6.D. - Page 129 of 179

shall bear the costs associated with (1) the investigation and resolution of the Data Breach; (2) notifications to individuals, regulators or others required by state law; (3) a credit monitoring service required by state (or federal) law; (4) a website or a toll-free number and call center for affected individuals required by state law — all not to exceed the average per record per person cost calculated for data breaches in the United States (currently $225 per record/person) in the most recent Cost of Data Breach Study: Global Analysis published by the Ponemon Institute at the time of the Data Breach; and (5) complete all corrective actions as reasonably determined by Vendor based on root cause.

5.5. Definitions. For purposes of this Purchase Agreement, the following definitions apply:

• "Data Breach" means the unauthorized access by a non-authorized person/s that results in the use, disclosure or theft of City's unencrypted Personal Data or Non-Public Data.

• "Non-Public Data" means data, other than Personal Data, that is not subject to distribution to the public as public information. It is deemed to be sensitive and confidential by the City because it contains information that is exempt by statute, ordinance or administrative rule from access by the general public as public information.

• "Personal Data" means data that includes information relating to a person that identifies the person by name and has any of the following personally identifiable information (PII): government-issued identification numbers (e.g., Social Security, driver's license, passport, library account numbers); financial account information, including account number, credit or debit card numbers; or Protected Health Information (PHI) relating to a person. Personal Data also means any other information identified as "personal information" by California Civil Code Sections 1798.29, 1789.81.5 or 1798.82, as may be amended from time to time.

• "Protected Health Information" (PHI) means individually identifiable health information transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. PHI excludes education records covered by as amended, 20 U.S.C. 1232g, records described at 20 U.S.C. 1232g(a)(4)(B)(iv) and employment records held by a covered entity in its role as employer.

• "City Data" means all data created or in any way originating with the City, and all data that is the output of computer processing of or other electronic manipulation of any data that was created by or in any way originated with the City, whether such data or output is stored on the City's hardware, Vendor's hardware or exists in any system owned, maintained or otherwise controlled by the City or by Vendor. City Data includes Cardholder data, including credit card account numbers, addresses, telephone numbers, CVV data, and other data related to a cardholder.

• "City Identified Contact" means the person or persons designated in writing by the City to receive Security Incident or Data Breach notification.

• "Security Incident" means the potentially unauthorized access by non-authorized persons to Personal Data or Non-Public Data Vendor believes could reasonably result in the use, disclosure or theft of City's unencrypted Personal Data or Non-Public Data within the possession or control of Vendor. A Security Incident may or may not turn into a Data Breach.

O7P FORM 4000/2