Data Incidents (Customer-Friendly)

Q. Data Incidents. Provider shall implement and maintain a program for managing unauthorized disclosure of, access to, or use of Customer Data (“Data Incidents”). In case of a Data Incident, or if Provider suspects a Data Incident, Provider shall: (1) promptly, and in any case within 48 hours, notify Customer by telephone, in person, or by other real-time, in-person communication; (2) cooperate with Customer and law enforcement agencies, where applicable, to investigate and resolve the Data Incident, including without limitation by providing reasonable assistance to Customer in notifying injured third parties; and (3) otherwise comply with applicable laws governing data breach notification and response. In addition, if the Data Incident results from Provider’s breach of this Agreement or negligent or unauthorized act or omission, including without limitation those of its subcontractors or other agents, Provider shall (a) compensate Customer for any reasonable expense related to notification of consumers and (b) provide 1 year of credit monitoring service to any affected individual. Provider shall give Customer prompt access to such records related to a Data Incident as Customer may reasonably request, and such records will be Provider’s Confidential Information pursuant to Section __ (Confidential Information) of this Agreement’s main body; provided Provider is not required to give Customer access to records that might compromising the security of Provider’s other customers. This Section Q does not limit Customer’s other rights or remedies, if any, resulting from a Data Incident.