Data Security (Customer-Friendly)

[Attachment __, Data Management, Privacy, and Security, continued]

K. General Security. Without limiting the generality of its obligations elsewhere in this Attachment __, Provider shall exercise commercially reasonably efforts to prevent unauthorized exposure or disclosure of Customer Data. 

L. InfoSec Program. Provider shall maintain, implement, and comply with a written data and information security program (the “InfoSec Program”) that requires administrative, technical, and physical safeguards appropriate: (1) to protect the security and confidentiality of Customer Data; (2) to protect against anticipated threats or hazards to the security or integrity of Customer Data; and (3) to protect against unauthorized access to or use of Customer Data. Provider shall likewise ensure that the InfoSec Program includes and requires compliance with the following (without limitation): (4) guidelines on the proper disposal of Customer Data after it is no longer needed to carry out the purposes of this Agreement, consistent with the requirements Section J (Deletion) of this Attachment __; (5) access controls on electronic systems used to maintain, access, or transmit Customer Data; (6) access restrictions at physical locations containing Customer Data; (7) encryption of electronic Customer Data consistent with then-current nationally-recognized encryption standards; (8) least privilege principles for access to Customer Data, supplemented either by dual control procedures or segregation of duties; (9) regular testing and monitoring of electronic systems accessing or storing Customer Data; and (10) procedures to detect actual and attempted attacks on or intrusions into the systems containing or accessing Customer Data. Provider shall review the InfoSec Program and all other Customer Data security precautions regularly, but no less than annually, and update them to comply with applicable laws, regulations, technology changes, and best practices.

M. Employees and Subcontractors. Provider shall not permit any of its employees, subcontractors, or subcontractor employees to access Customer Data except to the extent that such individual or company needs access to facilitate the System and is subject to a reasonable written agreement with Provider, or in case of employees, a reasonable written employment policy, protecting such data, with terms consistent with those of this Attachment __. Further, Provider shall not allow any individual to access Customer Data except to the extent that he or she has received a clean report with regard to each of the following: (1) verifications of education and work history; (2) a 7-year all residence criminal offender record information check; and (3) a 7-year federal criminal offender record information check. (A clean report refers to a report with no discrepancies in education or work history and no criminal investigations or convictions related to felonies or to crimes involving identity theft or other misuse of sensitive information.) However, Subsections M(2) and M(3) do not apply to the extent that applicable law forbids the required record information check, provided Provider notifies Customer of such restriction. Without limiting the generality of Provider’s obligations related to subcontractors and their employees, Provider shall exercise reasonable efforts to ensure that each subcontractor complies with the terms of this Agreement related to Customer Data. As between Provider and Customer, Provider shall pay any fees or costs related to each subcontractor’s compliance with such terms.