1. “Vendor Personal Information” means all Personal Identifiable Information of customers, employees or other persons of Vendor or Vendor Customers.
  2. “Personal Identifiable Information” means an individual’s first name and last name, or first initial and last name, in combination with any one or more of the following data that relate to such individual: (1) Social Security number, (2) Driver’s license number or state-issued identification card number; or (3) Financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to an individual’s financial account. Personal Information shall not include information lawfully obtained from publicly available information.
  3. “Security Incident” is when Company knows or has reason to know that: (i) Company has experienced an incident resulting in the unauthorized acquisition or unauthorized use of unencrypted Vendor Personal Information, or encrypted Vendor Personal Information and the confidential process or key that is capable of compromising the security, confidentiality or integrity of Vendor Personal Information that creates a substantial risk of identity theft or fraud; or (ii) Vendor Personal Information was acquired or used by an unauthorized person or used for an unauthorized purpose.
  4. “Use” means receipt, storage, maintenance, processing or accessing.

General Requirements.

In addition to and not in lieu of the confidentiality obligations set forth in the Agreement, such Section shall apply to Vendor Personal Information.

Representation and Warranty of Compliance.

  1. Company represents and warrants that in connection with its Use of Vendor Personal Information, Company will at all times comply with (i) all applicable laws, rules, and/or regulations applicable to the privacy and security of Vendor Personal Information; and (ii) all Vendor or Vendor Customer policies applicable to the privacy of Vendor Personal Information (together, the “Privacy and Data Security Requirements”).
  2. Company agrees, without further consideration and at Company’s expense, to take such actions necessary to protect Vendor Personal Information and to execute and deliver such documents as may be necessary to comply with all Privacy and Data Security Requirements.

Privacy Requirements. Without limiting the generality of Section c above, Company agrees that:

  1. it shall not disclose or use any Vendor Personal Information except to the extent necessary to carry out its obligations under this Agreement; and
  2. it shall not disclose Vendor Personal Information to any third party, including, without limitation, its third party advisors, affiliates, agents, or contractors, without Vendor’s prior written consent (in each instances) and subject to a written agreement with the third party, consistent with the requirements of this Agreement, to use or disclose Vendor Personal Information only to the extent necessary to carry out Company’s obligations under this Agreement;

Safeguarding Vendor Personal Information.

  1. Company represents and warrants that it shall maintain a comprehensive written information security program and computer system security requirements sufficient to comply with the all applicable state and federal laws (“Company Security Policies and Procedures”). Company shall review the Company Security Policies and Procedures on a regular basis and update them as necessary to comply with legal and regulatory changes and the risk facing Company and the Vendor Personal Information in its possession. Company shall provide Vendor with such details and information regarding the Company Security Policies and Procedures, as Vendor may reasonably request from time to time.
  2. To the extent that Company’s advisors, affiliates, agents or contractors have access to the Vendor Personal Information, Company shall maintain written agreements with such entities that are consistent with the requirements of this Agreement and that require such entities to (i) protect the security of the Vendor Personal Information in a manner that complies with all applicable law and (ii) comply with all terms and conditions of this Agreement related to Vendor Personal Information.
  3. Company will ensure that no Vendor Personal Information is disclosed to or accessed by any third parties except as expressly permitted by this Agreement or expressly authorized by Vendor in writing. Company will not, and will ensure that none of its personnel, affiliates, agents or contractors break, bypass, or circumvent, or attempt to break, bypass or circumvent, any security system of Vendor, Vendor’s affiliates, Vendor Customer, Vendor Customer’s affiliates and/or service providers, or obtain, or attempt to obtain, access to any Vendor Personal Information or Vendor Confidential Information, except as expressly authorized by this Agreement.
  4. Computer System Security Requirements. Company shall implement and maintain computer system security requirements to protect all Vendor Personal Information.

Security Incident Response.

Company will notify Vendor immediately either in writing or via telephone, of any actual, suspected or threatened Security Incident involving Vendor Personal Information. The notification provided to Vendor shall include, if known, and to Company’s knowledge as of the time of notice: (i) the general circumstances and extent of any unauthorized access to Vendor Personal Information or intrusion into the computer systems or facilities on or in which Vendor Personal Information is maintained; (ii) which categories of Vendor Personal Information where involved; (iii) the identities of all individuals whose Vendor Personal Information was affected; and (iv) steps taken to secure the data and preserve information for any necessary investigation. The notification required to be delivered to Vendor under this Section shall be delivered promptly and in no event later than twenty-four (24) hours after Company learns of any such actual, suspected or threatened Security Incident. Company shall not delay its notification to Vendor for any reason, including, without limitation, investigation purposes. Company shall cooperate fully with Vendor in investigating and responding to each successful or attempted security breach including allowing immediate access to Company’s facility by Vendor or Vendor’s investigator, to investigate, and obtain copies of data as provided herein.

Control, Return and Destruction of Vendor Personal Information.

As between Vendor and Company, all Vendor Personal Information is and shall remain the exclusive property of Vendor. Upon Vendor’s request and at Vendor’s expense and direction, Company shall promptly, within three (3) days of Vendor’s request, provide copies of all Vendor Personal Information (or such portions as may be specified by Vendor), in Company’s possession or under its control, in an industry standard format, including logs, where such logs can reasonably be redacted to prevent disclosure of information of other Company customers, or other electronically stored information concerning Vendor Personal Information or access thereto, and using such media as Vendor may request. At any time during the term of this Agreement, Vendor may request, in writing, that Company destroy or erase all copies of the Vendor Personal Information in Company’s possession or under its control and Company shall comply with all such requests. Under no circumstances shall Company withhold any Vendor Personal Information. Notwithstanding any other provision in this Agreement, Company shall not possess or assert any lien against or to Vendor Personal Information.