The URL can be used to link to this page

Home My WebLink AboutAgreement A-25-629 with MyWorkplace Inc..pdf Agreement No. 25-629 1 AGREEMENT 2 3 THIS AGREEMENT is made and entered into effective December 9, 2025 , by and 4 between the COUNTY OF FRESNO, hereinafter referred to as"COUNTY", and MyWorkplace, 5 Inc., a Texas corporation, hereinafter referred to as"CONTRACTOR". 6 WITNESSETH: 7 WHEREAS, the COUNTY desires to obtain certain health benefit administrative 8 services, including maintaining benefits and eligibility information, for COUNTY retirees that are 65 9 years of age or older (hereinafter"post-65 retirees"); and 10 WHEREAS, the COUNTY participates in health insurance programs for its employees 11 and pre-65 aged retirees offered through its participation in the San Joaquin Valley Insurance 12 Authority (SJVIA); and 13 WHEREAS, the SJVIA offers additional administrative services including consolidated 14 eligibility and billing services through its separate agreement with CONTRACTOR; and 15 WHEREAS, the COUNTY desires to ensure consistency and efficiency in health 16 benefit administrative services offered through the SJVIA by matching pricing and services for its 17 post-65 retirees; and 18 WHEREAS, the CONTRACTOR represents that it is willing and able to provide the 19 health benefit administrative services as set forth in this Agreement. 20 NOW, THEREFORE, in consideration of the mutual covenants, terms and conditions 21 herein contained, the parties hereto agree as follows: 22 1. OBLIGATIONS OF THE CONTRACTOR 23 A. The CONTRACTOR will provide benefit related management functions as 24 outlined in Exhibit "A", attached hereto and incorporated herein by this reference. 25 B. The CONTRACTOR will provide the COUNTY with general administrative 26 services that include, but are not limited to: 27 1) Furnishing necessary training to assist the COUNTY in utilizing the 28 CONTRACTOR'S services. -1- 1 2) Furnishing the COUNTY with all available information from the 2 CONTRACTOR's records which the COUNTY may need. 3 3) Resolving any issues raised by COUNTY with due diligence. Any 4 questionable enrollment or service requests made by any post-65 retiree will be referred to 5 COUNTY for clarification 6 2. OBLIGATIONS OF THE COUNTY 7 A. The COUNTY is solely responsible for compliance with the Internal 8 Revenue Code and other Federal, State or local laws. 9 B. The COUNTY is solely responsible for the accuracy and integrity of 10 COUNTY data. 11 3. TERM 12 This Agreement shall become effective on the 1st day of January, 2026 and 13 shall terminate on the 31It day of December, 2026. 14 4. TERMINATION 15 A. Non-Allocation of Funds-The terms of this Agreement, and the services to 16 be provided thereunder, are contingent on the approval of funds by the COUNTY. Should 17 sufficient funds not be allocated, the services provided may be modified, or this Agreement 18 terminated, at any time by giving the CONTRACTOR thirty(30) days advance written notice. 19 B. Breach of Contract-The COUNTY may immediately suspend or terminate 20 this Agreement in whole or in part, where in the determination of the COUNTY there is: 21 1) An illegal or improper use of funds; 22 2) A failure to comply with any term of this Agreement; 23 3) A substantially incorrect or incomplete report submitted to the 24 COUNTY, 25 4) Improperly performed service. 26 In no event shall any payment by the COUNTY constitute a waiver by the COUNTY 27 of any breach of this Agreement or any default which may then exist on the part of the 28 CONTRACTOR. Neither shall such payment impair or prejudice any remedy available to the -2- I COUNTY with respect to the breach or default. The COUNTY shall have the right to demand of 2 the CONTRACTOR the repayment to the COUNTY of any funds disbursed to the CONTRACTOR 3 under this Agreement, which in the judgment of the COUNTY were not expended in accordance 4 with the terms of this Agreement. The CONTRACTOR shall promptly refund any such funds upon 5 demand. 6 C. Without Cause - Under circumstances other than those set forth above, 7 this Agreement may be terminated by COUNTY upon the giving of sixty (60) days advance written 8 notice of an intention to terminate to CONTRACTOR. 9 5. COMPENSATION/INVOICING; COUNTY agrees to pay CONTRACTOR and 10 CONTRACTOR agrees to receive compensation as described in Exhibit B, attached hereto and 11 incorporated herein by this reference. The Per Retiree Per Month (PRPM) fee described in 12 Exhibit B will be paid monthly throughout the term of the Agreement per the compiled monthly 13 transmittals prepared by CONTRACTOR for funding disbursement. The PRPM fees are based on 14 the actual number of eligible retirees as determined by the COUNTY. CONTRACTOR will invoice 15 COUNTY for services related to Affordable Care Act reporting as described in Exhibit B. 16 6. OWNERSHIP OF DATA: All data delivered by the COUNTY to 17 CONTRACTOR, or which is created by either party for the COUNTY in connection with the 18 performance of this Agreement, shall be the exclusive property of the COUNTY. CONTRACTOR 19 shall be the custodian of such data and will immediately make such data available to the COUNTY 20 upon request during normal working hours. CONTRACTOR shall return all personnel/payroll raw 21 data collected or generated in connection with the performance of the Agreement within thirty (30) 22 days of the termination of this Agreement and shall not access said data for any purpose other 23 than in connection with the performance of this Agreement. 24 7. HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT 25 A. The parties to this Agreement shall be in strict conformance with all 26 applicable Federal and State of California laws and regulations, including but not limited to 27 Sections 5328, 10850, and 14100.2 et seq. of the Welfare and Institutions Code, Sections 2.1 and 28 431.300 et seq. of Title 42, Code of Federal Regulations (CFR), Section 56 et seq. of the -3- 1 California Civil Code, Sections 11977 and 11812 of Title 22 of the California Code of Regulations, 2 and the Health Insurance Portability and Accountability Act (HIPAA), including but not limited to 3 Section 1320 D et seq. of Title 42, United States Code (USC) and its implementing regulations, 4 including, but not limited to Title 45, CFR, Sections 142, 160, 162, and 164, The Health 5 Information Technology for Economic and Clinical Health Act (HITECH) regarding the 6 confidentiality and security of patient information, and the Genetic Information Nondiscrimination 7 Act(GINA) of 2008 regarding the confidentiality of genetic information. 8 Except as otherwise provided in this Agreement, CONTRACTOR, as a 9 Business Associate of COUNTY, may use or disclose Protected Health Information (PHI)to 10 perform functions, activities or services for or on behalf of COUNTY, as specified in this 11 Agreement, provided that such use or disclosure shall not violate the Health Insurance Portability 12 and Accountability Act (HIPAA), 42 USC 1320d et seq. The uses and disclosures of PHI may not 13 be more expansive than those applicable to COUNTY, as the "Covered Entity" under the HIPAA 14 Privacy Rule (45 CFR 164.500 et seq.), except as authorized for management, administrative or 15 legal responsibilities of the Business Associate. 16 B. CONTRACTOR, including its subcontractors and employees, shall protect, 17 from unauthorized access, use, or disclosure of names and other identifying information, including 18 genetic information, concerning persons receiving services pursuant to this Agreement, except 19 where permitted in order to carry out data aggregation purposes for health care operations [45 20 CFR Sections 164.504 (e)(2)(i), 164.504 (3)(2)(ii)(A), and 164.504 (e)(4)(i)] This pertains to any 21 and all persons receiving services pursuant to a COUNTY funded program. This requirement 22 applies to electronic PHI. CONTRACTOR shall not use such identifying information or genetic 23 information for any purpose other than carrying out CONTRACTOR's obligations under this 24 Agreement. 25 C. CONTRACTOR, including its subcontractors and employees, shall not 26 disclose any such identifying information or genetic information to any person or entity, except as 27 otherwise specifically permitted by this Agreement, authorized by Subpart E of 45 CFR Part 164 28 or other law, required by the Secretary, or authorized by the client/patient in writing. In using or -4- 1 disclosing PHI that is permitted by this Agreement or authorized by law, CONTRACTOR shall 2 make reasonable efforts to limit PHI to the minimum necessary to accomplish intended purpose 3 of use, disclosure or request- 4 D. For purposes of the above sections, identifying information shall include, 5 but not be limited to name, identifying number, symbol, or other identifying particular assigned to 6 the individual, such as finger or voice print, or photograph. 7 E. For purposes of the above sections, genetic information shall include 8 genetic tests of family members of an individual or individual, manifestation of disease or disorder 9 of family members of an individual, or any request for or receipt of, genetic services by individual 10 or family members. Family member means a dependent or any person who is first, second, third, 11 or fourth degree relative. 12 F. CONTRACTOR shall provide access, at the request of COUNTY, and in 13 the time and manner designated by COUNTY, to PHI in a designated record set (as defined in 45 14 CFR Section 164.501), to an individual or to COUNTY in order to meet the requirements of 45 15 CFR Section 164.524 regarding access by individuals to their PHI. With respect to individual 16 requests, access shall be provided within thirty (30) days from request. Access may be extended 17 if CONTRACTOR cannot provide access and provides individual with the reasons for the delay 18 and the date when access may be granted. PHI shall be provided in the form and format 19 requested by the individual or COUNTY. 20 CONTRACTOR shall make any amendment(s) to PHI in a designated record set at 21 the request of COUNTY or individual, and in the time and manner designated by COUNTY in 22 accordance with 45 CFR Section 164.526. 23 CONTRACTOR shall provide to COUNTY or to an individual, in a time and manner 24 designated by COUNTY, information collected in accordance with 45 CFR Section 164.528, to 25 permit COUNTY to respond to a request by the individual for an accounting of disclosures of PHI 26 in accordance with 45 CFR Section 164.528. 27 G. CONTRACTOR shall report to COUNTY, in writing, any knowledge or 28 reasonable belief that there has been unauthorized access, viewing, use, disclosure, security -5- 1 incident, or breach of unsecured PHI not permitted by this Agreement of which it becomes aware, 2 immediately and without reasonable delay and in no case later than two (2) business days of 3 discovery. Immediate notification shall be made to COUNTY's Information Security Officer and 4 Privacy Officer and COUNTY's DPH HIPAA Representative, within two (2) business days of 5 discovery. The notification shall include, to the extent possible, the identification of each individual 6 whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, 7 used, disclosed, or breached. CONTRACTOR shall take prompt corrective action to cure any 8 deficiencies and any action pertaining to such unauthorized disclosure required by applicable 9 Federal and State Laws and regulations. CONTRACTOR shall investigate such breach and is 10 responsible for all notifications required by law and regulation or deemed necessary by COUNTY 11 and shall provide a written report of the investigation and reporting required to COUNTY's 12 Information Security Officer and Privacy Officer and COUNTY's DPH HIPAA Representative. This 13 written investigation and description of any reporting necessary shall be postmarked within the 14 thirty (30) working days of the discovery of the breach to the addresses below: 15 16 County of Fresno County of Fresno County of Fresno Dept. of Public Health Dept. of Public Health Dept. of Internal Services 17 HIPAA Representative Privacy Officer Information Security Officer 18 (559)600-6439 (559) 600-6405 (559)600-5800 P.O. Box 11867 P.O. Box 11867 333 W. Pontiac Way 19 Fresno, CA 93775 Fresno, CA 93775 Clovis, CA 93612 20 21 H. CONTRACTOR shall make its internal practices, books, and records 22 relating to the use and disclosure of PHI received from COUNTY, or created or received by the 23 CONTRACTOR on behalf of COUNTY, in compliance with HIPAA's Privacy Rule, including, but 24 not limited to the requirements set forth in Title 45, CFR, Sections 160 and 164. CONTRACTOR 25 shall make its internal practices, books, and records relating to the use and disclosure of PHI 26 received from COUNTY, or created or received by the CONTRACTOR on behalf of COUNTY, 27 available to the United States Department of Health and Human Services (Secretary) upon 28 demand. -s- 1 CONTRACTOR shall cooperate with the compliance and investigation reviews 2 conducted by the Secretary. PHI access to the Secretary must be provided during the 3 CONTRACTOR's normal business hours, however, upon exigent circumstances access at any 4 time must be granted. Upon the Secretary's compliance or investigation review, if PHI is 5 unavailable to CONTRACTOR and in possession of a Subcontractor, it must certify efforts to 6 obtain the information to the Secretary. 7 I. Safeguards 8 CONTRACTOR shall implement administrative, physical, and technical safeguards 9 as required by the HIPAA Security Rule, Subpart C of 45 CFR 164, that reasonably and 10 appropriately protect the confidentiality, integrity, and availability of PHI, including electronic PHI, 11 that it creates, receives, maintains or transmits on behalf of COUNTY and to prevent unauthorized 12 access, viewing, use, disclosure, or breach of PHI other than as provided for by this Agreement. 13 CONTRACTOR shall conduct an accurate and thorough assessment of the potential risks and 14 vulnerabilities to the confidential, integrity and availability of electronic PHI. CONTRACTOR shall 15 develop and maintain a written information privacy and security program that includes 16 administrative, technical and physical safeguards appropriate to the size and complexity of 17 CONTRACTOR's operations and the nature and scope of its activities. Upon COUNTY's request, 18 CONTRACTOR shall provide COUNTY with information concerning such safeguards. 19 CONTRACTOR shall implement strong access controls and other security 20 safeguards and precautions in order to restrict logical and physical access to confidential, 21 personal (e.g., PHI) or sensitive data to authorized users only. Said safeguards and precautions 22 shall include the following administrative and technical password controls for all systems used to 23 process or store confidential, personal, or sensitive data: 24 1. Passwords must not be: 25 a. Shared or written down where they are accessible or recognizable by 26 anyone else; such as taped to computer screens, stored under keyboards, 27 or visible in a work area; 28 b. A dictionary word; or -7- 1 c. Stored in clear text 2 2. Passwords must be: 3 a. Eight(8) characters or more in length; 4 b. Changed every ninety (90) days; 5 c. Changed immediately if revealed or compromised; and 6 d. Composed of characters from at least three (3) of the following four(4) 7 groups from the standard keyboard: 8 1) Upper case letters (A-Z), 9 2) Lowercase letters (a-z); 10 3) Arabic numerals (0 through 9); and 11 4) Non-alphanumeric characters (punctuation symbols). 12 CONTRACTOR shall implement the following security controls on each workstation 13 or portable computing device (e.g., laptop computer) containing confidential, 14 personal, or sensitive data: 15 1. Network-based firewall and/or personal firewall; 16 2. Continuously updated anti-virus software; and 17 3. Patch management process including installation of all operating 18 systemisoftware vendor security patches. 19 CONTRACTOR shall utilize a commercial encryption solution that has received 20 HIPS 140-2 validation to encrypt all confidential, personal, or sensitive data stored on portable 21 electronic media (including, but not limited to, compact disks and thumb drives) and on portable 22 computing devices (including, but not limited to, laptop and notebook computers). 23 CONTRACTOR shall not transmit confidential, personal, or sensitive data via e-mail 24 or other internet transport protocol unless the data is encrypted by a solution that has been 25 validated by the National Institute of Standards and Technology (NIST) as conforming to the 26 Advanced Encryption Standard (AES) Algorithm. CONTRACTOR must apply appropriate 27 sanctions against its employees who fail to comply with these safeguards. CONTRACTOR must 28 adopt procedures for terminating access to PHI when employment of employee ends. -8- 1 J. Mitigation of Harmful Effects 2 CONTRACTOR shall mitigate, to the extent practicable, any harmful effect that is 3 suspected or known to CONTRACTOR of an unauthorized access, viewing, use, disclosure, or 4 breach of PHI by CONTRACTOR or its subcontractors in violation of the requirements of these 5 provisions. CONTRACTOR must document suspected or known harmful effects and the 6 outcome. 7 K. CONTRACTOR's Subcontractors 8 CONTRACTOR shall ensure that any of its contractors, including subcontractors, if 9 applicable, to whom CONTRACTOR provides PHI received from or created or received by 10 CONTRACTOR on behalf of COUNTY, agree to the same restrictions, safeguards, and conditions 11 that apply to CONTRACTOR with respect to such PHI and to incorporate, when applicable, the 12 relevant provisions of these provisions into each subcontract or sub-award to such agents or 13 subcontractors. 14 L. Employee Training and Discipline 15 CONTRACTOR shall train and use reasonable measures to ensure compliance with 16 the requirements of these provisions by employees who assist in the performance of functions or 17 activities on behalf of COUNTY under this Agreement and use or disclose PHI and discipline such 18 employees who intentionally violate any provisions of these provisions, including termination of 19 employment. 20 M. Termination for Cause 21 Upon COUNTY's knowledge of a material breach of these provisions by 22 CONTRACTOR, COUNTY shall either: 23 1. Provide an opportunity for CONTRACTOR to cure the breach or end the violation 24 and terminate this Agreement if CONTRACTOR does not cure the breach or end 25 the violation within the time specified by COUNTY; or 26 2. Immediately terminate this Agreement if CONTRACTOR has breached a material 27 term of these provisions and cure is not possible. 28 3. If neither cure nor termination is feasible, the COUNTY's Privacy Officer shall -9- 1 report the violation to the Secretary of the U.S. Department of Health and Human 2 Services. 3 N. Judicial or Administrative Proceedings 4 COUNTY may terminate this Agreement in accordance with the terms and 5 conditions of this Agreement as written hereinabove, ifs (1) CONTRACTOR is found guilty in a 6 criminal proceeding for a violation of the HIPAA Privacy or Security Laws or the HITECH Act; or 7 (2) there is a finding or stipulation that the CONTRACTOR has violated a privacy or security 8 standard or requirement of the HITECH Act, HIPAA or other security or privacy laws in an 9 administrative or civil proceeding in which the CONTRACTOR is a party. 10 0. Effect of Termination 11 Upon termination or expiration of this Agreement for any reason, CONTRACTOR 12 shall return or destroy all PHI received from COUNTY (or created or received by CONTRACTOR 13 on behalf of COUNTY) that CONTRACTOR still maintains in any form, and shall retain no copies 14 of such PHI. If return or destruction of PHI is not feasible, it shall continue to extend the 15 protections of these provisions to such information, and limit further use of such PHI to those 16 purposes that make the return or destruction of such PHI infeasible. This provision shall apply to 17 PHI that is in the possession of subcontractors or agents, if applicable, of CONTRACTOR. If 18 CONTRACTOR destroys the PHI data, a certification of date and time of destruction shall be 19 provided to the COUNTY by CONTRACTOR. 20 P. Disclaimer 21 COUNTY makes no warranty or representation that compliance by CONTRACTOR 22 with these provisions, the HITECH Act, HIPAA or the HIPAA regulations will be adequate or 23 satisfactory for CONTRA CTOR's own purposes or that any information in CONTRACTOR's 24 possession or control, or transmitted or received by CONTRACTOR, is or will be secure from 25 unauthorized access, viewing, use, disclosure, or breach. CONTRACTOR is solely responsible 26 for all decisions made by CONTRACTOR regarding the safeguarding of PHI. 27 Q. Amendment 28 The parties acknowledge that Federal and State laws relating to electronic data -10- 1 security and privacy are rapidly evolving and that amendment of these provisions may be required 2 to provide for procedures to ensure compliance with such developments. The parties specifically 3 agree to take such action as is necessary to amend this agreement in order to implement the 4 standards and requirements of HIPAA, the HIPAA regulations, the HITECH Act and other 5 applicable laws relating to the security or privacy of PHI. COUNTY may terminate this Agreement 6 upon thirty (30) days written notice in the event that CONTRACTOR does not enter into an 7 amendment providing assurances regarding the safeguarding of PHI that COUNTY in its sole 8 discretion, deems sufficient to satisfy the standards and requirements of HIPAA, the HIPAA 9 regulations and the HITECH Act. 10 R. No Third-Party Beneficiaries 11 Nothing express or implied in the terms and conditions of these provisions is intended to confer, 12 nor shall anything herein confer, upon any person other than COUNTY or CONTRACTOR and 13 their respective successors or assignees, any rights; remedies, obligations or liabilities 14 whatsoever. 15 S. Interpretation 16 The terms and conditions in these provisions shall be interpreted as broadly as 17 necessary to implement and comply with HIPAA, the HIPAA regulations and applicable State 18 laws. The parties agree that any ambiguity in the terms and conditions of these provisions shall be 19 resolved in favor of a meaning that complies and is consistent with HIPAA and the HIPAA 20 regulations. 21 T. Regulatory References 22 A reference in the terms and conditions of these provisions to a section in the 23 HIPAA regulations means the section as in effect or as amended. 24 U. Survival 25 The respective rights and obligations of CONTRACTOR as stated in this Section 26 shall survive the termination or expiration of this Agreement. 27 V. No Waiver of Obligations 28 No change, waiver or discharge of any liability or obligation hereunder on any one or -11- 1 more occasions shall be deemed a waiver of performance of any continuing or other obligation, or 2 shall prohibit enforcement of any obligation on any other occasion. 3 8. INDEPENDENT CONTRACTOR: In performance of the work, duties and 4 obligations assumed by CONTRACTOR under this Agreement, it is mutually understood and 5 agreed that CONTRACTOR, including any and all of the CONTRACTOR'S officers, agents, and 6 employees will at all times be acting and performing as an independent contractor, and shall act in 7 an independent capacity and not as an officer, agent, servant, employee, joint venturer, partner, or 8 associate of the COUNTY. Furthermore, COUNTY shall have no right to control or supervise or 9 direct the manner or method by which CONTRACTOR shall perform its work and function. 10 However, COUNTY shall retain the right to administer this Agreement so as to verify that 11 CONTRACTOR is performing its obligations in accordance with the terms and conditions thereof. 12 CONTRACTOR and COUNTY shall comply with ail applicable provisions of 13 law and the rules and regulations, if any, of governmental authorities having jurisdiction over 14 matters the subject thereof. 15 Because of its status as an independent contractor, CONTRACTOR shall have 16 absolutely no right to employment rights and benefits available to COUNTY employees. 17 CONTRACTOR shall be solely liable and responsible for providing to, or on behalf of, its 18 employees all legally-required employee benefits. In addition, CONTRACTOR shall be solely 19 responsible and save COUNTY harmless from all matters relating to payment of 20 CONTRACTOR'S employees, including compliance with Social Security withholding and all other 21 regulations governing such matters. It is acknowledged that during the term of this Agreement, 22 CONTRACTOR may be providing services to others unrelated to the COUNTY or to this 23 Agreement. 24 9. MODIFICATION: Any matters of this Agreement may be modified from time to 25 time by the written consent of all the parties without, in any way, affecting the remainder. 26 10. NON-ASSIGNMENT: Neither party may assign, transfer or sub-contract this 27 Agreement nor their rights or duties under this Agreement without the prior written consent of the 28 other party. -12- 1 11. HOLD HARMLESS: The Contractor shall indemnify and hold harmless and 2 defend the County (including its officers, agents, employees, and volunteers) against all claims, 3 demands, injuries, damages, costs, expenses (including attorney fees and costs), fines, penalties, 4 and liabilities of any kind to the County, the Contractor, or any third party that arise from or relate 5 to the performance or failure to perform by the Contractor(or any of its officers, agents, 6 subcontractors, or employees) under this Agreement. The County may conduct or participate in its 7 own defense without affecting the Contractor's obligation to indemnify and hold harmless or 8 defend the County. 9 The provisions of this Section 11 shall survive termination of this Agreement. 10 12. INSURANCE 11 A. Required Insurance 12 Without limiting the COUNTY's right to obtain indemnification from 13 CONTRACTOR or any third parties, CONTRACTOR, at its sole expense, shall maintain in full 14 force and effect, the following insurance policies or a program of self-insurance, including but not 15 limited to, an insurance pooling arrangement or Joint Powers Agreement (JPA)throughout the 16 term of the Agreement: 17 1. Commercial General Liability 18 Commercial General Liability Insurance with limits of not less than Two 19 Million Dollars ($2,000,000) per occurrence and an annual aggregate of Four Million Dollars 20 ($4,000,000). This policy shall be issued on a per occurrence basis. COUNTY may require 21 specific coverages including completed operations, products liability, contractual liability, 22 Explosion-Collapse-Underground, fire legal liability or any other liability insurance deemed 23 necessary because of the nature of this contract. 24 2. Professional Liability 25 If CONTRACTOR employs licensed professional staff, (e.g., Ph.D., R.N., 26 L.C.S.W., M.F.C.C.) in providing services, Professional Liability Insurance with limits of not less 27 than One Million Dollars ($1,000,000.00) per occurrence, Three Million Dollars ($3,000,000.00) 28 annual aggregate. -13- 1 3. Worker's Compensation 2 A policy of Worker's Compensation insurance as may be required by the 3 California Labor Code. 4 4. Technology Professional Liability (Errors and Omissions,) 5 Technology professional liability (errors and omissions) insurance with limits 6 of not less than Five Million Dollars ($5,000,000.00) annual aggregate. Coverage shall 7 encompass all of the CONTRACTOR's duties and obligations that are the subject of this 8 Agreement. Coverage shall include, but not be limited to, any and all claims, damages, costs, 9 fees, regulatory fines and penalties, or forms of legal action involving Cyber Risks_ 10 5. Cyber Liability 11 Cyber liability insurance with limits of not less than Five Million Dollars 12 ($5,000,000.00) annual aggregate. Coverage shall include, but not be limited to, any and all 13 claims, damages, costs, fees, regulatory fines and penalties, or forms of legal action involving 14 Cyber Risks. The cyber liability policy shall be endorsed to cover the full replacement value of, 15 damage to, alteration of, loss of, theft of, ransom of, or destruction of intangible property 16 (including but not limited to information or data) that is in the care, custody, or control of 17 CONTRACTOR. 18 6. Employer Liability 19 Employer's liability insurance with limits of not less than One Million Dollars 20 ($1,000,000) per occurrence for bodily injury and for disease. 21 For purposes of the technology professional liability insurance and the 22 cyber liability insurance required under this Agreement, Cyber Risks include, but are not limited 23 to, (i) security breaches, which include disclosure of, whether intentional or unintentional, 24 information provided by COUNTY, information provided by or obtained from any employee, or 25 personal-identifying information relating to any employee, to an unauthorized third party; (ii) 26 breach of any of CONTRACTOR's obligations under this Agreement relating to data security, 27 protection, preservation, usage, storage, transmission, and the like; (iii) infringement of 28 intellectual property including, but not limited to, infringement of copyright, trademark, and trade -14- 1 dress; (iv) invasion of privacy, including any release of private information; (v) information theft 2 by any person or entity, whatsoever; (vi) damage to or destruction or alteration of electronic 3 information; (vii) extortion related to CONTRACTOR's obligations under this Agreement 4 regarding electronic information, including information provided by COUNTY, information 5 provided by or obtained from any employee, or personal-identifying information relating to any 6 employee; (viii) network security; (ix) data breach response costs, including security breach 7 response costs; (x) regulatory fines and penalties related to CONTRACTOR's obligations under 8 this Agreement regarding electronic information, including information provided by COUNTY, 9 information provided by or obtained from an employee, or personal-identifying information 10 relating to any employee; and (xi) credit monitoring expenses. 11 B. Additional Requirements Relating to Insurance 12 CONTRACTOR shall obtain endorsements to the Commercial General Liability 13 insurance naming the COUNTY, its officers, agents, and employees, individually and collectively, 14 as additional insured, but only insofar as the operations under this Agreement are concerned. 15 Such coverage for additional insured shall apply as primary insurance and any other insurance, or 16 self-insurance, maintained by COUNTY, its officers, agents and employees shall be excess only 17 and not contributing with insurance provided under CONTRACTOR's policies herein. This 18 insurance shall not be cancelled or changed without a minimum of thirty (30) days advance written 19 notice given to COUNTY. 20 CONTRACTOR hereby waives its right to recover from COUNTY, its officers, 21 agents, and employees any amounts paid by the policy of worker's compensation insurance 22 required by this Agreement. CONTRACTOR is solely responsible to obtain any endorsement to 23 such policy that may be necessary to accomplish such waiver of subrogation, but 24 CONTRACTOR's waiver of subrogation under this paragraph is effective whether or not 25 CONTRACTOR obtains such an endorsement. 26 Within thirty (30) days from the date CONTRACTOR signs and executes this 27 Agreement, CONTRACTOR shall provide certificates of insurance and endorsement as stated 28 above for all of the foregoing policies, as required herein, to the COUNTY, (Hollis Magill, Director -15- 1 of Human Resources, 2220 Tulare Street, 16t" Floor, Fresno, CA 93721), stating that such 2 insurance coverage have been obtained and are in full force; that the COUNTY, officers, agents 3 and employees will not be responsible for any premiums on the policies; that for such worker's 4 compensation insurance that CONTRACTOR has waived its right to recover from the COUNTY, 5 its officers, agents and employees any amounts paid under the insurance policy and that waiver 6 does not invalidate the insurance policy; that such Commercial General Liability insurance names 7 the COUNTY, its officers, agents and employees, individually and collectively, as additional 8 insured, but only insofar as the operations under this Agreement are concerned, that such 9 coverage for additional insured shall apply as primary insurance and any other insurance, or 10 self-insurance, maintained by COUNTY, its officers, agents and employees, shall be excess only 11 and not contributing with insurance provided under CONTRACTORS policies herein; and that this 12 insurance shall not be cancelled or changed without a minimum of thirty (30) days advance, 13 written notice given to COUNTY. 14 In the event CONTRACTOR fails to keep in effect at all times insurance 15 coverage as herein provided, the COUNTY may, in addition to other remedies it may have, 16 suspend or terminate this Agreement upon the occurrence of such event. 17 All policies shall be with admitted insurers licensed to do business in the State 18 of California. Insurance purchased shall be purchased from companies possessing a current A.M. 19 Best, Inc. rating of A FSC VII or better. 20 13. AUDITS AND INSPECTIONS: The CONTRACTOR shall at any time during 21 business hours, and as often as the COUNTY may deem necessary, make available to the 22 COUNTY for examination all of its records and data with respect to the matters covered by this 23 Agreement. The CONTRACTOR shall, upon request by the COUNTY, permit the COUNTY to 24 audit and inspect all of such records and data necessary to ensure CONTRACTOR'S compliance 25 with the terms of this Agreement. 26 If this Agreement exceeds ten thousand dollars ($10,000.00), CONTRACTOR 27 shall be subject to the examination and audit of the Auditor General for a period of three (3) years 28 after final payment under contract (Government Code Section 8546.7). -16- 1 14. NOTICES: The persons and their addresses having authority to give and 2 receive notices under this Agreement include the following- 3 COUNTY CONTRACTOR 4 Hollis Magill, Greg Kinder, President/CEO Director of Human Resources MyyWorkplace, Inc. 5 2220 Tulare Street, 16th Floor 400 N. Loop 1604 East, Suite 110 Fresno, CA 93721 San Antonio, TX 78232 6 7 All notices between the COUNTY and CONTRACTOR provided for or 8 permitted under this Agreement must be in writing and delivered either by personal service, by 9 first-class United States mail, by an overnight commercial courier service, or by telephonic 10 facsimile transmission. A notice delivered by personal service is effective upon service to the 11 recipient. A notice delivered by first-class United States mail is effective three COUNTY business 12 days after deposit in the United States mail, postage prepaid, addressed to the recipient. A notice 13 delivered by an overnight commercial courier service is effective one COUNTY business day after 14 deposit with the overnight commercial courier service, delivery fees prepaid, with delivery 15 instructions given for next day delivery, addressed to the recipient. A notice delivered by 16 telephonic facsimile is effective when transmission to the recipient is completed (but, if such 17 transmission is completed outside of COUNTY business hours, then such delivery shall be 18 deemed to be effective at the next beginning of a COUNTY business day), provided that the 19 sender maintains a machine record of the completed transmission. For all claims arising out of or 20 related to this Agreement, nothing in this section establishes, waives, or modifies any claims 21 presentation requirements or procedures provided by law, including but not limited to the 22 Government Claims Act (Division 3.6 of Title 1 of the Government Code, beginning with section 23 810). 24 15. GOVERNING LAW: Venue for any action arising out of or related to this 25 Agreement shall only be in Fresno County, California. 26 The rights and obligations of the parties and all interpretation and performance of 27 this Agreement shall be governed in all respects by the laws of the State of California. 28 -17- 1 16. DISCLOSURE OF SELF-DEALING TRANSACTIONS: This provision is only 2 applicable if the CONTRACTOR is operating as a corporation (a for-profit or non-profit 3 corporation) or if during the term of the agreement, the CONTRACTOR changes its status to 4 operate as a corporation. 5 Members of the CONTRACTOR's Board of Directors shall disclose any self- 6 dealing transactions that they are a party to while CONTRACTOR is providing goods or 7 performing services under this agreement. A self-dealing transaction shall mean a transaction to 8 which the CONTRACTOR is a party and in which one or more of its directors has a material 9 financial interest. Members of the Board of Directors shall disclose any self-dealing transactions 10 that they are a party to by completing and signing a Self-Dealing Transaction Disclosure Form, 11 attached hereto as Exhibit C and incorporated herein by reference, and submitting it to the 12 COUNTY prior to commencing with the self-dealing transaction or immediately thereafter. 13 17. ENTIRE AGREEMENT: This Agreement constitutes the entire agreement 14 between the CONTRACTOR and COUNTY with respect to the subject matter hereof and 15 supersedes all previous Agreement negotiations, proposals, commitments, writings, 16 advertisements, publications, and understanding of any nature whatsoever unless expressly 17 included in this Agreement. 18 19 20 21 22 23 24 25 26 27 28 -18- 1 IN WITNESS WHEREOF, the parties hereto have executed this Agreement as of the 2 day and year first hereinabove written. 3 CONTRACTOR COUNTY OF FRESNO 4 5 ��.C% By: ByC- 6 Greg Kinder Ernest Buddy Mend6ir — President Chairman of the Board of Supervisors of 7 the County of Fresno 8 Date: b A Date. _ l a ��l a 0,9- 9 10 ATTEST: 11 Bernice E. Seidel Clerk of the Board of Supervisors 12 County of Fresno, State of California 13 14 15 By. 16 Deputy 17 18 19 20 21 FOR ACCOUNTING USE ONLY: 22 Fund No: 1060 23 Subclass: 10000 ORG No: 89250200 24 Account No: 7185 25 26 27 28 i i 1 EXHIBIT "A" 2 CONTRACTOR will provide health benefit administrative services for COUNTY post- 3 65 retirees to include the following; 4 1. Myworkplace.net access—self service 5 2. System technical support to end users 6 3. Produce Eligibility Electronic Data Interface (EDI) files to carriers 7 4. Weekly COBRA data feed to Navia Benefit Solutions, Inc. (Navia) 8 5. EDI Monitoring and discrepancy resolution with carriers 9 6. Multiple eligibility/billing scheme management and closings 10 7. Retiree pension deduction imports and premium applications 11 8. Compile transmittal worksheets and accounting breakouts 12 9. Assist with reconciliation of member accounts and benefits that appear on accounting 13 discrepancy reports 14 10.Manual PGP Encryption and SFTP of all files uploaded/downloaded 15 11 . Full ad-hoc requests from COUNTY staff, Navia, and consultant (e.g. custom queries, etc.) 16 12. Import retiree pension deductions into SQL tables and perform monthly comparisons to 17 eligibility; take query results and compile a change file for Fresno County Employee 18 Retirement Association to send to State Street Bank for retiree deduction processing 19 13.Modify Myworkplace.net benefit setups at renewal to comply with changes made by 20 COUNTY for new plan years 21 14.At plan year changes, complete any employee/dependent data migrations necessary 22 within database to meet plan year changes 23 15. Review and break down rates provided by COUNTY consultant into component pieces 24 necessary for completing transmittals; work with consultant to verify rate breakouts, and 25 provide approved premiums and breakouts to COUNTY and Navia 26 16.Input new plan year rates into Myworkplace.net rate tables 27 17.Coordinate and complete programming required to support new carriers and/or benefit 28 changes for EDI transmittals -20- 1 18.Provide Affordable Care Act required health insurance reporting to the IRS, by preparation 2 and filing of 1094C/1095C forms with the IRS 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 -21- 1 EXHIBIT "B" 2 COUNTY will compensate CONTRACTOR for services provided as follows: 3 1. Compensation to CONTRACTOR for retiree eligibility services to COUNTY's post-65 4 retirees shall be paid as follows: 5 a. For post-65 retirees enrolled in the Retiree First plan a fee of$2.75 PRPM. 6 b. For post-65 retirees enrolled in the Kaiser Medicare plans a fee of$2.75 PRPM. 7 2. Compensation to CONTRACTOR for preparation and filing of 1094C/1095C forms with 8 the IRS as required under the Affordable Care Act shall be paid as follows- 9 a. For preparation and filing of each 1094C/1095C form a fee of$3.60 perform. 10 b. CONTRACTOR's printing and mailing of each 1094C/1095C form will be 11 reimbursed at CONTRACTOR's actual cost, but in no event to exceed $1.25 per 12 form. 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 -22- EXHIBIT "C" SELF-DEALING TRANSACTION DISCLOSURE FORM in order to conduct business with the County of Fresno(hereinafter referred to as "County"), members of a contractor's board of directors (hereinafter referred to as "County Contractor"), must disclose any self-dealing transactions that they are a party to while providing goods, performing services, or both for the County. A self-dealing transaction is defined below: "A self-dealing transaction means a transaction to which the corporation is a party and in which one or more of its directors has a material financial interest" The definition above will be utilized for purposes of completing this disclosure form. INSTRUCTIONS (1) Enter board member's name,job title (if applicable), and date this disclosure is being made. (2) Enter the board member's company/agency name and address. (3) Describe in detail the nature of the self-dealing transaction that is being disclosed to the County. At a minimum, include a description of the following: a. The name of the agency/company with which the corporation has the transaction; and b. The nature of the material financial interest in the Corporation's transaction that the board member has. (4) Describe in detail why the self-dealing transaction is appropriate based on applicable provisions of the Corporations Code. (5) Form must be signed by the board member that is involved in the self-dealing transaction described in Sections(3) and (4). -23- EXHIBIT "C" (1)Company Board Member Information: Name: 'Gregory Kinder Date: Job Title: President (2)Company/Agency Dame and Address: NA (3)Disclosure(Please describe the nature of the self-dealing transaction you are a party to): NA (4)Explain why this self-dealing transaction is consistent with the requirements of Corporations Code 5233(a): NA (5)Authorized signat re Signature: i- Date: -24- 1 EXHIBIT "D" 2 Data Security 3 1. Definitions 4 Capitalized terms used in this Exhibit D have the meanings set forth in this section 1. 5 (A) "Authorized Employees" means the Contractor's employees who have access to 6 Personal Information. 7 (B) "Authorized Persons" means: (i) any and all Authorized Employees, and (ii) any and 8 all of the Contractor's subcontractors, representatives, agents, outsourcers, and consultants, and 9 providers of professional services to the Contractor, who have access to Personal Information 10 and are bound by law or in writing by confidentiality obligations sufficient to protect Personal 11 Information in accordance with the terms of this Exhibit D. 12 (C) "Director" means the County's Director of Human Resources or his or her designee. 13 (D) "Disclose" or any derivative of that word means to disclose, release, transfer, 14 disseminate, or otherwise provide access to or communicate all or any part of any Personal 15 Information orally, in writing, or by electronic or any other means to any person. 16 (E) "Person" means any natural person, corporation, partnership, limited liability 17 company, firm, or association. 18 (F) "Personal Information" means any and all information, including any data, provided, 19 or to which access is provided, to the Contractor by or upon the authorization of the County, 20 under this Agreement, including but not limited to vital records, that: (i) identifies, describes, or 21 relates to, or is associated with, or is capable of being used to identify, describe, or relate to, or 22 associate with, a person (including, without limitation, names, physical descriptions, signatures, 23 addresses, telephone numbers, a-mail addresses, education, financial matters, employment 24 history, and other unique identifiers, as well as statements made by or attributable to the person); 25 (ii) is used or is capable of being used to authenticate a person (including, without limitation, 26 employee identification numbers, government-issued identification numbers, passwords or 27 personal identification numbers (PINs), financial account numbers, credit report information, 28 answers to security questions, and other personal identifiers); or(iii) is personal information within -25- I the meaning of California Civil Code section 1798.3, subdivision (a), or 1798.80, subdivision (e). 2 Personal Information does not include publicly available information that is lawfully made 3 available to the general public from federal, state, or local government records. 4 (G) "Privacy Practices Complaint" means a complaint received by the County relating to 5 the Contractor's (or any Authorized Person's) privacy practices, or alleging a Security Breach. 6 Such complaint shall have sufficient detail to enable the Contractor to promptly investigate and 7 take remedial action under this Exhibit D. 8 (H) "Security Safeguards" means physical, technical, administrative or organizational 9 security procedures and practices put in place by the Contractor (or any Authorized Persons) that 10 relate to the protection of the security, confidentiality, value, or integrity of Personal Information. 11 Security Safeguards shall satisfy the minimal requirements set forth in section 3(C) of this Exhibit 12 D. 13 (1) "Security Breach" means (i) any act or omission that compromises either the security, 14 confidentiality, value, or integrity of any Personal Information or the Security Safeguards, or (ii) 15 any unauthorized Use, Disclosure, or modification of, or any loss or destruction of, or any 16 corruption of or damage to, any Personal Information. 17 (J) "Use" or any derivative of that word means to receive, acquire, collect, apply, 18 manipulate, employ, process, transmit, disseminate, access, store, disclose, or dispose of 19 Personal information. 20 2. Standard of Care 21 (A) The Contractor acknowledges that, in the course of its engagement by the County 22 under this Agreement, the Contractor, or any Authorized Persons, may Use Personal Information 23 only as permitted in this Agreement. 24 (B) The Contractor acknowledges that Personal Information is deemed to be confidential 25 information of, or owned by, the County (or persons from whom the County receives or has 26 received Personal Information) and is not confidential information of, or owned or by, the 27 Contractor, or any Authorized Persons. The Contractor further acknowledges that all right, title, 28 and interest in or to the Personal Information remains in the County (or persons from whom the -26- I 1 County receives or has received Personal Information) regardless of the Contractor's, or any 2 Authorized Person's, Use of that Personal Information. 3 (C) The Contractor agrees and covenants in favor of the Country that the Contractor 4 shall: 5 (i) keep and maintain all Personal Information in strict confidence, using such degree of 6 care under this section 2 as is reasonable and appropriate to avoid a Security Breach; 7 (i i) Use Personal Information exclusively for the purposes for which the Personal 8 Information is made accessible to the Contractor pursuant to the terms of this Exhibit D; 9 (iii) not Use, Disclose, sell, rent, license, or otherwise make available Personal 10 Information for the Contractor's own purposes or for the benefit of anyone other than the County, 11 without the County's express prior written consent, which the County may give or withhold in its 12 sole and absolute discretion; and 13 (iv) not, directly or indirectly, Disclose Personal Information to any person (an 14 "Unauthorized Third Party") other than Authorized Persons pursuant to this Agreement, without 15 the Director's express prior written consent. 16 (D) Notwithstanding the foregoing paragraph, in any case in which the Contractor 17 believes it, or any Authorized Person, is required to disclose Personal Information to government 18 regulatory authorities, or pursuant to a legal proceeding, or otherwise as may be required by 19 applicable law, Contractor shall (i) immediately notify the County of the specific demand for, and 20 legal authority for the disclosure, including providing County with a copy of any notice, discovery 21 demand, subpoena, or order, as applicable, received by the Contractor, or any Authorized 22 Person, from any government regulatory authorities, or in relation to any legal proceeding, and (ii) 23 promptly notify the County before such Personal Information is offered by the Contractor for such 24 disclosure so that the County may have sufficient time to obtain a court order or take any other 25 action the County may deem necessary to protect the Personal Information from such disclosure, 26 and the Contractor shall cooperate with the County to minimize the scope of such disclosure of 27 such Personal Information. 28 (E) The Contractor shall remain liable to the County for the actions and omissions of any -27- 1 Unauthorized Third Party concerning its Use of such Personal Information as if they were the 2 Contractor's own actions and omissions. 3 3. Information Security 4 (A) The Contractor covenants, represents and warrants to the County that the 5 Contractor's Use of Personal Information under this Agreement does and will at all times comply 6 with all applicable federal, state, and local, privacy and data protection laws, as well as all other 7 applicable regulations and directives, including but not limited to California Civil Code, Division 3, 8 Part 4, Title 1.81 (beginning with section 1798.80), and the Song-Beverly Credit Card Act of 1971 9 (California Civil Code, Division 3, Part 4, Title 1.3, beginning with section 1747). If the Contractor 10 Uses credit, debit or other payment cardholder information, the Contractor shall at all times 11 remain in compliance with the Payment Card Industry Data Security Standard ("PCI DSS") 12 requirements, including remaining aware at all times of changes to the PCI DSS and promptly 13 implementing and maintaining all procedures and practices as may be necessary to remain in 14 compliance with the PCI DSS, in each case, at the Contractor's sole cost and expense. 15 (B) The Contractor covenants, represents and warrants to the County that, as of the 16 effective date of this Agreement, the Contractor has not received notice of any violation of any 17 privacy or data protection laws, as well as any other applicable regulations or directives, and is 18 not the subject of any pending legal action or investigation by, any government regulatory 19 authority regarding same. 20 (C) Without limiting the Contractor's obligations under section 3(A) of this Exhibit D, the 21 Contractor's (or Authorized Person's) Security Safeguards shall be no less rigorous than 22 accepted industry practices and, at a minimum, include the following: 23 (i) limiting Use of Personal information strictly to the Contractor's and Authorized 24 Persons' technical and administrative personnel who are necessary for the Contractor's, or 25 Authorized Persons', Use of the Personal Information pursuant to this Agreement; 26 (ii) ensuring that all of the Contractor's connectivity to County computing systems will 27 only be through the County's security gateways and firewalls, and only through security 28 procedures approved upon the express prior written consent of the Director; -28- 1 (iii) to the extent that they contain or provide access to Personal Information, (a) securing 2 business facilities, data centers, paper files, servers, back-up systems and computing equipment, 3 operating systems, and software applications, including, but not limited to, all mobile devices and 4 other equipment, operating systems, and software applications with information storage 5 capability; (b) employing adequate controls and data security measures, both internally and 6 externally, to protect (1) the Personal Information from potential loss or misappropriation, or 7 unauthorized Use, and (2)the County's operations from disruption and abuse; (c) having and 8 maintaining network, device application, database and platform security; (d) maintaining 9 authentication and access controls within media, computing equipment, operating systems, and 10 software applications; and (e) installing and maintaining in all mobile, wireless, or handheld 11 devices a secure internet connection, having continuously updated anti-virus software protection 12 and a remote wipe feature always enabled, all of which is subject to express prior written consent 13 of the Director; 14 (iv) encrypting all Personal Information at advance encryption standards of Advanced 15 Encryption Standards (AES) of 128 bit or higher (a) stored on any mobile devices, including but 16 not limited to hard disks, portable storage devices, or remote installation, or(b) transmitted over 17 public or wireless networks (the encrypted Personal Information must be subject to password or 18 pass phrase, and be stored on a secure server and transferred by means of a Virtual Private 19 Network (VPN) connection, or another type of secure connection, all of which is subject to 20 express prior written consent of the Director); 21 (v) strictly segregating Personal Information from all other information of the Contractor, 22 including any Authorized Person, or anyone with whom the Contractor or any Authorized Person 23 deals so that Personal Information is not commingled with any other types of information; 24 (vi) having a patch management process including installation of all operating system 25 and software vendor security patches; 26 (vii) maintaining appropriate personnel security and integrity procedures and practices, 27 including, but not limited to, conducting background checks of Authorized Employees consistent 28 with applicable law; and -29- I (viii) providing appropriate privacy and information security training to Authorized 2 Employees. 3 (D) During the term of each Authorized Employee's employment by the Contractor, the 4 Contractor shall cause such Authorized Employees to abide strictly by the Contractor's 5 obligations under this Exhibit D. The Contractor shall maintain a disciplinary process to address 6 any unauthorized Use of Personal Information by any Authorized Employees. 7 (E) The Contractor shall, in a secure manner, backup daily, or more frequently if it is the 8 Contractor's practice to do so more frequently, Personal Information received from the County, 9 and the County shall have immediate, real time access, at all times, to such backups via a 10 secure, remote access connection provided by the Contractor, through the Internet. 11 (F) The Contractor shall provide the County with the name and contact information for 12 each Authorized Employee (including such Authorized Employee's work shift, and at least one 13 alternate Authorized Employee for each Authorized Employee during such work shift)who shall 14 serve as the County's primary security contact with the Contractor and shall be available to assist 15 the County twenty-four(24) hours per day, seven (7) days per week as a contact in resolving the 16 Contractor's and any Authorized Persons' obligations associated with a Security Breach or a 17 Privacy Practices Complaint. 18 (G) The Contractor shall not knowingly include or authorize any Trojan Horse, back door, 19 time bomb, drop dead device, worm, virus, or other code of any kind that may disable, erase, 20 display any unauthorized message within, or otherwise impair any County computing system, 21 with or without the intent to cause harm. 22 4. Security Breach Procedures 23 (A) Immediately upon the Contractor's awareness or reasonable belief of a Security 24 Breach, the Contractor shall (i) notify the Director of the Security Breach, such notice to be given 25 first by telephone at the following telephone number, followed promptly by email at the following 26 email address: (559) 600-1801 / HMagill@fresnocountyca.gov (which telephone number and 27 email address the County may update by providing notice to the Contractor), and (N) preserve all 28 relevant evidence (and cause any affected Authorized Person to preserve all relevant evidence) -30- 1 relating to the Security Breach. The notification shall include, to the extent reasonably possible, 2 the identification of each type and the extent of Personal Information that has been, or is 3 reasonably believed to have been, breached, including but not limited to, compromised, or 4 subjected to unauthorized Use, Disclosure, or modification, or any loss or destruction, corruption, 5 or damage. 6 (B) Immediately following the Contractor's notification to the County of a Security Breach, 7 as provided pursuant to section 4(A) of this Exhibit D, the Parties shall coordinate with each other 8 to investigate the Security Breach. The Contractor agrees to fully cooperate with the County, 9 including, without limitation: 10 (i) assisting the County in conducting any investigation; 11 (ii) providing the County with physical access to the facilities and operations affected; 12 (iii) facilitating interviews with Authorized Persons and any of the Contractor's other 13 employees knowledgeable of the matter; and 14 (iv) making available all relevant records, logs, files, data reporting and other materials 15 required to comply with applicable law, regulation, industry standards, or as otherwise reasonably 16 required by the County. 17 To that end, the Contractor shall, with respect to a Security Breach, be solely responsible, at its 18 cost, for all notifications required by law and regulation, or deemed reasonably necessary by the 19 County, and the Contractor shall provide a written report of the investigation and reporting 20 required to the Director within 30 days after the Contractor's discovery of the Security Breach. 21 (C) County shall promptly notify the Contractor of the Director's knowledge, or 22 reasonable belief, of any Privacy Practices Complaint, and upon the Contractor's receipt of that 23 notification, the Contractor shall promptly address such Privacy Practices Complaint, including 24 taking any corrective action under this Exhibit D, all at the Contractor's sole expense, in 25 accordance with applicable privacy rights, laws, regulations and standards. In the event the 26 Contractor discovers a Security Breach, the Contractor shall treat the Privacy Practices 27 Complaint as a Security Breach. Within 24 hours of the Contractor's receipt of notification of such 28 Privacy Practices Complaint, the Contractor shall notify the County whether the matter is a -31- I Security Breach, or otherwise has been corrected and the manner of correction, or determined 2 not to require corrective action and the reason for that determination. 3 (D) The Contractor shall take prompt corrective action to respond to and remedy any 4 Security Breach and take mitigating actions, including but not limiting to, preventing any 5 reoccurrence of the Security Breach and correcting any deficiency in Security Safeguards as a 6 result of such incident, all at the Contractor's sole expense, in accordance with applicable privacy 7 rights, laws, regulations and standards. The Contractor shall reimburse the County for all 8 reasonable costs incurred by the County in responding to, and mitigating damages caused by, 9 any Security Breach, including all costs of the County incurred relation to any litigation or other 10 action described section 4(E) of this Exhibit D. 11 (E) The Contractor agrees to cooperate, at its sole expense, with the County in any 12 litigation or other action to protect the County's rights relating to Personal Information, including 13 the rights of persons from whom the County receives Personal Information. 14 5. Oversight of Security Compliance 15 (A) The Contractor shall have and maintain a written information security policy that 16 specifies Security Safeguards appropriate to the size and complexity of the Contractor's 17 operations and the nature and scope of its activities. 18 (B) Upon the County's written request, to confirm the Contractor's compliance with this 19 Exhibit D, as well as any applicable laws, regulations and industry standards, the Contractor 20 grants the County or, upon the County's election, a third party on the County's behalf, permission 21 to perform an assessment, audit, examination or review of all controls in the Contractor's physical 22 and technical environment in relation to all Personal Information that is Used by the Contractor f 23 pursuant to this Agreement. The Contractor shall fully cooperate with such assessment, audit or 24 examination, as applicable, by providing the County or the third party on the County's behalf, 25 access to all Authorized Employees and other knowledgeable personnel, physical premises, 26 documentation, infrastructure and application software that is Used by the Contractor for 27 Personal Information pursuant to this Agreement. In addition, the Contractor shall provide the 28 County with the results of any audit by or on behalf of the Contractor that assesses the I� k -32- 1 effectiveness of the Contractor's information security program as relevant to the security and 2 confidentiality of Personal Information Used by the Contractor or Authorized Persons during the 3 course of this Agreement under this Exhibit D. 4 (C) The Contractor shall ensure that all Authorized Persons who Use Personal 5 Information agree to the same restrictions and conditions in this Exhibit D that apply to the 6 Contractor with respect to such Personal Information by incorporating the relevant provisions of 7 these provisions into a valid and binding written agreement between the Contractor and such 8 Authorized Persons, or amending any written agreements to provide same. 9 6. Return or Destruction of Personal Information. Upon the termination of this 10 Agreement, the Contractor shall, and shall instruct all Authorized Persons to, promptly return to 11 the County all Personal Information, whether in written, electronic or other form or media, in its 12 possession or the possession of such Authorized Persons, in a machine readable form used by 13 the County at the time of such return, or upon the express prior written consent of the Director, 14 securely destroy all such Personal Information, and certify in writing to the County that such 15 Personal Information have been returned to the County or disposed of securely, as applicable. If 16 the Contractor is authorized to dispose of any such Personal Information, as provided in this 17 Exhibit D, such certification shall state the date, time, and manner (including standard) of disposal 18 and by whom, specifying the title of the individual. The Contractor shall comply with all 19 reasonable directions provided by the Director with respect to the return or disposal of Personal 20 Information and copies of Personal Information. If return or disposal of such Personal Information 21 or copies of Personal Information is not feasible, the Contractor shall notify the County according, 22 specifying the reason, and continue to extend the protections of this Exhibit D to all such 23 Personal Information and copies of Personat Information. The Contractor shall not retain any 24 copy of any Personal Information after returning or disposing of Personal Information as required 25 by this section 6. The Contractor's obligations under this section 6 survive the termination of this 26 Agreement and apply to all Personal Information that the Contractor retains if return or disposal is 27 not feasible and to all Personal Information that the Contractor may later discover. 28 7. Equitable Relief. The Contractor acknowledges that any breach of its covenants or -33- 1 obligations set forth in this Exhibit D may cause the County irreparable harm for which monetary 2 damages wou;d not be adequate compensation and agrees that, in the event of such breach or 3 threatened breach, the County is entitled to seek equitable relief, including a restraining order, 4 injunctive relief, specific performance and any other relief that may be available from any court, in 5 addition to any other remedy to which the County may be entitled at law or in equity_ Such 6 1 remedies shall not be deemed to be exclusive but shall be in addition to all other remedies 7 available to the County at law or in equity or under this Agreement. 8 8. Indemnity. The Contractor shall defend, indemnify and hold harmless the County, its 9 officers, employees, and agents, (each, a "County Indemnitee")from and against any and all 10 infringement of intellectual property including, but not limited to infringement of copyright, 11 trademark, and trade dress, invasion of privacy, information theft, and extortion, unauthorized 12 Use, Disclosure, or modification of, or any loss or destruction of, or any corruption of or damage 13 to, Personal Information, Security Breach response and remedy costs, credit monitoring 14 expenses, forfeitures; losses, damages, liabilities, deficiencies, actions, judgments, interest, 15 awards, fines and penalties (including regulatory fines and penalties), costs or expenses of 16 whatever kind, including attorneys' fees and costs, the cost of enforcing any right to 17 indemnification or defense under this Exhibit D and the cost of pursuing any insurance providers, 18 arising out of or resulting from any third party claim or action against any County Indemnitee in 19 relation to the Contractor's, its officers, employees, or agents, or any Authorized Employee's or 20 Authorized Person's, performance or failure to perform under this Exhibit D or arising out of or 21 resulting from the Contractor's failure to comply with any of its obligations under this section 8. 22 The provisions of this section 8 do not apply to the acts or omissions of the County. The 23 provisions of this section 8 are cumulative to any other obligation of the Contractor to, defend, 24 indemnify, or hold harmless any County Indemnitee under this Agreement. The provisions of this 25 section 8 shall survive the termination of this Agreement. 26 9. Survival. The respective rights and obligations of the Contractor and the County as 27 stated in this Exhibit D shall survive the termination of this Agreement. 28 10. No Third Party Beneficiary. Nothing express or implied in the provisions of in this -34- I Exhibit D is intended to confer, nor shall anything in this Exhibit D confer, upon any person other 2 than the Canty or the Contractor and their resoectme successors or assignees, any rights, 3 remedies, obligations or liabilities whatsoever. 4 11. No County Warranty. The County does not make any warranty or representation 5 whether any Personal Information in the Contractor's (or any Authorized Person's) possession or 6 control, or Use by the Contractor(or any Authorized Person), pursuant to the terms of this 7 Agreement is or will be secure from unauthorized Use, or a Security Breach or Privacy Practices 8 Complaint. 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 -3&