Data Security and Confidentiality:
Revised 6/25/2013
As used herein, the term “WSU” shall mean “Client” and the term “Vendor” shall mean “XXXXX”. In this Agreement, the party receiving information is generically referred to as the “Receiving Party,” and the party disclosing the information is generically referred to as the “Disclosing Party.”
- Confidential Information Defined
In performance of this Agreement, parties may directly or indirectly disclose confidential information, proprietary information, or confidential data (“Confidential Information”).
“Confidential Information” shall include any data and/or information that is identified by either party as confidential (either orally or in writing) or is of such a nature that a reasonable person would understand such information to be confidential, including, but not limited to: (1) personal information of customers, employees, students, and/or donors, including but not limited to, images, names, addresses, Social Security numbers, e-mail addresses, telephone numbers, financial profiles, credit card information, driver’s license numbers, medical data, law enforcement records, educational records or other information identifiable to a specific individual that relates to any of these types of information (“Personal Information”); (2) business methods, plans, and practices, financial data, or customer lists; (3) trade secrets, inventions, methodologies, research plans, products, product plans, patent applications, and other proprietary rights, and any specifications, tools, computer programs, source code, object code, documentation, or technical information; or (4) any other proprietary information or data the Disclosing Party maintains in confidence.
Confidential Information shall not include information the Receiving Party can prove by clear and convincing written contemporaneous evidence is: (1) publicly known through no fault or negligence of the Receiving Party; (2) rightfully possessed by the Receiving Party prior to disclosure by the Disclosing Party; (3) rightfully obtained by the Receiving Party from a third party in lawful possession of such Confidential Information without obligation of confidentiality; (4) independently developed by the Receiving Party without reference to or use of Confidential Information; (5) required to be disclosed by law; or (6) necessary to disclose to prevent severe physical injury to or loss of life of an individual.
- Use and Non-Disclosure of Confidential Information; Exceptions
Each party agrees to use the Confidential Information received from the other party only as expressly permitted in this Agreement or when reasonably necessary to perform the party’s duties under this Agreement so long as such disclosure is in accordance with applicable law. To the extent permitted by law, neither party will disclose to any third party the other party’s Confidential Information, in whole or in part, without the prior written consent of the party, or as provided for in this Agreement and in compliance with all applicable state and federal laws; provided however, Vendor may disclose Personal Information of WSU Students to a third party with the written consent of that Student. Notwithstanding the foregoing, either party may disclose the Confidential Information or portions thereof to their respective attorneys or accountants when seeking legal or financial advice.
Vendor specifically warrants and represents that except as otherwise permitted herein, it will not in any manner disclose, disseminate, copy, sell, resell, sublicense, transmit, assign, or otherwise make available any of WSU’s Confidential Information to any third party without the prior written permission of WSU, and further warrants and represents that it will take all reasonable steps necessary to ensure that its authorized agents, employees, contractors or subcontractors having access to the Confidential Information shall not copy, disclose or transmit any of the Confidential Information, or any portion thereof, in any form, to a third party except as necessary to perform the Services under the Agreement.
Vendor acknowledges that WSU, as a state agency, is at all times subject to the Washington Public Records Act, RCW 42.56.010 et seq. as now existing or as amended. If WSU receives a public records request for this Agreement and/or for documents and/or materials provided to WSU under this Agreement, generally such information will be a public record and must be disclosed to the public records requester. However, WSU agrees to notify Vendor if it receives such a public records request and the date WSU plans to release the records. If Vendor fails to obtain a protective order from the applicable court prior to the time WSU releases the records to the public records requester, Vendor gives WSU full authority to release the records on the date specified, and Vendor understands it shall hold WSU harmless with respect to such disclosure.
- Obligations to Secure Confidential Information
Vendor warrants and represents that it will implement the necessary industry-standard physical, electronic, and managerial safeguards to ensure the confidentiality, integrity, and availability of WSU Confidential Information, including but not limited to, the environment in which the WSU Confidential Information is stored, processed, and transmitted. Vendor further warrants and represents that such safeguards will in no event be less than the level of security Vendor uses to protect its own Confidential Information. Vendor shall require its contractors and subcontractors authorized to access WSU’s Confidential Information pursuant to this Agreement to take similar industry-standard precautions in safeguarding the Confidential Information.
Vendor agrees to comply with all applicable state and federal statutes and regulations governing unauthorized access and disclosure of the Confidential Information including, but not limited to: (1) personally identifiable information from education records as defined in The Family Educational Rights and Privacy Act (“FERPA”) (20 U.S.C. § 1232g; 34 CFR Part 99), and regulations promulgated thereunder; (2) information that is subject to the security provisions of the Gramm-Leach-Bliley Act, 15 U.S.C., Subchapter 1, Sections 6801-6809 (Disclosure of Nonpublic Personal Information); (3) individually identifiable “personal health information” as defined in the Health Information Portability and Accountability Act (“HIPAA”) regulations, 45 CFR Parts 160 and 164; and (4) the Washington State Office of the CIO (“OCIO”) Standard No. 141.10 “Securing Information Technology Assets” (available at http://www.ofm.wa.gov/ocio/policies/documents/141.10.pdf) or comparable standard. Any transmission, storage, or transportation of WSU Confidential Information outside of the U.S.A. is prohibited without prior written authorization from WSU.
Prior to execution of this Agreement and once per calendar year, Vendor will provide WSU with the most current SSAE 16 Report or comparable, 3rd party information security assessment report. WSU shall have the right, at its own expense and upon reasonable prior notice to Vendor, to review Vendor’s security measures and information security program.
If Vendor will accept and process payment by credit cards or any other form of electronic payment on behalf of WSU pursuant to this Agreement, Vendor agrees to provide evidence of certification for the Payment Card Industries Data Security Standard (“PCI DSS”). Proof of compliance shall be provided to WSU by Vendor on an annual basis for the duration of this Agreement. WSU reserves the right to monitor, audit or investigate said certification. If Vendor fails to achieve or maintain PCI DSS compliant status, Vendor will cease the acceptance and processing of payment cards or any other form of electronic payment on behalf of WSU pursuant to this Agreement, as well as the acceptance of any other Confidential Data or other proprietary data on behalf of WSU.
- Obligations upon Breach of Security
The Confidential Information, including any Personal Information, is subject to the provisions of RCW 19.255.010 and RCW 42.56.590 and Vendor will comply with those laws. Vendor will report to WSU any breach of security resulting in the unauthorized disclosure, misappropriation or unauthorized access of WSU Confidential Information (“Breach”). Vendor will promptly investigate any Breach affecting WSU Confidential Information and take reasonable measures to identify the Breach’s root cause(s), mitigate its effects, and prevent a recurrence. Unless prohibited by law, Vendor will provide WSU with a detailed description of the Breach, the type of data that was the subject of the incident, the identity of each affected person, and other information WSU may reasonably request concerning the affected persons. The parties agree to coordinate in good faith on developing the content of any related public statements or any required notices for the affected persons. If a data compromise and/or identity theft occurs and is found to be the result of Vendor’s non-compliance with the obligations to secure WSU Confidential Information, Vendor will assume complete responsibility for customer notification, and be liable for all associated costs incurred by WSU in responding to or recovering from that Breach.
- Survival of Obligations
The obligation to maintain the confidentiality of the Confidential Information received by the other party will survive termination or expiration of this Agreement, and shall survive for a period of five (5) years thereafter. Except as otherwise set forth below, within sixty (60) days of the expiration or termination of this Agreement, Vendor shall, at Vendor’s option: (1) certify to WSU that Vendor has destroyed all WSU Confidential Information in its possession; or (2) return all media containing all WSU Confidential Information to WSU; or (3) take whatever other steps WSU requires of Vendor to protect WSU’s Confidential Information. WSU reserves the right to audit or investigate the use of WSU Confidential Information collected, used, or acquired by Vendor or its employees, contractors or subcontractors pursuant to this Agreement. Any costs of such audit or investigation are the sole responsibility of WSU.
At all times this Agreement is in effect, Vendor shall maintain the following insurance:
Commercial General Liability Insurance on an occurrence basis, with combined single limits (CSL) of not less than $3,000,000 per occurrence and $5,000,000 in the annual aggregate. The policy shall include coverage for dram shop or liquor liability. The policy shall contain, or be endorsed with, language that WSU, its officers, agents, and employees are additional insureds, that the policy shall not be canceled or modified without thirty (30) days prior written notice, that the policy will provide primary coverage to WSU and be non-contributory, and that the policy has a severability of interest clause.
Workers’ Compensation Insurance in the statutorily required amounts providing benefits to Vendor’s employees in accordance with Title 51, Revised Code of Washington, Industrial Insurance.
Automobile Liability Insurance for vehicles used in the performance of this Agreement with limits of not less than $1,000,000 per accident combined single limit (CSL). The policy shall contain, or be endorsed with, language that WSU, its officers, agents, and employees are additional insureds, that the policy shall not be canceled or modified without thirty (30) days prior written notice, that the policy will provide primary coverage to WSU and be non-contributory, and that the policy has a severability of interest clause.
Commercial Crime Insurance which includes, without limitation, employee dishonesty, in the amount of $XXXXXXX and coverage for theft, disappearance and destruction of monies and securities in or on the Premises in the amount of $XXXXX and outside the Premises in the amount of $XXXXX.
WSU shall be named as an additional insured on all the above insurance coverage, and this coverage shall be primary and non-contributory to any self-insurance or insurance policy available to WSU. Vendor shall provide to WSU a certificate of insurance coverage for the above insurance prior to commencement of the Agreement, and shall maintain the above insurance at all times this Agreement is in effect. WSU reserves the right to change the coverage limits of the insurance policies set forth above as WSU may deem advisable, in WSU’s sole and absolute discretion. Vendor shall make no claims against WSU for any claim for which Vendor is covered by the insurance described herein.