials, entities, employees, service providers, and/or the general public of such occurrence, and the implementation of the remediation plan. If notification to particular persons is required under any law or pursuant to any of County’s privacy or security policies, then notifications to all persons and entities who are affected by the same event shall be considered legally required. Contractor shall reimburse County for all notification and related costs incurred by County arising out of or in connection with any such occurrence due to Contractor’s acts, errors or omissions, negligence, and/or misconduct resulting in a requirement for legally required notifications. In the case of a breach, Contractor shall provide third-party credit and identity monitoring services to each of the affected individuals for the period required to comply with applicable law, or, in the absence of any legally required monitoring services, for no less than twelve (12) months following the date of notification to such individuals. Contractor shall indemnify, defend with counsel approved in writing by County, and hold County and County Indemnitees harmless from and against any and all claims, including reasonable attorney’s fees, costs, and expenses incidental thereto, which may be suffered by, accrued against, charged to, or recoverable from County in connection with the occurrence. ▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇, MBA, CISSP Chief Information Security Officer ▇▇▇▇ ▇. ▇▇▇▇ ▇▇., ▇▇▇ ▇▇▇▇▇ Santa Ana, CA 92701 Phone: (▇▇▇) ▇▇▇-▇▇▇▇ County Privacy Officer ▇▇▇▇ ▇. ▇▇▇▇ ▇▇., ▇▇▇ ▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ Phone: (▇▇▇) ▇▇▇-▇▇▇▇ County of Orange Social Services Agency Contracts Services ▇▇▇ ▇. ▇▇▇▇▇ ▇▇▇▇▇▇▇ ▇▇▇▇, ▇▇▇▇▇ ▇▇▇ ▇▇▇▇▇▇, ▇▇ ▇▇▇▇▇ CPS0221-0302-A4 Page 5 of 7 April 17, 2024

Security Breach Notification. In the event Contractor becomes aware of any act, error or omission, negligence, misconduct, or security incident including unsecure or improper data disposal, theft, loss, unauthorized use and disclosure or access, that compromises or is suspected to compromise the security, availability, confidentiality, and/or integrity of County data or the physical, technical, administrative, or organizational safeguards required under this Contract that relate to the security, availability, confidentiality, and/or integrity of County data, Contractor shall, at its own expense, (1) immediately (or within 24 twenty-four [24] hours of potential or CPS0221-03-A4 Page 4 of 7 April 17, 2024 suspected breach), notify the County’s Chief Information Security Officer and County Privacy Officer of such occurrence; (2) perform a root cause analysis of the actual, potential, or suspected breach; (3) provide a remediation plan that is reasonably acceptable to County within 30 thirty (30) days of verified breach, to address the occurrence of the breach and prevent any further incidents; (4) conduct a forensic investigation to determine what systems, data, and information have been affected by such event; and (5) cooperate with County and any law enforcement or regulatory officials investigating such occurrence, including but not limited to making available all relevant records, forensics, investigative evidence, logs, files, data reporting, and other materials required to comply with applicable law or as otherwise required by County and/or any law enforcement or regulatory officials, and (6) perform or take any other commercially reasonable actions required to comply with applicable law as a result of the occurrence (at the direction of County). Docusign Envelope ID: F05240E6-2D08-4CA2-83E0-A38DCDBCDCC1 County shall make the final decision on notifying County officials, entities, employees, service providers, and/or the general public of such occurrence, and the implementation of the remediation plan. If notification to particular persons is required under any law or pursuant to any of County’s privacy or security policies, then notifications to all persons and entities who are affected by the same event shall be considered legally required. Contractor shall reimburse County for all notification and related costs incurred by County arising out of or in connection with any such occurrence due to Contractor’s acts, errors or omissions, negligence, and/or misconduct resulting in a requirement for legally required notifications. In the case of a breach, Contractor shall provide third-party credit and identity monitoring services to each of the affected individuals for the period required to comply with applicable law, or, in the absence of any legally required monitoring services, for no less than twelve (12) months following the date of notification to such individuals. Contractor shall indemnify, defend with counsel approved in writing by County, and hold County and County Indemnitees harmless from and against any and all claims, including reasonable attorney’s fees, fees and other third-party costs, and expenses incidental thereto, which may be suffered by, accrued against, charged to, or recoverable from County in connection with the occurrence. Notification shall be sent to: ▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇, MBA, CISSP Chief Information Security Officer ▇▇▇▇ ▇. ▇▇▇▇ ▇▇., ▇▇▇ ▇▇▇▇▇ Santa AnaSt. Suite 200 Orange, CA 92701 92868 Phone: (▇▇▇) ▇▇▇-▇▇▇▇ ▇▇▇▇▇ ▇▇, CHPC, CHC, CHP County Privacy Officer ▇▇▇▇ ▇. ▇▇▇▇ ▇▇., ▇▇▇ ▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇St. Suite 200 Orange, ▇▇ ▇▇▇▇▇ CA 92868 Phone: (▇▇▇) ▇▇▇-▇▇▇▇ County of Orange Social Services Agency Contracts Services ▇▇▇ ▇. ▇▇▇▇▇ ▇▇▇▇▇▇▇ ▇▇▇▇, ▇▇▇▇▇ ▇▇▇ ▇▇▇▇▇▇, ▇▇ ▇▇▇▇▇ CPS0221-03-A4 Page 5 of 7 April 17, 2024

Security Breach Notification. In the event Contractor becomes aware of any act, error or omission, negligence, misconduct, or security incident including unsecure or improper data disposal, theft, loss, unauthorized use and disclosure or access, that compromises or is suspected to compromise the security, availability, confidentiality, and/or integrity of County data or the physical, technical, administrative, or organizational safeguards required under this Contract that relate to the security, availability, confidentiality, and/or integrity of County data, Contractor shall, at its own expense, (1) immediately promptly (or within 24 hours 10 days of potential or CPS0221-03-A4 Page 4 of 7 April 17, 2024 suspected breach), notify the County’s Chief Information Security Officer and County Privacy Officer of such occurrence; (2) perform a root cause analysis of the actual, potential, or suspected breach; (3) provide a remediation plan that is acceptable to County within 30 days of verified breach, to address the occurrence of the breach and prevent any further incidents; (4) conduct a forensic investigation to determine what systems, data, and information have been affected by such event; and (5) cooperate with County and any law enforcement or regulatory officials investigating such occurrence, including but not limited to making available all relevant records, forensics, investigative evidence, logs, files, data reporting, and other materials required to comply with applicable law or as otherwise required by County and/or any law enforcement or regulatory officials, and (6) perform or take any other actions required to comply with applicable law as a result of the occurrence (at the direction of County)occurrence. County shall make the final decision on notifying County officials, entities, employees, service providers, and/or the general public of such occurrence, and the implementation of the remediation plan. If notification to particular persons is required under any law or pursuant to any of County’s privacy or security policieslaw, then notifications to all persons and entities who are affected by the same event shall be considered legally required. Contractor shall reimburse County for all notification and directly related costs incurred by County arising out of or in connection with any such occurrence due to Contractor’s acts, errors or omissions, negligence, and/or misconduct resulting in a requirement for legally required notifications. In the case of a breach, Contractor shall provide third-party credit and identity monitoring services to each of the affected individuals for the period required to comply with applicable law, or, in the absence of any legally required monitoring services, for no less than twelve (12) months following the date of notification to such individuals. Contractor shall indemnify, defend with counsel approved in writing by County, and hold County and County Indemnitees harmless from and against any and all claims, including reasonable attorney’s fees, costs, and expenses incidental thereto, which may be suffered by, accrued against, charged to, or recoverable from County in connection with the occurrence. Notification shall be sent to: ▇▇▇▇▇ ▇▇, CHPC, CHC, CHP County Privacy Officer ▇▇▇ ▇. ▇▇▇▇▇▇ St., Suite 200 Orange, CA 92868 ▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇, MBA, CISSP Chief Information Security Officer ▇▇▇▇ ▇. ▇▇▇▇ ▇▇., ▇▇▇ ▇▇▇▇▇ Santa AnaSt., Suite 200 Orange, CA 92701 Phone92868 Office: (▇▇▇) ▇▇▇-▇▇▇▇ County Privacy Officer ▇▇▇▇ ▇. ▇▇▇▇ ▇▇., ▇▇▇ Email: ▇▇▇▇▇ ▇.▇▇@▇▇▇▇▇ ▇▇▇, ▇▇ .▇▇▇▇▇.▇▇▇ PhoneOffice: (▇▇▇) ▇▇▇-▇▇▇▇ County of Orange Social Services Agency Contracts Services ▇▇▇ ▇. ▇▇▇▇▇ Email: ▇▇▇▇▇▇▇ ▇▇▇▇, ▇▇▇▇▇ ▇▇▇ .▇▇▇▇▇▇, ▇▇ ▇@▇▇▇▇.▇▇▇▇▇.▇▇▇ CPS0221Docusign Envelope ID: 589EFEA4-03C448-A4 Page 5 of 7 April 17, 20244FC7-A588-84111CBB9CF4

Security Breach Notification. In the event Contractor becomes aware of any act, error or omission, negligence, misconduct, or security incident including unsecure or improper data disposal, theft, loss, unauthorized use and disclosure or access, that compromises or is suspected to compromise the security, availability, confidentiality, and/or integrity of County data Data or the physical, technical, administrative, or organizational safeguards required under this Contract that relate to the security, availability, confidentiality, and/or integrity of County data, Contractor shall, at its own expense, , (1) immediately (or within 24 48 hours of potential or CPS0221-03-A4 Page 4 of 7 April 17, 2024 suspected breach), notify the County’s Chief Information Security Officer and County Privacy Officer of such occurrence; (2) perform a root cause analysis of the actual, potential, or suspected breach; (3) provide a remediation plan that is acceptable to County within 30 thirty (30) calendar days of verified breach, to address the occurrence of the breach and prevent any further incidents; (4) conduct a forensic investigation to determine what systems, data, and information have been affected by such event; and (5) cooperate with County and any law enforcement or regulatory officials investigating such occurrence, including but not limited to making available all relevant records, forensics, investigative evidence, logs, files, data reporting, and other materials required to comply with applicable law or as otherwise required by County and/or any law enforcement or regulatory officials, and (6) perform or take any other actions required to comply with applicable law as a result of the occurrence (at the direction of County). County shall make the final decision on notifying County officials, entities, employees, service providers, and/or the general public of such occurrence, and the implementation of the remediation plan. If notification to particular persons is required under any law or pursuant to any of County’s privacy or security policies, then notifications to all persons and entities who are affected by the same event shall be considered legally required. Contractor shall reimburse County for all notification and related costs incurred by County arising out of or in connection with any such occurrence due to Contractor’s acts, errors or omissions, negligence, and/or misconduct resulting in a requirement for legally required notifications. In the case of a breach, Contractor shall provide third-party credit and identity monitoring services to each of the affected individuals for the period required to comply with applicable law, or, in the absence of any legally required monitoring services, for no less than Docusign Envelope ID: F314F737-3853-467D-9DB7-8584E6CFEABF twelve (12) months following the date of notification to such individuals. Contractor shall indemnify, defend with counsel approved in writing by County, and hold County and County Indemnitees harmless from and against any and all claims, including reasonable attorney’s fees, costs, and expenses incidental thereto, which may be suffered by, accrued against, charged to, or recoverable from County in connection with the occurrence. Notification shall be sent to: ▇▇▇ ▇▇▇▇▇ ▇▇▇▇▇▇▇▇, MBA, CISSP Chief Information Security Officer ▇▇▇▇ ▇. ▇▇▇▇ ▇▇., ▇▇▇ ▇▇▇▇▇ Santa Ana, CA 92701 Phone: (▇▇▇) ▇▇▇-▇▇▇▇ County Privacy Officer ▇▇▇▇ ▇. ▇▇▇▇ ▇▇., ▇▇▇ ▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ PhoneOffice: (▇▇▇) ▇▇▇-▇▇▇▇ County of Orange Social Services Agency Contracts Services E-Mail: dcastellanos@▇▇▇▇▇.▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇.▇▇▇ ▇. 1501E. St. ▇▇▇▇▇▇▇ Place, 2nd Fl. Santa Ana, CA 92705 Office: (▇▇▇) ▇▇▇-▇▇▇▇ E-mail: ▇▇▇▇▇.▇▇@▇▇▇▇▇.▇▇▇▇▇.▇▇▇ ▇▇▇▇▇▇▇ ▇▇▇▇, ▇▇▇▇▇ ▇▇▇ ▇▇▇▇▇▇, ▇▇ ▇▇▇▇▇ CPS0221-03-A4 Page 5 of 7 April 17, 2024▇▇▇@▇▇▇▇▇.▇▇▇▇▇.▇▇▇

Security Breach Notification. In the event Contractor becomes aware of any act, error or omission, negligence, misconduct, or security incident including unsecure or improper data disposal, theft, loss, unauthorized use and disclosure or access, that compromises or is suspected to compromise the security, availability, confidentiality, and/or integrity of County data or the physical, technical, administrative, or organizational safeguards required under this Contract that relate to the security, availability, confidentiality, and/or integrity of County data, Contractor shall, at its own expense, (1) immediately (or within 24 hours of potential or CPS0221-03-A4 Page 4 of 7 April 17, 2024 suspected breach), notify the County’s Chief Information Security Officer and County Privacy Officer of such occurrence; (2) perform a root cause analysis of the actual, potential, or suspected breach; (3) provide a remediation plan that is acceptable to County within 30 days of verified breach, to address the occurrence of the breach and prevent any further incidents; (4) conduct a forensic investigation to determine what systems, data, and information have been affected by such event; and (5) cooperate with County and any law enforcement or regulatory officials investigating such occurrence, including but not limited to making available all relevant records, forensics, investigative evidence, logs, files, data reporting, and other materials required to comply with applicable law or as otherwise required by County and/or any law enforcement or regulatory officials, and (6) perform or take any other actions required to comply with applicable law as a result of the occurrence (at the direction of County). County shall make the final decision on notifying County officials, entities, employees, service providers, and/or the general public of such occurrence, and the implementation of the remediation plan. If notification to particular persons is required under any law or pursuant to any of County’s privacy or security policies, then notifications to all persons and entities who are affected by the same event shall be considered legally required. Contractor shall reimburse County for all notification and related costs incurred by County arising out of or in connection with any such occurrence due to Contractor’s acts, errors or omissions, negligence, and/or misconduct resulting in a requirement for legally required notifications. In the case of a breach, Contractor shall provide third-party credit and identity monitoring services to each of the affected individuals for the period required to comply with applicable law, or, in the absence of any legally required monitoring services, for no less than twelve (12) months following the date of notification to such individuals. Contractor shall indemnify, defend with counsel approved in writing by County, and hold County and County Indemnitees harmless from and against any and all claims, including reasonable attorney’s fees, costs, and expenses incidental thereto, which may be suffered by, accrued against, charged to, or recoverable from County in connection with the occurrence. Notification shall be sent to: ▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇, MBA, CISSP ▇ Chief Information Security Officer ▇▇▇▇ ▇. ▇▇▇▇ ▇▇., ▇▇▇ ▇▇▇▇▇ Santa Ana▇▇▇▇▇ ▇▇▇, CA 92701 ▇▇ ▇▇▇▇▇ Phone: (▇▇▇) ▇▇▇-▇▇▇▇ ▇▇▇▇▇▇.▇▇▇▇▇▇▇@▇▇▇▇.▇▇▇▇▇.▇▇▇ ▇▇▇▇▇ ▇▇, CHPC, CHC, CHP County Privacy Officer ▇▇▇▇ ▇. ▇▇▇▇ ▇▇., ▇▇▇ ▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ Phone: (▇▇▇) ▇▇▇-▇▇▇▇ County of Orange Social Services Agency Contracts Services ▇▇▇ ▇. ▇▇▇▇▇ ▇▇▇▇▇.▇▇ ▇@▇▇▇▇, ▇▇▇▇▇ ▇▇▇ .▇▇▇▇▇▇, ▇▇ .▇▇▇▇▇ CPS0221-03-A4 Page 5 of 7 April 17, 2024

Security Breach Notification. In the event Contractor becomes aware of any act, error or omission, negligence, misconduct, or security incident including unsecure or improper data disposal, theft, loss, unauthorized use and disclosure or access, that compromises or is suspected to compromise the security, availability, confidentiality, and/or integrity of County data or the physical, technical, administrative, or organizational safeguards required under this Contract that relate to the security, availability, confidentiality, and/or integrity of County data, Contractor shall, at its own expense, (1) immediately (or within 24 hours of potential or CPS0221-03-A4 Page 4 of 7 April 17, 2024 suspected breach), notify the County’s Chief Information Security Officer and County Privacy Officer of such occurrence; (2) perform a root cause analysis of the actual, potential, or CPS0221-04-A1 Page 4 of 7 April 17, 2024 suspected breach; (3) provide a remediation plan that is acceptable to County within 30 days of verified breach, to address the occurrence of the breach and prevent any further incidents; (4) conduct a forensic investigation to determine what systems, data, and information have been affected by such event; and (5) cooperate with County and any law enforcement or regulatory officials investigating such occurrence, including but not limited to making available all relevant records, forensics, investigative evidence, logs, files, data reporting, and other materials required to comply with applicable law or as otherwise required by County and/or any law enforcement or regulatory officials, and (6) perform or take any other actions required to comply with applicable law as a result of the occurrence (at the direction of County). County shall make the final decision on notifying County officials, entities, employees, service providers, and/or the general public of such occurrence, and the implementation of the remediation plan. If notification to particular persons is required under any law or pursuant to any of County’s privacy or security policies, then notifications to all persons and entities who are affected by the same event shall be considered legally required. Contractor shall reimburse County for all notification and related costs incurred by County arising out of or in connection with any such occurrence due to Contractor’s acts, errors or omissions, negligence, and/or misconduct resulting in a requirement for legally required notifications. In the case of a breach, Contractor shall provide third-party credit and identity monitoring services to each of the affected individuals for the period required to comply with applicable law, or, in the absence of any legally required monitoring services, for no less than twelve (12) months following the date of notification to such individuals. Contractor shall indemnify, defend with counsel approved in writing by County, and hold County and County Indemnitees harmless from and against any and all claims, including reasonable attorney’s fees, costs, and expenses incidental thereto, which may be suffered by, accrued against, charged to, or recoverable from County in connection with the occurrence. ▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇, MBA, CISSP Chief Information Security Officer ▇▇▇▇ ▇. ▇▇▇▇ ▇▇., ▇▇▇ ▇▇▇▇▇ Santa Ana, CA 92701 Phone: (▇▇▇) ▇▇▇-▇▇▇▇ County Privacy Officer ▇▇▇▇ ▇. ▇▇▇▇ ▇▇., ▇▇▇ ▇▇▇▇▇ ▇▇▇▇▇ ▇▇▇, ▇▇ ▇▇▇▇▇ Phone: (▇▇▇) ▇▇▇-▇▇▇▇ County of Orange Social Services Agency Contracts Services ▇▇▇ ▇. ▇▇▇▇▇ ▇▇▇▇▇▇▇ ▇▇▇▇, ▇▇▇▇▇ ▇▇▇ ▇▇▇▇▇▇, ▇▇ ▇▇▇▇▇ CPS0221-0304-A4 A1 Page 5 of 7 April 17, 2024