5.4. Breach Responsibilities. This section only applies when a Data Breach occurs with respect to Personal Data or Non-Public Data within the possession or control of Vendor.

Vendor, unless stipulated otherwise, shall immediately notify the appropriate City Identified Contact by telephone in accordance with the agreed upon security plan or security procedures if it reasonably believes there has been a Security Incident.

Vendor, unless stipulated otherwise, shall promptly notify the appropriate City Identified Contact within 48 hours or sooner by telephone, unless shorter time is required by applicable law, if it confirms that there is, or reasonably believes that there has been a Data Breach. Vendor shall (1) cooperate with the City as reasonably requested by the City to investigate and resolve the Data Breach, (2) promptly implement necessary remedial measures, if necessary, and (3) document responsive actions taken related to the Data Breach, including any post-incident review of events and actions taken to make changes in business practices in providing the Services, if necessary.

Unless otherwise stipulated, if a Data Breach is a direct result of Vendor’s breach of its contractual obligation to encrypt Personal Data or otherwise prevent its release, Vendor shall bear the costs associated with (1) the investigation and resolution of the Data Breach; (2) notifications to individuals, regulators or others required by state law; (3) a credit monitoring service required by state (or federal) law; (4) a website or a toll-free number and call center for affected individuals required by state law — all not to exceed the average per record per person cost calculated for data breaches in the United States (currently $225 per record/person) in the most recent Cost of Data Breach Study: Global Analysis published by the Ponemon Institute at the time of the Data Breach; and (5) complete all corrective actions as reasonably determined by Vendor based on root cause.

5.5. Definitions. For purposes of this Purchase Agreement, the following definitions apply:

“Data Breach” means the unauthorized access by a non-authorized person/s that results in the use, disclosure or theft of City’s unencrypted Personal Data or Non-Public Data.

“Non-Public Data” means data, other than Personal Data, that is not subject to distribution to the public as public information. It is deemed to be sensitive and confidential by the City because it contains information that is exempt by statute, ordinance or administrative rule from access by the general public as public information.

“Personal Data” means data that includes information relating to a person that identifies the person by name and has any of the following personally identifiable information (PII): government-issued identification numbers (e.g., Social Security, driver’s license, passport, library account numbers); financial account information, including account number, credit or debit card numbers; or Protected Health Information (PHI) relating to a person. Personal Data also means any other information identified as “personal information” by California Civil Code Sections 1798.29, 1789.81.5 or 1798.82, as may be amended from time to time.

“Protected Health Information” (PHI) means individually identifiable health information transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. PHI excludes education records covered by as amended, 20 U.S.C. 1232g, records described at 20 U.S.C. 1232g(a)(4)(B)(iv) and employment records held by a covered entity in its role as employer.

ATTY/AGR.2022.299/Axon Enterprises, Inc. (RCPD Axon Fleet Cameras) (Page 14 of 32)