Common use of Security of Customer Information Clause in Contracts

Security of Customer Information. a) To effect the purposes of this Master Agreement, COMPANY, BPPR or one of their respective Subsidiaries may from time to time provide EVERTEC with information or access to information concerning COMPANY, BPPR, or one of their respective Subsidiaries and persons or entities who obtain financial products or services from COMPANY, BPPR, or their respective Subsidiaries, including without limitation, client account information (“Customer Information”). EVERTEC acknowledges that its right to use the Customer Information may be limited by obligations of Company, BPPR or one of their respective Subsidiaries under the ▇▇▇▇▇-▇▇▇▇▇-▇▇▇▇▇▇ Act of 1999 (Public Law 106-102, 113 Stat. 1138) (the “Gramm Act”) and its implementing regulations (e.g., Federal Reserve Regulation P, Securities and Exchange Commission Regulation S-P) and other federal and state laws and regulations regarding privacy and the confidentiality of customer records. EVERTEC shall be responsible for establishing and maintaining an information security program that complies with the Legal Requirements. To protect the privacy of the Customer Information, EVERTEC shall: (i) limit access to the Customer Information to its employees and agents who have a need to know to carry out the purposes for which the Customer Information was disclosed; and (ii) use the Customer Information only for purposes of carrying out its obligations hereunder. Furthermore, EVERTEC agrees to (i) protect and hold all Customer Information in strict confidence and to take all reasonable steps necessary to protect the Customer Information from unauthorized and/or inadvertent disclosure; (ii) give immediate verbal and written notification to COMPANY or BPPR, or one of their respective Subsidiaries, as applicable of any court order or legal action requiring the disclosure of Customer Information and, to the extent allowable under the law, hold the Customer Information in confidence while COMPANY, BPPR or one of their respective Subsidiaries seeks a protective order; (iii) give prompt notification of any unauthorized or inadvertent disclosure of the Customer Information; (iv) upon request of COMPANY, BPPR or one of their respective Subsidiaries promptly return or destroy all Customer Information belonging to COMPANY, BPPR, or one of their respective Subsidiaries, as applicable, including all copies thereof; and (v) implement security measures designed to (a) ensure the security, integrity and confidentiality of the Customer Information; (b) protect against any anticipated threats or hazards to the security or integrity of the Customer Information; and (c) protect against unauthorized access to or use of the Customer Information.

Security of Customer Information. a) To effect the purposes of this Master Agreement, COMPANY, BPPR or one of their respective Subsidiaries may from time to time provide EVERTEC with information or access to information concerning COMPANY, BPPR, or one of their respective Subsidiaries BPPR and persons or entities who obtain financial products or services from COMPANY, BPPR, or their respective Subsidiaries, including without limitation, client account information (“Customer Information”). EVERTEC acknowledges that its right to use the Customer Information may be limited by obligations of Company, BPPR or one of their respective Subsidiaries under the ▇▇▇▇▇-▇▇▇▇▇-▇▇▇▇▇▇ Act of 1999 (Public Law 106-102, 113 Stat. 1138) (the “Gramm Act”) and its implementing regulations (e.g., Federal Reserve Regulation P, Securities and Exchange Commission Regulation S-P) and other federal and state laws and regulations regarding privacy and the confidentiality of customer records. EVERTEC shall be responsible for establishing and maintaining an information security program that complies with the Legal Requirements. To protect the privacy of the Customer Information, EVERTEC shall: (i) limit access to the Customer Information to its employees and agents who have a need to need-to-know to carry out the purposes for which the Customer Information was disclosed; and (ii) use the Customer Information only for purposes of carrying out its obligations hereunder. Furthermore, EVERTEC agrees to (i) protect and hold all Customer Information in strict confidence and to take all reasonable steps necessary to protect the Customer Information from unauthorized and/or inadvertent disclosure; (ii) give immediate verbal and written notification to COMPANY or BPPR, or one of their respective Subsidiaries, as applicable of any court order or legal action requiring the disclosure of Customer Information and, to the extent allowable under the law, hold the Customer Information in confidence while COMPANY, BPPR or one of their respective Subsidiaries seeks a protective order; (iii) give prompt notification of any unauthorized or inadvertent disclosure of the Customer Information; (iv) upon request of COMPANYBPPR, BPPR or one of their respective Subsidiaries promptly return or destroy all Customer Information belonging to COMPANY, BPPR, or one of their respective Subsidiaries, as applicable, including all copies thereof; and (v) implement security measures designed to (a) ensure the security, integrity and confidentiality of the Customer Information; (b) protect against any anticipated threats or hazards to the security or integrity of the Customer Information; and (c) protect against unauthorized access to or use of the Customer Information. b) Interagency Guidelines. EVERTEC acknowledges the requirements of the Interagency Guidelines Establishing Standards for Safeguarding Customer Information issued by bank regulatory agencies on February 1, 2001, regarding the implementation of security measures to safeguard customer information. EVERTEC represents and warrants to BPPR that it has in place a comprehensive written security program that includes administrative, technical and physical safeguards to protect the security, confidentiality and integrity of Customer Information. Furthermore, EVERTEC agrees that BPPR and any Third Party auditor reasonably designated by BPPR may, in a manner that is consistent with practices and procedures of the parties prior to the date hereof, at any time (i) solicit a copy of the aforementioned security program and (ii) review, monitor and audit EVERTEC to confirm it has satisfied its obligations pursuant to this paragraph. c) Unauthorized Access. EVERTEC also acknowledges the requirements of the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice issued by bank regulatory agencies on March 29, 2005, regarding implementing effective notification procedures in the event of unauthorized access to Customer Information. As such, the parties acknowledge and agree that EVERTEC shall be responsible for the unauthorized or fraudulent application for, access to or use of the Customer Information by any entity caused by the negligent acts or omissions of EVERTEC, its employees, subcontractors or agents. If EVERTEC becomes aware of any actual or suspected security breach involving unauthorized access (i.e., physical trespass on a secure facility, computing systems intrusion/hacking, loss/theft of a PC (laptop or desktop), loss/theft of printed materials, etc.) to the Customer Information, that either compromises or in EVERTEC’s reasonable judgment may have compromised the Customer Information, EVERTEC shall report such incident within forty-eight (48) hours in writing to BPPR and describe in reasonable detail the circumstances surrounding such unauthorized access (including, without limitation, a description of the causes of such breach). Any report under this Section shall include a brief summary of the steps being taken by EVERTEC to remedy such breach. Except as may be strictly required by Legal Requirements, EVERTEC agrees that it will not inform any Third Party of any such security breach without BPPR’s prior written consent; however, if such disclosure is required by Legal Requirements, EVERTEC agrees to reasonably cooperate with BPPR regarding the content of such disclosure so as to minimize any potential adverse impact upon BPPR and its clients and customers.

Security of Customer Information. a) To effect the purposes of this Master Agreement, COMPANY, BPPR or one of their respective Subsidiaries may from time to time provide EVERTEC with information or access to information concerning COMPANY, BPPR, or one of their respective Subsidiaries BPPR and persons or entities who obtain financial products or services from COMPANY, BPPR, or their respective Subsidiaries, including without limitation, client account information (“Customer Information”). EVERTEC acknowledges that its right to use the Customer Information may be limited by obligations of Company, BPPR or one of their respective Subsidiaries under the ▇▇▇▇▇Gramm-▇▇Le▇▇▇-▇▇▇▇▇▇ Act of ▇▇▇ ▇▇ 1999 (Public Law 106-102, 113 Stat. 1138) (the “Gramm Act”) and its implementing regulations (e.g., Federal Reserve Regulation P, Securities and Exchange Commission Regulation S-P) and other federal and state laws and regulations regarding privacy and the confidentiality of customer records. EVERTEC shall be responsible for establishing and maintaining an information security program that complies with the Legal Requirements. To protect the privacy of the Customer Information, EVERTEC shall: (i) limit access to the Customer Information to its employees and agents who have a need to know need‑to‑know to carry out the purposes for which the Customer Information was disclosed; and (ii) use the Customer Information only for purposes of carrying out its obligations hereunder. Furthermore, EVERTEC agrees to (i) protect and hold all Customer Information in strict confidence and to take all reasonable steps necessary to protect the Customer Information from unauthorized and/or inadvertent disclosure; (ii) give immediate verbal and written notification to COMPANY or BPPR, or one of their respective Subsidiaries, as applicable of any court order or legal action requiring the disclosure of Customer Information and, to the extent allowable under the law, hold the Customer Information in confidence while COMPANY, BPPR or one of their respective Subsidiaries seeks a protective order; (iii) give prompt notification of any unauthorized or inadvertent disclosure of the Customer Information; (iv) upon request of COMPANYBPPR, BPPR or one of their respective Subsidiaries promptly return or destroy all Customer Information belonging to COMPANY, BPPR, or one of their respective Subsidiaries, as applicable, including all copies thereof; and (v) implement security measures designed to (a) ensure the security, integrity and confidentiality of the Customer Information; (b) protect against any anticipated threats or hazards to the security or integrity of the Customer Information; and (c) protect against unauthorized access to or use of the Customer Information. -8- b) Interagency Guidelines. EVERTEC acknowledges the requirements of the Interagency Guidelines Establishing Standards for Safeguarding Customer Information issued by bank regulatory agencies on February 1, 2001, regarding the implementation of security measures to safeguard customer information. EVERTEC represents and warrants to BPPR that it has in place a comprehensive written security program that includes administrative, technical and physical safeguards to protect the security, confidentiality and integrity of Customer Information. Furthermore, EVERTEC agrees that BPPR and any Third Party auditor reasonably designated by BPPR may, in a manner that is consistent with practices and procedures of the parties prior to the date hereof, at any time (i) solicit a copy of the aforementioned security program and (ii) review, monitor and audit EVERTEC to confirm it has satisfied its obligations pursuant to this paragraph. c) Unauthorized Access. EVERTEC also acknowledges the requirements of the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice issued by bank regulatory agencies on March 29, 2005, regarding implementing effective notification procedures in the event of unauthorized access to Customer Information. As such, the parties acknowledge and agree that EVERTEC shall be responsible for the unauthorized or fraudulent application for, access to or use of the Customer Information by any entity caused by the negligent acts or omissions of EVERTEC, its employees, subcontractors or agents. If EVERTEC becomes aware of any actual or suspected security breach involving unauthorized access (i.e., physical trespass on a secure facility, computing systems intrusion/hacking, loss/theft of a PC (laptop or desktop), loss/theft of printed materials, etc.) to the Customer Information, that either compromises or in EVERTEC’s reasonable judgment may have compromised the Customer Information, EVERTEC shall report such incident within forty-eight (48) hours in writing to BPPR and describe in reasonable detail the circumstances surrounding such unauthorized access (including, without limitation, a description of the causes of such breach). Any report under this Section shall include a brief summary of the steps being taken by EVERTEC to remedy such breach. Except as may be strictly required by Legal Requirements, EVERTEC agrees that it will not inform any Third Party of any such security breach without BPPR’s prior written consent; however, if such disclosure is required by Legal Requirements, EVERTEC agrees to reasonably cooperate with BPPR regarding the content of such disclosure so as to minimize any potential adverse impact upon BPPR and its clients and customers.