The URL can be used to link to this page

Home My WebLink AboutAgreement A-23-659 with Navia Benefit Solutions Inc..pdf Agreement No. 23-659 1 AGREEMENT 2 3 THIS AGREEMENT is made and entered into effective January 1, 2024, by and 4 between the COUNTY OF FRESNO, hereinafter referred to as "COUNTY", and Navia Benefit 5 Solutions, Inc., a Washington state corporation, hereinafter referred to as "CONTRACTOR". 6 WITNESSETH: 7 WHEREAS, the COUNTY desires to obtain certain health benefit administrative 8 services, including processing COUNTY retirees' enrollment, billing and reporting, for County 9 retirees that are 65 years of age or older(hereinafter"post-65 retirees:); and 10 WHEREAS, the COUNTY participates in health insurance programs for its employees 11 and retirees under the age of 65, offered through its participation in the San Joaquin Valley 12 Insurance Authority (SJVIA); and 13 WHEREAS, the SJVIA offers additional administrative services including consolidated 14 eligibility and billing services through its separate agreement with CONTRACTOR; and 15 WHEREAS, the COUNTY desires to ensure consistency and efficiency in health 16 benefit administrative services offered through the SJVIA by matching pricing and services for its 17 post-65 retirees; and 18 WHEREAS, the CONTRACTOR represents that it is willing and able to provide the 19 health benefit administrative services as set forth in this Agreement. 20 NOW, THEREFORE, in consideration of the mutual covenants, terms and conditions 21 herein contained, the parties hereto agree as follows: 22 1. OBLIGATIONS OF THE CONTRACTOR 23 A. The CONTRACTOR shall provide health benefit administrative services as 24 set forth in Exhibit A, attached hereto and incorporated herein by this reference. 25 B. The CONTRACTOR shall provide the COUNTY with general administrative 26 services that include, but are not limited to: 27 1. Furnishing necessary training to County personnel to assist the 28 COUNTY in utilizing the CONTRACTOR'S services. 1 2. Furnishing the COUNTY with all available information from the 2 CONTRACTOR's records which the COUNTY, in its determination, may need and/or request. 3 3. Referral of participants to the COUNTY as reasonably necessary 4 for clarification of any enrollment or other service request made by any post-65 retiree. 5 The CONTRACTOR is responsible for compliance with the Internal Revenue 6 Code and other Federal, State or local laws applicable to the CONTRACTOR. 7 2. OBLIGATIONS OF THE COUNTY 8 A The COUNTY is solely responsible for compliance with the Internal 9 Revenue Code and other Federal, State or local laws applicable to the COUNTY. 10 B. The COUNTY is solely responsible for the accuracy and integrity of 11 COUNTY data. 12 3. TERM 13 This Agreement shall become effective on the 1 st day of January, 2024 and 14 shall terminate on the 31stday of December, 2024, unless otherwise terminated by COUNTY, as 15 provided herein. 16 4. TERMINATION 17 A Non-Allocation of Funds -The terms of this Agreement, and the services to 18 be provided thereunder, are contingent on the approval of funds by the COUNTY. Should 19 sufficient funds not be allocated, the services provided may be modified, or this Agreement 20 terminated, at any time by giving the CONTRACTOR thirty (30) days advance written notice. 21 B. Breach of Contract-The COUNTY may immediately suspend or terminate 22 this Agreement in whole or in part, where in the determination of the COUNTY there is: 23 1 . An illegal or improper use of funds; 24 2. A failure to comply with any term of this Agreement; 25 3. A substantially incorrect or incomplete report submitted to the 26 COUNTY; 27 4. Improperly performed service. 28 In no event shall any payment by the COUNTY constitute a waiver by the COUNTY 1 of any breach of this Agreement or any default which may then exist on the part of the 2 CONTRACTOR. Neither shall such payment impair or prejudice any remedy available to the 3 COUNTY with respect to the breach or default. The COUNTY shall have the right to demand of 4 the CONTRACTOR the repayment to the COUNTY of any funds disbursed to the CONTRACTOR 5 under this Agreement, which in the judgment of the COUNTY were not expended in accordance 6 with the terms of this Agreement. The CONTRACTOR shall promptly refund any such funds upon 7 demand. 8 9 C. Without Cause - Under circumstances other than those set forth above, 10 this Agreement may be terminated by COUNTY upon the giving of sixty (60) days advance written 11 notice of an intention to terminate to CONTRACTOR. 12 4. COMPENSATION: COUNTY agrees to pay CONTRACTOR and 13 CONTRACTOR agrees to receive compensation as follows: $2.00 Per Post-65 Retiree Per Month 14 (PRPM) paid monthly throughout the term of this Agreement per the compiled monthly 15 transmittals. The PRPM fee will be paid in arrears and is based on the actual number of eligible 16 Medicare retirees as determined by the COUNTY and as used for all eligibility purposes for the 17 specific contract month. 18 5. OWNERSHIP OF DATA: All data delivered by the COUNTY to 19 CONTRACTOR, or which is created by either party for the COUNTY in connection with the 20 performance of this Agreement, shall be the exclusive property of the COUNTY. CONTRACTOR 21 shall be the custodian of such data and will immediately make such data available to the COUNTY 22 upon request during normal working hours. CONTRACTOR shall return or destroy all 23 personnel/payroll raw data collected or generated in connection with the performance of the 24 Agreement within thirty (30) days of the termination of this Agreement upon written request of the 25 COUNTY and CONTRACTOR shall not access or use said data for any purpose other than in 26 connection with the performance of this Agreement or for CONTRACTOR'S administrative and 27 legal obligations. 28 6. HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT 1 A. The parties to this Agreement shall be in strict conformance with all 2 applicable Federal and State of California laws and regulations, including but not limited to 3 Sections 5328, 10850, and 14100.2 et seq. of the Welfare and Institutions Code, Sections 2.1 and 4 431.300 et seq. of Title 42, Code of Federal Regulations (CFR), Section 56 et seq. of the 5 California Civil Code, Sections 11977 and 11812 of Title 22 of the California Code of Regulations, 6 and the Health Insurance Portability and Accountability Act (HIPAA), including but not limited to 7 Section 1320 D et seq. of Title 42, United States Code (USC) and its implementing regulations, 8 including, but not limited to Title 45, CFR, Sections 142, 160, 162, and 164, The Health 9 Information Technology for Economic and Clinical Health Act (HITECH) regarding the 10 confidentiality and security of patient information, and the Genetic Information Nondiscrimination 11 Act (GINA) of 2008 regarding the confidentiality of genetic information. 12 Except as otherwise provided in this Agreement, CONTRACTOR, as a 13 Business Associate of COUNTY, may use or disclose Protected Health Information (PHI) to 14 perform functions, activities or services for or on behalf of COUNTY, as specified in this 15 Agreement, provided that such use or disclosure shall not violate the Health Insurance Portability 16 and Accountability Act (HIPAA), 42 USC 1320d et seq. The uses and disclosures of PHI may not 17 be more expansive than those applicable to COUNTY, as the "Covered Entity" under the HIPAA 18 Privacy Rule (45 CFR 164.500 et seq.), except as authorized for management, administrative or 19 legal responsibilities of the Business Associate. 20 21 22 23 24 25 26 27 28 1 B. CONTRACTOR, including its subcontractors and employees, shall protect, 2 from unauthorized access, use, or disclosure PHI and genetic information, concerning persons 3 receiving services pursuant to this Agreement, except where permitted in order to carry out data 4 aggregation purposes for health care operations [45 CFR Sections 164.504 (e)(2)(i), 164.504 5 (3)(2)(ii)(A), and 164.504 (e)(4)(i)] This pertains to any and all persons receiving services pursuant 6 to a COUNTY funded program. This requirement applies to electronic PHI. CONTRACTOR shall 7 not use PHI or genetic information for any purpose other than carrying out CONTRACTOR's 8 obligations under this Agreement. 9 C. CONTRACTOR, including its subcontractors and employees, shall not 10 disclose PHI or genetic information to any person or entity, except as otherwise specifically 11 permitted by this Agreement, authorized by Subpart E of 45 CFR Part 164 or other law, required 12 by the Secretary, or authorized by the client/patient in writing. In using or disclosing PHI that is 13 permitted by this Agreement or authorized by law, CONTRACTOR shall make reasonable efforts 14 to limit PHI to the minimum necessary to accomplish intended purpose of use, disclosure or 15 request. 16 D. For purposes of the above sections, genetic information shall include 17 genetic tests of family members of an individual or individual, manifestation of disease or disorder 18 of family members of an individual, or any request for or receipt of, genetic services by individual 19 or family members. Family member means a dependent or any person who is first, second, third, 20 or fourth degree relative. 21 E. CONTRACTOR shall provide access, at the request of COUNTY, and in 22 the time and manner designated by COUNTY, to PHI in a designated record set (as defined in 45 23 CFR Section 164.501), to an individual or to COUNTY in order to meet the requirements of 45 24 CFR Section 164.524 regarding access by individuals to their PHI. With respect to individual 25 requests, access shall be provided within thirty (30) days from request. Access may be extended 26 if CONTRACTOR cannot provide access and provides individual with the reasons for the delay 27 and the date when access may be granted. PHI shall be provided in the form and format 28 requested by the individual or COUNTY. 1 CONTRACTOR shall make any amendment(s) to PHI in a designated record set at 2 the request of COUNTY or individual, and in the time and manner designated by COUNTY in 3 accordance with 45 CFR Section 164.526. 4 CONTRACTOR shall provide to COUNTY or to an individual, in a time and manner 5 designated by COUNTY, information collected in accordance with 45 CFR Section 164.528, to 6 permit COUNTY to respond to a request by the individual for an accounting of disclosures of PHI 7 in accordance with 45 CFR Section 164.528. 8 F. CONTRACTOR shall report to COUNTY, in writing, any knowledge or 9 reasonable belief that there has been unauthorized access, use, disclosure, security incident, or 10 breach of unsecured PHI not permitted by this Agreement of which it becomes aware, immediately 11 and without reasonable delay and in no case later than five (5) business days of discovery, unless 12 applicable law requires earlier or immediate notice. Immediate notification shall be made to 13 COUNTY's Information Security Officer and Privacy Officer and COUNTY's DPH HIPAA 14 Representative, within five (5) business days of discovery. The notification shall include, to the 15 extent possible, the identification of each individual whose unsecured PHI has been, or is 16 reasonably believed to have been, accessed, acquired, used, disclosed, or breached. 17 CONTRACTOR shall take prompt corrective action to cure any deficiencies and any action 18 pertaining to such unauthorized disclosure required by applicable Federal and State Laws and 19 regulations. CONTRACTOR shall investigate such breach and to the extent Contractor solely 20 caused the breach, Contractor is responsible for all notifications required by law and regulation or 21 deemed necessary by the Parties and shall provide a written report of the investigation and 22 reporting required to COUNTY's Information Security Officer and Privacy Officer and COUNTY's 23 DPH HIPAA Representative. If the breach is caused by County, County is responsible for all 24 notifications required by law and regulation or deemed necessary by the Parties. This written 25 investigation and description of any reporting necessary shall be postmarked within the thirty (30) 26 working days of the discovery of the breach to the addresses below: 27 County of Fresno County of Fresno County of Fresno 28 Dept. of Public Health Dept. of Public Health Dept. of Internal Services 1 HIPAA Representative Privacy Officer Information Security Officer 2 (559) 600-6439 (559) 600-6405 (559) 600-5800 P.O. Box 11867 P.O. Box 11867 333 W. Pontiac Way 3 Fresno, CA 93775 Fresno, CA 93775 Clovis, CA 93612 4 G. CONTRACTOR shall make its internal practices, books, and records 5 relating to the use and disclosure of PHI received from COUNTY, or created or received by the 6 CONTRACTOR on behalf of COUNTY, in compliance with HIPAA's Privacy Rule, including, but 7 not limited to the requirements set forth in Title 45, CFR, Sections 160 and 164. CONTRACTOR 8 shall make its internal practices, books, and records relating to the use and disclosure of PHI 9 received from COUNTY, or created or received by the CONTRACTOR on behalf of COUNTY, 10 available to the United States Department of Health and Human Services (Secretary) upon 11 demand. 12 CONTRACTOR shall cooperate with the compliance and investigation reviews 13 conducted by the Secretary. PHI access to the Secretary must be provided during the 14 CONTRACTOR's normal business hours, however, upon exigent circumstances access at any 15 time must be granted. Upon the Secretary's compliance or investigation review, if PHI is 16 unavailable to CONTRACTOR and in possession of a Subcontractor, it must certify efforts to 17 obtain the information to the Secretary. 18 H. Safeguards 19 CONTRACTOR shall implement administrative, physical, and technical safeguards 20 as required by the HIPAA Security Rule, Subpart C of 45 CFR 164, that reasonably and 21 appropriately protect the confidentiality, integrity, and availability of PHI, including electronic PHI, 22 that it creates, receives, maintains or transmits on behalf of COUNTY and to prevent unauthorized 23 access, viewing, use, disclosure, or breach of PHI other than as provided for by this Agreement. 24 CONTRACTOR shall conduct an accurate and thorough assessment of the potential risks and 25 vulnerabilities to the confidential, integrity and availability of electronic PHI. CONTRACTOR shall 26 develop and maintain a written information privacy and security program that includes 27 administrative, technical and physical safeguards appropriate to the size and complexity of 28 1 CONTRACTOR's operations and the nature and scope of its activities. Upon COUNTY's request, 2 CONTRACTOR shall provide COUNTY with information concerning such safeguards. 3 CONTRACTOR shall implement strong access controls and other security 4 safeguards and precautions in order to restrict logical and physical access to confidential, 5 personal (e.g., PHI) or sensitive data to authorized users only. Said safeguards and precautions 6 shall include the following administrative and technical password controls for all systems used to 7 process or store confidential, personal, or sensitive data: 8 1. Passwords must not be: 9 a. Shared or written down where they are accessible or recognizable by 10 anyone else; such as taped to computer screens, stored under keyboards, 11 or visible in a work area; 12 c. Stored in clear text 13 2. Passwords must be: 14 a. Eight (8) characters or more in length; 15 b. Changed immediately if revealed or compromised; and 16 c. Composed of characters from at least three (3) of the following four (4) 17 groups from the standard keyboard: 18 1) Upper case letters (A-Z); 19 2) Lowercase letters (a-z); 20 3) Arabic numerals (0 through 9); and 21 4) Non-alphanumeric characters (punctuation symbols). 22 CONTRACTOR shall implement the following security controls on each workstation 23 or portable computing device (e.g., laptop computer) containing confidential, 24 personal, or sensitive data: 25 1. Network-based firewall and/or personal firewall; 26 2. Continuously updated anti-virus software; and 27 3. Patch management process including installation of all operating 28 system/software vendor security patches. 1 CONTRACTOR shall utilize a commercial encryption solution that has received 2 FIPS 140-3 validation to encrypt all confidential, personal, or sensitive data stored on portable 3 electronic media (including, but not limited to, compact disks and thumb drives) and on portable 4 computing devices (including, but not limited to, laptop and notebook computers). 5 CONTRACTOR shall not transmit confidential, personal, or sensitive data via e-mail 6 or other internet transport protocol unless the data is encrypted. CONTRACTOR must apply 7 appropriate sanctions against its employees who fail to comply with these safeguards. 8 CONTRACTOR must adopt procedures for terminating access to PHI when employment of 9 employee ends. 10 I. Mitigation of Harmful Effects 11 CONTRACTOR shall mitigate, to the extent practicable, any harmful effect that is 12 suspected or known to CONTRACTOR of an unauthorized access, viewing, use, disclosure, or 13 breach of PHI by CONTRACTOR or its subcontractors in violation of the requirements of these 14 provisions. CONTRACTOR must document suspected or known harmful effects and the 15 outcome. 16 J. CONTRACTOR's Subcontractors 17 CONTRACTOR shall ensure that any of its contractors, including subcontractors, if 18 applicable, to whom CONTRACTOR provides PHI received from or created or received by 19 CONTRACTOR on behalf of COUNTY, agree to the same restrictions, safeguards, and conditions 20 that apply to CONTRACTOR with respect to such PHI and to incorporate, when applicable, the 21 relevant provisions of these provisions into each subcontract or sub-award to such agents or 22 subcontractors. 23 K. Employee Training and Discipline 24 CONTRACTOR shall train and use reasonable measures to ensure compliance with 25 the requirements of these provisions by employees who assist in the performance of functions or 26 activities on behalf of COUNTY under this Agreement and use or disclose PHI and discipline such 27 employees who intentionally violate any provisions of these provisions, including termination of 28 employment. 1 L. Termination for Cause 2 Upon COUNTY's knowledge of a material breach of these provisions by 3 CONTRACTOR, COUNTY shall either: 4 1. Provide an opportunity for CONTRACTOR to cure the breach or end the violation 5 and terminate this Agreement if CONTRACTOR does not cure the breach or end 6 the violation within the time specified by COUNTY; or 7 2. Immediately terminate this Agreement if CONTRACTOR has breached a material 8 term of these provisions and cure is not possible. 9 3. If neither cure nor termination is feasible, the COUNTY's Privacy Officer shall 10 report the violation to the Secretary of the U.S. Department of Health and Human 11 Services. 12 M. Judicial or Administrative Proceedings 13 COUNTY may terminate this Agreement in accordance with the terms and 14 conditions of this Agreement as written hereinabove, if: (1) CONTRACTOR is found guilty in a 15 criminal proceeding for a violation of the HIPAA Privacy or Security Laws or the HITECH Act; or 16 (2) there is a finding or stipulation that the CONTRACTOR has violated a privacy or security 17 standard or requirement of the HITECH Act, HIPAA or other security or privacy laws in an 18 administrative or civil proceeding in which the CONTRACTOR is a party. 19 N. Effect of Termination 20 Upon termination or expiration of this Agreement for any reason, CONTRACTOR 21 shall return or destroy all PHI received from COUNTY (or created or received by CONTRACTOR 22 on behalf of COUNTY) that CONTRACTOR still maintains in any form, and shall retain no copies 23 of such PHI. If return or destruction of PHI is not feasible, it shall continue to extend the 24 protections of these provisions to such information, and limit further use of such PHI to those 25 purposes that make the return or destruction of such PHI infeasible. This provision shall apply to 26 PHI that is in the possession of subcontractors or agents, if applicable, of CONTRACTOR. If 27 CONTRACTOR destroys the PHI data, a certification of date and time of destruction shall be 28 provided to the COUNTY by CONTRACTOR upon written request. 1 0. Disclaimer 2 COUNTY makes no warranty or representation that compliance by CONTRACTOR 3 with these provisions, the HITECH Act, HIPAAor the HIPAA regulations will be adequate or 4 satisfactory for CONTRA CTOR's own purposes or that any information in CONTRACTOR's 5 possession or control, or transmitted or received by CONTRACTOR, is or will be secure from 6 unauthorized access, viewing, use, disclosure, or breach. CONTRACTOR is solely responsible 7 for all decisions made by CONTRACTOR regarding the safeguarding of PHI. 8 P. Amendment 9 The parties acknowledge that Federal and State laws relating to electronic data 10 security and privacy are rapidly evolving and that amendment of these provisions may be required 11 to provide for procedures to ensure compliance with such developments. The parties specifically 12 agree to take such action as is necessary to amend this agreement in order to implement the 13 standards and requirements of HIPAA, the HIPAA regulations, the HITECH Act and other 14 applicable laws relating to the security or privacy of PHI. COUNTY may terminate this Agreement 15 upon thirty (30) days written notice in the event that CONTRACTOR does not enter into an 16 amendment providing assurances regarding the safeguarding of PHI that COUNTY in its sole 17 discretion, deems sufficient to satisfy the standards and requirements of HIPAA, the HIPAA 18 regulations and the HITECH Act. 19 Q. No Third-Party Beneficiaries 20 Nothing express or implied in the terms and conditions of these provisions is intended to confer, 21 nor shall anything herein confer, upon any person other than COUNTY or CONTRACTOR and 22 their respective successors or assignees, any rights, remedies, obligations or liabilities 23 whatsoever. 24 R. Interpretation 25 The terms and conditions in these provisions shall be interpreted as broadly as 26 necessary to implement and comply with HIPAA, the HIPAA regulations and applicable State 27 laws. The parties agree that any ambiguity in the terms and conditions of these provisions shall be 28 resolved in favor of a meaning that complies and is consistent with HIPAA and the HIPAA 1 regulations. 2 S. Regulatory References 3 A reference in the terms and conditions of these provisions to a section in the 4 HIPAA regulations means the section as in effect or as amended. 5 T. Survival 6 The respective rights and obligations of CONTRACTOR as stated in this Section 7 shall survive the termination or expiration of this Agreement. 8 U. No Waiver of Obligations 9 No change, waiver or discharge of any liability or obligation hereunder on any one or 10 more occasions shall be deemed a waiver of performance of any continuing or other obligation, or 11 shall prohibit enforcement of any obligation on any other occasion. 12 8. INDEPENDENT CONTRACTOR: In performance of the work, duties and 13 obligations assumed by CONTRACTOR under this Agreement, it is mutually understood and 14 agreed that CONTRACTOR, including any and all of the CONTRACTOR'S officers, agents, and 15 employees will at all times be acting and performing as an independent contractor, and shall act in 16 an independent capacity and not as an officer, agent, servant, employee, joint venturer, partner, or 17 associate of the COUNTY. Furthermore, COUNTY shall have no right to control or supervise or 18 direct the manner or method by which CONTRACTOR shall perform its work and function. 19 However, COUNTY shall retain the right to administer this Agreement so as to verify that 20 CONTRACTOR is performing its obligations in accordance with the terms and conditions thereof. 21 CONTRACTOR and COUNTY shall comply with all applicable provisions of 22 law and the rules and regulations, if any, of governmental authorities having jurisdiction over 23 matters the subject thereof. 24 Because of its status as an independent contractor, CONTRACTOR shall have 25 absolutely no right to employment rights and benefits available to COUNTY employees. 26 CONTRACTOR shall be solely liable and responsible for providing to, or on behalf of, its 27 employees all legally-required employee benefits. In addition, CONTRACTOR shall be solely 28 responsible and save COUNTY harmless from all matters relating to payment of 1 CONTRACTOR'S employees, including compliance with Social Security withholding and all other 2 regulations governing such matters. It is acknowledged that during the term of this Agreement, 3 CONTRACTOR may be providing services to others unrelated to the COUNTY or to this 4 Agreement. 5 9. MODIFICATION: Any matters of this Agreement may be modified from time to 6 time by the written consent of all the parties without, in any way, affecting the remainder. 7 10. NON-ASSIGNMENT: Neither party may assign, transfer or sub-contract this 8 Agreement nor their rights or duties under this Agreement without the prior written consent of the 9 other party. 10 11. Indemnity. The CONTRACTOR shall indemnify and hold harmless and 11 defend the COUNTY (including its officers, agents, employees, and volunteers) against all 12 claims, demands, injuries, damages, costs, expenses (including attorney fees and costs), fines, 13 penalties, and liabilities of any kind incurred by the COUNTY that arise from or relate to the 14 performance or breach of this Agreement by the CONTRACTOR (or any of its officers, agents, 15 subcontractors, or employees). The COUNTY may conduct or participate in its own defense 16 without affecting the CONTRACTOR's obligation to indemnify and hold harmless or defend the 17 18 County. 19 13. INSURANCE 1 A. Required Insurance 2 Without limiting the COUNTY's right to obtain indemnification from 3 CONTRACTOR or any third parties, CONTRACTOR, at its sole expense, shall maintain in full 4 force and effect, the following insurance policies or a program of self-insurance, including but not 5 limited to, an insurance pooling arrangement or Joint Powers Agreement (JPA)throughout the 6 term of the Agreement: 7 A. Commercial General Liability 8 Commercial General Liability Insurance with limits of not less than Two Million 9 Dollars ($2,000,000) per occurrence and an annual aggregate of Four Million Dollars 10 ($4,000,000). This policy shall be issued on a per occurrence basis. 11 B. Automobile Liability 12 Comprehensive Automobile Liability Insurance with limits of not less than One 13 Million Dollars ($1,000,000.00) per accident for bodily injury and for property damages. Coverage 14 should include any auto used in connection with this Agreement. 15 C. Professional Liability 16 CONTRACTOR shall maintain Professional Liability Insurance with limits of 17 not less than One Million Dollars ($1,000,000.00) per occurrence, Three Million Dollars 18 ($3,000,000.00) annual aggregate. 19 D. Worker's Compensation 20 A policy of Worker's Compensation insurance as may be required by the 21 California Labor Code. 22 E. Technology Professional Liability (Errors and Omissions) 23 Technology professional liability (errors and omissions) insurance with limits 24 of not less than Two Million Dollars ($2,000,000.00) per occurrence. Coverage shall 25 encompass all of the CONTRACTOR's duties and obligations that are the subject of this 26 Agreement. Coverage shall include, but not be limited to, any and all claims, damages, costs, 27 fees, regulatory fines and penalties, or forms of legal action involving Cyber Risks. 28 1 F. Cyber Liability 2 Cyber liability insurance with limits of not less than Two Million Dollars 3 ($2,000,000.00) per occurrence. Coverage shall include, but not be limited to, any and all 4 claims, damages, costs, fees, regulatory fines and penalties, or forms of legal action involving 5 Cyber Risks. The cyber liability policy shall be endorsed to cover the full replacement value of, 6 damage to, alteration of, loss of, theft of, ransom of, or destruction of intangible property 7 (including but not limited to information or data) that is in the care, custody, or control of 8 CONTRACTOR. 9 G. Employer's Liability 10 Employer's Liability. Employer's liability insurance with limits of not less than One Million Dollars ($1,000,000) per occurrence for bodily injury and for disease 11 For purposes of the technology professional liability insurance and the cyber liability 12 insurance required under this Agreement, Cyber Risks include, but are not limited to, (i) security 13 breaches, which include disclosure of, whether intentional or unintentional, information provided 14 by COUNTY, information provided by or obtained from any employee, or personal-identifying 15 information relating to any employee, to an unauthorized third party; (ii) breach of any of 16 CONTRACTOR's obligations under this Agreement relating to data security, protection, 17 preservation, usage, storage, transmission, and the like; (iii) infringement of intellectual property 18 including, but not limited to, infringement of copyright, trademark, and trade dress; (iv) invasion 19 of privacy, including any release of private information; (v) information theft by any person or 20 entity, whatsoever; (vi) damage to or destruction or alteration of electronic information; (vii) 21 extortion related to CONTRACTOR's obligations under this Agreement regarding electronic 22 information, including information provided by COUNTY, information provided by or obtained 23 from any employee, or personal-identifying information relating to any employee; (viii) network 24 security; (ix) data breach response costs, including security breach response costs; (x) 25 regulatory fines and penalties related to CONTRACTOR's obligations under this Agreement 26 regarding electronic information, including information provided by COUNTY, information 27 provided by or obtained from an employee, or personal-identifying information relating to any 28 employee; and (xi) credit monitoring expenses. 29 B. Additional Requirements Relating to Insurance 30 CONTRACTOR shall obtain endorsements to the Commercial General Liability 1 insurance naming the COUNTY, its officers, agents, and employees, individually and collectively, 2 as additional insured, but only insofar as the operations under this Agreement are concerned. 3 Such coverage for additional insured shall apply as primary insurance and any other insurance, or 4 self-insurance, maintained by COUNTY, its officers, agents and employees shall be excess only 5 and not contributing with insurance provided under CONTRACTOR's policies herein. This 6 insurance shall not be cancelled or changed without a minimum of thirty (30) days advance written 7 notice given to COUNTY. 8 CONTRACTOR hereby waives its right to recover from COUNTY, its officers, 9 agents, and employees any amounts paid by the policy of worker's compensation insurance 10 required by this Agreement. CONTRACTOR is solely responsible to obtain any endorsement to 11 such policy that may be necessary to accomplish such waiver of subrogation, but 12 CONTRACTOR's waiver of subrogation under this paragraph is effective whether or not 13 CONTRACTOR obtains such an endorsement. 14 Within thirty (30) days from the date CONTRACTOR signs and executes this 15 Agreement, CONTRACTOR shall provide certificates of insurance and endorsement as stated 16 above for all of the foregoing policies, as required herein, to the COUNTY, (Hollis Magill, Director 17 of Human Resources, 2220 Tulare Street, 16t" Floor, Fresno, CA 93721), stating that such 18 insurance coverage have been obtained and are in full force; that the COUNTY, officers, agents 19 and employees will not be responsible for any premiums on the policies; that for such worker's 20 compensation insurance that CONTRACTOR has waived its right to recover from the COUNTY, 21 its officers, agents and employees any amounts paid under the insurance policy and that waiver 22 does not invalidate the insurance policy; that such Commercial General Liability insurance names 23 the COUNTY, its officers, agents and employees, individually and collectively, as additional 24 insured, but only insofar as the operations under this Agreement are concerned; that such 25 coverage for additional insured shall apply as primary insurance and any other insurance, or 26 self-insurance, maintained by COUNTY, its officers, agents and employees, shall be excess only 27 and not contributing with insurance provided under CONTRACTOR's policies herein; and that this 28 insurance shall not be cancelled or changed without a minimum of thirty (30) days advance, 1 written notice given to COUNTY. 2 In the event CONTRACTOR fails to keep in effect at all times insurance 3 coverage as herein provided, the COUNTY may, in addition to other remedies it may have, 4 suspend or terminate this Agreement upon the occurrence of such event. 5 All policies shall be with admitted insurers licensed to do business in the State 6 of California. Insurance purchased shall be purchased from companies possessing a current A.M. 7 Best, Inc. rating of A FSC VII or better. 8 14. AUDITS AND INSPECTIONS: The CONTRACTOR shall at any time during 9 business hours, and as often as the COUNTY may deem necessary, make available to the 10 COUNTY for examination all of its records and data with respect to the matters covered by this 11 Agreement. The CONTRACTOR shall, upon request by the COUNTY, permit the COUNTY to 12 audit and inspect all of such records and data necessary to ensure CONTRACTOR'S compliance 13 with the terms of this Agreement. 14 If this Agreement exceeds ten thousand dollars ($10,000.00), CONTRACTOR 15 shall be subject to the examination and audit of the Auditor General for a period of three (3) years 16 after final payment under contract (Government Code Section 8546.7). 17 15. NOTICES: The persons and their addresses having authority to give and 18 receive notices under this Agreement include the following: 19 COUNTY CONTRACTOR 20 Hollis Magill, Attention: Legal/Compliance Department Director of Human Resources Navia Benefit Solutions, Inc. 21 2220 Tulare Street. 16t" Floor 600 Naches Ave SW Fresno. CA 93721 Renton. WA 98057 22 23 All notices between the COUNTY and CONTRACTOR provided for or 24 permitted under this Agreement must be in writing and delivered either by personal service, by 25 first-class United States mail, by an overnight commercial courier service, or by telephonic 26 facsimile transmission. A notice delivered by personal service is effective upon service to the 27 recipient. A notice delivered by first-class United States mail is effective three COUNTY business 28 1 days after deposit in the United States mail, postage prepaid, addressed to the recipient. A notice 2 delivered by an overnight commercial courier service is effective one COUNTY business day after 3 deposit with the overnight commercial courier service, delivery fees prepaid, with delivery 4 instructions given for next day delivery, addressed to the recipient. A notice delivered by 5 telephonic facsimile is effective when transmission to the recipient is completed (but, if such 6 transmission is completed outside of COUNTY business hours, then such delivery shall be 7 deemed to be effective at the next beginning of a COUNTY business day), provided that the 8 sender maintains a machine record of the completed transmission. For all claims arising out of or 9 related to this Agreement, nothing in this section establishes, waives, or modifies any claims 10 presentation requirements or procedures provided by law, including but not limited to the 11 Government Claims Act (Division 3.6 of Title 1 of the Government Code, beginning with section 12 810). 13 16. GOVERNING LAW: Venue for any action arising out of or related to this 14 Agreement shall only be in Fresno County, California. 15 The rights and obligations of the parties and all interpretation and performance 16 of this Agreement shall be governed in all respects by the laws of the State of California. 17 17. DISCLOSURE OF SELF-DEALING TRANSACTIONS: This provision is only 18 applicable if the CONTRACTOR is operating as a corporation (a for-profit or non-profit 19 corporation) or if during the term of the agreement, the CONTRACTOR changes its status to 20 operate as a corporation. 21 Members of the CONTRACTOR's Board of Directors shall disclose any self- 22 dealing transactions that they are a party to while CONTRACTOR is providing goods or 23 performing services under this agreement. A self-dealing transaction shall mean a transaction to 24 which the CONTRACTOR is a party and in which one or more of its directors has a material 25 financial interest. Members of the Board of Directors shall disclose any self-dealing transactions 26 that they are a party to by completing and signing a Self-Dealing Transaction Disclosure Form, 27 attached hereto as Exhibit B and incorporated herein by reference, and submitting it to the 28 COUNTY prior to commencing with the self-dealing transaction or immediately thereafter. 1 18. ENTIRE AGREEMENT: This Agreement constitutes the entire agreement 2 between the CONTRACTOR and COUNTY with respect to the subject matter hereof and 3 supersedes all previous Agreement negotiations, proposals, commitments, writings, 4 advertisements, publications, and understanding of any nature whatsoever unless expressly 5 included in this Agreement. 6 [SIGNATURE PAGE TO FOLLOW] 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 1 IN WITNESS WHEREOF, the parties hereto have executed this Agreement as of the 2 day and year first hereinabove written. 3 CONTRACTOR COUNTY OF FRESNO 4 5 By: By 6 (Authorized Signature) Sal Via to o Chan Board of Supervisors of 7 Tina Boyd Secretary the County of Fresno 8 Print Name & Title 9 600 Naches AVE SW 10 Renton WA 98057 11 Mailing Address 12 Date: 11/21/23 Date: 1c2.-la-aDa3 13 14 ATTEST: Bernice E. Seidel 15 Clerk of the Board of Supervisors 16 County of Fresno, State of California 17 18 19 By. Deputy 20 21 22 23 24 25 FOR ACCOUNTING USE ONLY: 26 Fund No: 1060 Subclass: 10000 27 ORG No: 89250200 28 Account No: 7185 1 EXHIBIT A 2 3 CONTRACTOR will provide the following Administrative Services for the COUNTY's 4 Medicare retirees (Post-65 retirees): 5 1. Process retirees' enrollment/billing paperwork once received from COUNTY; 6 2. Track benefits elected by retirees and covered family members; 7 3. Send retirees introductory letter containing payment options (e.g. payment coupons for 8 check or money order, ACH for auto-payment, credit cards); 9 4. Track and collect retirees' monthly premiums; 10 5. Remit premiums to COUNTY directly (CONTRACTOR does not send to carriers); 11 6. Notify COUNTY of all retiree terminations; 12 7. Store COUNTY benefit plan rules, including eligibility restrictions, waiting periods, volume 13 and age calculation frequencies; 14 8. Maintain standard reporting system, including various census, discrepancy, enrollment, 15 and audit reports. 16 17 18 19 20 21 22 23 24 25 26 27 28 EXHIBIT "B" SELF-DEALING TRANSACTION DISCLOSURE FORM In order to conduct business with the County of Fresno (hereinafter referred to as "County"), members of a contractor's board of directors (hereinafter referred to as "County Contractor"), must disclose any self-dealing transactions that they are a party to while providing goods, performing services, or both for the County. A self-dealing transaction is defined below: "A self-dealing transaction means a transaction to which the corporation is a party and in which one or more of its directors has a material financial interest" The definition above will be utilized for purposes of completing this disclosure form. INSTRUCTIONS (1) Enter board member's name, job title (if applicable), and date this disclosure is being made. (2) Enter the board member's company/agency name and address. (3) Describe in detail the nature of the self-dealing transaction that is being disclosed to the County. At a minimum, include a description of the following: a. The name of the agency/company with which the corporation has the transaction; and b. The nature of the material financial interest in the Corporation's transaction that the board member has. (4) Describe in detail why the self-dealing transaction is appropriate based on applicable provisions of the Corporations Code. (5) Form must be signed by the board member that is involved in the self-dealing transaction described in Sections (3) and (4). EXHIBIT "B" (1) Company Board Member Information: Name: N/A Date: Job Title: (2) Company/Agency Name and Address: N/A (3)Disclosure(Please describe the nature of the self-dealing transaction you are a party to): N/A (4) Explain why this self-dealing transaction is consistent with the requirements of Corporations Code 5233(a): N/A (5)Authorized Signature Signature: Date: 1 EXHIBIT "C" 2 Data Security 3 1. Definitions 4 Capitalized terms used in this Exhibit C have the meanings set forth in this section 1. 5 (A) "Authorized Employees" mean the Contractor's employees who have access to 6 Personal information. 7 (B) "Authorized Persons" means: (i) any and all Authorized Employees; and (ii) any 8 and all of the Contractor's subcontractors, representatives, agents, outsourcers, and 9 consultants, and providers of professional services to the Contractor, who have access 10 to Personal Information in accordance with the terms of this Exhibit C. 11 (C)"Director" means the County's Director of Human Resources or his or her 12 designee. 13 (D)"Disclose" or any derivative of that word means to disclose, release, transfer, 14 disseminate, or otherwise provide access to or communicate all or any part of any 15 Personal Information orally, in writing, or by electronic or any other means to any person. 16 (E) "Person" means any natural person, corporation, partnership, limited liability 17 company, firm, or association. 18 (F) "Personal Information" means any and all information, including any data, 19 provided, or to which access is provided, that is personal information within the meaning 20 of California Civil Code section 1798.3, subdivision (a), or 1798.80, subdivision (e). 21 Personal information does not include personal health information exempt from the 22 CCPA or publicly available information that is lawfully made available to the general 23 public from federal, state, or local government records. 24 (G)"Privacy Practices Complaint" means a complaint received by the County relating 25 to the Contractor's (or any Authorized Person's) privacy practices, or alleging a Security 26 Breach. Such complaint shall have sufficient detail to enable the Contractor to promptly 27 investigate and take remedial action under this Exhibit C. 28 1 (H)"Security Safeguards" means physical, technical, administrative or organizational 2 security procedures and practices put in place by the Contractor (or any Authorized 3 Persons) that related to the protection of the security, confidentiality, value, or integrity of 4 Personal Information. Security Safeguards shall satisfy the minimal requirements set 5 forth in Section 3(C) of this Exhibit C. 6 (1) "Security Breach" means unauthorized acquisition of computerized data that 7 compromises the security, confidentiality, or integrity of personal information maintained 8 by the agency. Good faith acquisition of personal information by an employee or agent of 9 the agency for the purposes of the agency is not a breach of the security of the system, 10 provided that the personal information is not used or subject to further unauthorized 11 disclosure. 12 (J) "Use" or any derivative of that word means to receive acquire, collect, apply, 13 manipulate, employ, process, transmit, disseminate, access, store, disclose, or dispose 14 of Personal Information 15 16 2. Standard of Care 17 (A) The Contractor acknowledges that, in the course of its engagement by the 18 County under this Agreement, the Contractor, or any Authorized Persons, man Use 19 Personal Information only as permitted in this Agreement, as required by law, or as 20 necessary to administer the Services. 21 (B) The Contractor acknowledges that Personal Information is deemed to be 22 confidential information of, or owned by, the County (or persons from whom the County 23 receives or has received Personal Information) and is not confidential information of, or 24 owned or by, the Contractor, or any Authorized Persons. The Contractor further 25 acknowledges that all right, title, and interest in or to the Personal Information remains in 26 the County (or persons from whom the County receives or has received Personal 27 Information) regardless of the Contractor's, or any Authorized Person's, Use of that 28 Personal Information. 1 (C)The Contractor agrees and covenants in favor of the Country that the Contractor 2 shall: 3 (i) Keep and maintain all Personal Information in strict confidence, using such 4 degree of care under this section 2 as is reasonable and appropriate to avoid 5 a Security Breach; 6 (ii) Use Personal Information exclusively for the purposes for which the Personal 7 Information is made accessible to the Contractor pursuant to the terms of this 8 Agreement and Exhibit C; 9 (iii) Not Use, Disclose, sell, rent, license, or otherwise make available Personal 10 Information for the Contractor's own purposes or for the benefit of anyone 11 other than the County, except for this section C(ii), without the County's 12 express prior written consent, which the County may give or withhold in its 13 sole and absolute discretion; and 14 (D) Notwithstanding the foregoing paragraph, in any case in which the Contractor 15 believes it, or any Authorized Person, is required to disclose Personal Information to 16 government regulatory authorities, or pursuant to a legal proceeding, or otherwise as 17 may be required by applicable law, Contractor shall 18 (i) Immediately notify the County of the specific demand for, and legal authority 19 for the disclosure, including providing County with a copy of any notice, 20 discovery demand, subpoena, or order, as applicable, received by the 21 Contractor, or any Authorized Person, from any government regulatory 22 authorities, or in relation to any legal proceeding, and 23 (ii) Promptly notify the County before such Personal Information is offered by the 24 Contractor for such disclosure so that the County may have sufficient time to 25 obtain a court order or take any other action the County may deem necessary 26 to protect the Personal Information from such disclosure, and the Contractor 27 shall cooperate with the County to minimize the scope of such disclosure of 28 such Personal Information. 1 3. Information Security 2 (A) Both Parties covenant, represent and warrant that any use or disclosure of 3 Personal Information under this Agreement does and will at all times comply with all 4 applicable federal, state, and local privacy and data protection laws, a well as all other 5 applicable regulations and directives, including but not limited to California Civil Code, 6 Division 3, Part 4, Title 1.81 (beginning with section 1798.80), and the Song-Beverly 7 Credit Card Act of 1971 (California Civil Code, Division 3, Part 4, Title 1.3, beginning 8 with section 1747). If the Contractor Uses credit, debit or other payment cardholder 9 information, the Contract shall at all times remain in compliance with the Payment Card 10 Industry Data Security Standard ("PCI DSS") requirements, including remaining aware at 11 all times of changes to the PCI DSS and promptly implementing and maintaining all 12 procedures and practices as may be necessary to remain in compliance with the PIC 13 DSS, in each case, at the Contractor's sole cost and expense. 14 (B) The Contractor covenants, represents and warrants to the County that, as of the 15 effective date of this Agreement, the Contractor has not received notice of any violation 16 of any privacy or data protection laws, as well as any other applicable regulations or 17 directives, and is not the subject of any pending legal action or investigation by, any 18 government regulatory authority regrading same relating to County Personal Information. 19 (C)Without limiting the Contractor's obligations under section 3(A) of this Exhibit C, 20 the Contractor's (or Authorized Person's) Security Safeguard shall be no less rigorous 21 than accepted industry practices and at a minimum, include the following: 22 (i) Limiting Use of Personal Information strictly to the Contractor's and 23 Authorized Persons' technical and administrative personnel who are 24 necessary for the Contractor's, or Authorized Persons', Use of the Personal 25 Information pursuant to this Agreement; 26 (ii) In the event Contractor connects to County's computing systems, such 27 connection will only be through the County's security gateways and firewalls, 28 1 and only through security procedures approved upon the express prior written 2 consent of the Director; 3 (iii) To the extent that the connection to the County's cloud contain or provide 4 access to Personal Information, 5 (a) The Parties shall employ adequate controls and data security measures, both 6 internally and externally to protect 7 (1) The Personal Information from potential loss or misappropriation or 8 unauthorized Use, and 9 (2) The County's operations from disruption; 10 (b) Having and maintaining network, devise application, database and platform 11 security; 12 (c) Maintaining authentication and access controls within media, computing 13 equipment, operating systems, and software applications; and 14 (d) Installing and maintaining in all mobile, wireless, or handheld devises a 15 secure internet connection, having continuously updated anti-virus software 16 protection and a remove wipe feature always enabled; 17 (iv) Encrypting all Personal Information at advance encryption standard of 18 Advanced Encryption Standards (AES) of 128 bit or higher 19 (a) Stored on any mobile devices, including but not limited to hard disks, portable 20 storage devices, or remote installation, or 21 (b) Transmitted over public or wireless networks (the encrypted Personal 22 Information must be subject to password or pass phrase, and be stored on a 23 secure server and transferred by means of a Virtual Private Network (VPN) 24 connection, or another type of secure connection, all of which is subject to 25 express prior written consent of the Director); 26 (v) Logical segregation of Personal Information from all other information of the 27 Contractor, including any Authorized Person, or anyone with whom the 28 1 Contractor any Authorized Person deals so that Personal Information is not 2 commingled with any other types of information; 3 (vi) Having a patch management process including installation of all operating 4 system and software vendor security patches; 5 (vii) Maintaining appropriate personnel security and integrity procedures and 6 practices, including, but not limited to, conducting background checks of 7 Authorized Employees consistent with applicable law; and 8 (viii) Providing appropriate privacy and information security training to Authorized 9 Employees 10 (D) During the term of each Authorized Employee's employment by the Contractor, 11 the Contractor shall cause such Authorized Employees to abide strictly by the 12 Contractor's obligations under this Exhibit C. The Contractor shall maintain a disciplinary 13 process to address any unauthorized Use of Personal Information by any Authorized 14 Employees. 15 (E) The Contractor shall, in a secure manner, backup daily, or more frequently if it is 16 the Contractor's practice to do so more frequently. 17 (F) County may contact naviasecurity(a�-naviabenefits.com twenty-four (24) hours per 18 day, excluding holidays and weekend. 19 (G)The Contractor shall not knowingly include or authorize any Trojan horse, back 20 door, time bomb, drop dead device, worm, virus, or other code of any kind that may 21 disable, erase, display any unauthorized message within, or otherwise impair any 22 County computing system, with or without the intent to cause harm. 23 4. Security Breach Procedures 24 (A) Immediately upon the Contractor's determination of a Security Breach, but no 25 later than five business days, the Contractor shall 26 (i) Notify the Director of the Security Breach by email at the following email 27 address (559) 600— 1801 / HMagill(a_fresnocountyca.gi (which telephone 28 1 number and email address the County may update by providing notice to the 2 Contractor), and 3 (ii) Preserve all relevant evidence (and cause any affected Authorized Person to 4 preserve all relevant evidence) relating to the Security Breach. The 5 notification shall include, to the extent reasonably possible, the identification 6 of each type and the extent of Personal Information that has been, or is 7 reasonably believed to have been, breached, including but not limited to, 8 compromised, or subjected to unauthorized Use, Disclosure, or modification 9 of any loss or destruction, corruption, or damage. 10 (B) Immediately following the Contractor's notification to the County of a Security 11 Breach, as provided pursuant to section 4(A) of this Exhibit C, the Parties shall 12 coordinate with each other to investigate the Security Breach. The Contractor agrees to 13 fully cooperate with the County, including, without limitation: 14 (i) Assisting the County in conducting any investigation; 15 (ii) Providing the County with physical access to the facilities and operations 16 affected; 17 (iii) Facilitating interviews with Authorized Persons and any of the Contractor's 18 other employees knowledgeable of the matter; and 19 (iv) Making available all relevant records, logs, files, data reporting and other 20 materials required to comply with applicable law, regulation, industry 21 standards, or as otherwise reasonably required by the County. To that end, 22 the Contractor shall, with respect to a Security Breach, be solely responsible, 23 at its cost, for all notifications required by law and regulation, or deemed 24 reasonably necessary by the County, and the Contractor shall provide a 25 written report of the investigation and reporting required to the Director within 26 30 days after the Contractor's discovery of the Security Breach. However, if it 27 is determined that the Security Breach was caused by County or County's 28 1 employee or agent then County shall be responsible at its cost, for all 2 notifications required by law and regulation. 3 (C) County shall promptly notify the Contractor of the Director's knowledge, or 4 reasonable belief, of any Privacy Practices Complaint, and upon the Contractor's receipt 5 of that notification, the Contractor shall promptly address such Privacy Practices 6 Complaint, including taking any corrective action under this Exhibit C, all at the 7 Contractor's sole expense, except if such complaint is not due to the acts or omission of 8 Contractor (i.e. due to the acts of the County themselves, a third-party bad actor, or the 9 County's other agent) in accordance with applicable privacy rights, laws, regulations and 10 standards. In the event the Contractor discovers a Security Breach, the Contractor shall 11 treat the Privacy Practices Complaint as a Security Breach. Within 24 hours of the 12 Contractor's receipt of notification of such Privacy Practices Complaint, the Contractor 13 shall notify the County whether the matter is a Security Breach, or otherwise has been 14 corrected and the manner of correction, or determined not to require corrective action 15 and the reason for that determination. 16 (D)The Contractor shall take prompt corrective action to respond to and remedy any 17 Security Breach and take mitigating actions, including but not limiting to, preventing any 18 reoccurrence of the Security Breach and correcting any deficiency in Security Safeguard 19 as a result of such incident, all at the Contractor's sole expense, in accordance with 20 applicable privacy rights, laws, regulations and standards. 21 (E) The Contractor agrees to cooperate, at its sole expense, with the County in any 22 litigation or other action to protect the County's rights relating to Personal Information, 23 including the rights of persons from whom the County receives Personal Information. 24 5. Oversight of Security Compliance 25 (A) The Contractor shall have and maintain a written information security policy that 26 specifies Security Safeguards appropriate to the size and complexity of the Contractor's 27 operations and the nature and scope of its activities. 28 1 (B) Upon the County's written request, to confirm the Contractor's compliance with 2 this Exhibit C, as well as any applicable laws, regulations and industry standards, the 3 Contractor grants the County or, upon the County's election, a third party on the 4 County's behalf, permission to perform an assessment, audit, examination or review of 5 all controls in the Contractor's physical and technical environment in relation to all 6 Personal Information that is Used by the Contractor pursuant to this Agreement. The 7 Contractor shall fully cooperate with such assessment, audit, or examination, as 8 applicable, by providing the County or the third party on the County's behalf, access to 9 all Authorized Employees and other knowledgeable personnel, physical premises, 10 documentation, infrastructure and application software that is Used by the Contractor for 11 Personal Information pursuant to this Agreement, any third-party will execute a 12 confidentiality agreement or business associate agreement with the County to ensure 13 that such information may be shared in compliance with all applicable laws. In addition 14 the Contractor shall provide the County with the results of any audit by or on behalf of 15 the Contractor that assesses the effectiveness of the Contractor's information security 16 program as relevant to the security and confidentiality of Personal Information Used by 17 the Contractor or Authorized Persons during the course of this Agreement under this 18 Exhibit C. 19 (C)The Contractor shall ensure that all Authorized Persons who Use Personal 20 Information agree to the same restrictions and conditions in this Exhibit C that apply to 21 the Contractor with respect to such personal Information by incorporating substantially 22 similar provisions of these provisions into a valid and binding written agreement between 23 the Contractor and such Authorized Persons, or amending any written agreement to 24 provide same. 25 6. Return or Destruction of Personal Information 26 Upon the termination of this Agreement, the Contractor shall, and shall instruct all 27 Authorized Persons to, promptly return to the County all Personal Information, whether in 28 written, electronic or other form or media, in its possession or the possession of such 1 Authorized Persons, in a machine readable form used by the County at the time of such 2 return, or upon the express prior written consent of the Director, securely destroy all such 3 Personal Information, and certify in writing to the County that such Personal Information 4 have been returned to the County or disposed of securely, as applicable. If the Contractor is 5 authorized to dispose of any such Personal Information, as provided in this Exhibit C, such 6 certification shall state the date, time, and manner (including standard) of disposal and by 7 whom, specifying the tile of the individual. The Contractor shall comply with all reasonable 8 direction provided by the Director with respect to the return or disposal of Personal 9 Information and copies of Personal Information. If return or disposal of such Personal 10 Information or copies of Personal Information is not feasible, upon request for destruction or 11 return of the information, the Contractor shall notify the County according, specifying the 12 reason, and continue to extend the protections of this Exhibit C to all such Personal 13 Information and copies of Personal Information. The Contractor shall not retain any copy of 14 any Personal Information after returning or disposing of Personal Information as required by 15 this section 6. The Contractor's obligations upon this section 6 survive the termination of this 16 Agreement and apply to all Personal Information that the Contractor retains if return or 17 disposal is not feasible and to all Personal Information that the Contractor may later 18 discover. 19 7. Equitable Relief 20 The Contractor acknowledges that any breach of its covenants or obligations set forth in 21 this Exhibit C may cause the County irreparable harm for which monetary damages would not 22 be adequate compensation and agrees that, in the event of such breach or threatened breach, 23 the County is entitled to seek equitable relief, including a restraining order, injunctive relief, 24 specific performance and any other relief that may b available from any court, in addition to any 25 other remedy to which the County may be entitled at law or in equity. Such remedies shall not 26 be deemed to be exclusive but shall be in addition to all other remedies available to the County 27 at law or in equity or under this Agreement. 28 8. Indemnity 1 The Contractor shall defend, indemnify and hold harmless the County, its officers, 2 employees, and agents, (each, a "County Indemnitee") from and against any and all 3 infringement of intellectual property including, but not limited to infringement of copyright, 4 trademark, and trade dress, invasion of privacy, information theft, and extortion, unauthorized 5 Use, Disclosure or modification of, or any loss or destruction of, or any corruption of or damage 6 to, personal Information, Security Breach response and remedy costs, credit monitoring 7 expenses, forfeitures, losses, damages, liabilities, deficiencies, actions, judgements, interest, 8 awards, fines, and penalties (including regulatory fines and penalties), costs or expense of 9 whatever kind, including attorneys' fees and costs, the cost of enforcing any right to 10 indemnification or defense under this Exhibit C and the cost of pursuing any insurance 11 providers, (hereinafter referred to as "Damages"), arising out of or resulting from any third party 12 claim or action against any County Indemnitee in relation to the Contractor's, its officers, 13 employees, or agents, or any Authorized Employee's or Authorized Person's, performance or 14 failure to perform under this Exhibit C or arising out of or resulting from the Contractor's failure 15 to comply with any of its obligations under this section 8, except County shall be responsible for 16 any Damages cause by County of County's employees or other agents (i.e. broker, data 17 transmission provider, carrier, or similar vendors or subcontractor). The provisions of this 18 section 8 do not apply to the acts or omissions of the County. The provisions of this section 8 19 are cumulative to any other obligation of the Contractor to, defend, indemnify, or hold harmless 20 any County Indemnitee under this Agreement. 21 9. Survival 22 The respective rights and obligations of the Contractor and the County as stated in this 23 Exhibit C shall survive the termination of this Agreement. 24 10. No Third Party Beneficiary 25 Nothing express or implied in the provisions of in this Exhibit C is intended to confer, nor 26 shall anything in this Exhibit C confer, upon any person other than the County or the Contractor 27 and their respective successors or assignees, any rights, remedies, obligations or liabilities 28 whatsoever. 1 11. No County Warranty 2 The County does not make any warranty or representation whether any Personal 3 Information in the Contractor's (or any Authorized Person's) possession or control, or Use by 4 the Contractor (or any Authorized Person), pursuant to the terms of this Agreement is or will be 5 secure from unauthorized Use, or a Security Breach or Privacy Practices Complaint. 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28