The URL can be used to link to this page

Home My WebLink AboutAgreement A-20-394 with Troncore LLC 2.pdf-1- 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 A G R E E M E N T THIS AGREEMENT (“Agreement”) is made and entered into this day of October, 2020, by and between the COUNTY OF FRESNO, a political subdivision of the State of California, ("COUNTY"), and Troncore, LLC., a Delaware limited liability company, whose address is 31789 Country View Road, Temecula, California, 92591, ("CONTRACTOR"). W I T N E S S E T H: WHEREAS, COUNTY requires an outside vendor to perform internal and external penetration testing for COUNTY’s Information Technology network and infrastructure; WHEREAS, COUNTY issued RFP 20-031 for IT Security Auditing Services, and CONTRACTOR was selected as the respondent best able to provide the requested services; and WHEREAS, COUNTY and CONTRACTOR desire to enter into an agreement for IT Security Auditing and Testing services. NOW, THEREFORE, in consideration of the mutual covenants, terms and conditions herein contained, the parties hereto agree as follows: 1.OBLIGATIONS OF THE CONTRACTOR A.IT Security Services CONTRACTOR will provide the COUNTY with IT Security Auditing Services, including, but not limited to the following: i.Assess, evaluate, attempt to safely penetrate, and test the targeted systems as described below, using the methodologies described in CONTRACTOR’s response to RFP, which have been incorporated into the Scope of Work, attached as Exhibit A. A more comprehensive and detailed Statement of Work (SOW) will be developed by CONTRACTOR and COUNTY staff to be approved in writing by the Director of Internal Services/Chief Information Officer or his or her designee prior to the start of the penetration test. 6th Agreement No. 20-394 -2- 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ii.Deliver to the COUNTY a full reporting of CONTRACTOR’s findings, as described on pages 30 and 31 of Exhibit A. B.Subsequent Services CONTRACTOR shall perform additional IT Security Services for the duration of this Agreement, as defined in subsequent Statements of Work (SOW). All such SOWs shall be approved in writing by the Director of Internal Services/Chief Information Officer or his or her designee. C.Sensitive Information CONTRACTOR will be made privy to sensitive Information Technology security information in the course of performing the services described in this Agreement. CONTRACTOR shall make all reasonable efforts to keep such information confidential. All reporting data shall be encrypted in transit and at rest. All data shall be destroyed per the applicable records retention policy. 2.OBLIGATIONS OF THE COUNTY A.COUNTY agrees to provide all reasonable access, information, and support required by CONTRACTOR to accomplish the assessment and testing services described above in Section 1. 3.TERM The term of this Agreement shall be for a period of three (3) years, commencing on October 6, 2020, through and including October 5, 2023. This Agreement may be extended for two (2) additional consecutive twelve (12) month periods upon written approval of both parties no later than thirty (30) days prior to the first day of the next twelve (12) month extension period. The Director of Internal Services/Chief Information Officer or his or her designee is authorized to execute such written approval on behalf of COUNTY based on CONTRACTOR’S satisfactory performance. 4.TERMINATION A.Non-Allocation of Funds - The terms of this Agreement, and the services to be provided hereunder, are contingent on the approval of funds by the appropriating government agency. Should sufficient funds not be allocated, the services provided may be modified, or this Agreement terminated, at any time by giving the CONTRACTOR thirty (30) days advance written notice. B.Breach of Contract - The COUNTY may immediately suspend or terminate this -3- 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 Agreement in whole or in part, where in the determination of the COUNTY there is: 1)An illegal or improper use of funds; 2)A failure to comply with any term of this Agreement; 3)A substantially incorrect or incomplete report submitted to the COUNTY; 4)Improperly performed service. In no event shall any payment by the COUNTY constitute a waiver by the COUNTY of any breach of this Agreement or any default which may then exist on the part of the CONTRACTOR. Neither shall such payment impair or prejudice any remedy available to the COUNTY with respect to the breach or default. The COUNTY shall have the right to demand of the CONTRACTOR the repayment to the COUNTY of any funds disbursed to the CONTRACTOR under this Agreement, which in the judgment of the COUNTY were not expended in accordance with the terms of this Agreement. The CONTRACTOR shall promptly refund any such funds upon demand. C.Without Cause - Under circumstances other than those set forth above, this Agreement may be terminated by COUNTY by giving thirty (30) days advance written notice of an intention to terminate to CONTRACTOR. 5.COMPENSATION/INVOICING: COUNTY agrees to pay CONTRACTOR and CONTRACTOR agrees to receive compensation as follows: For each engagement of CONTRACTOR’s Services, a Statement of Work shall be prepared according to the following rates and approved by the Contract Administrator before work begins: Type of Staff Cost per Hour Principle Consultant $150.00 Project Manager $125.00 CONTRACTOR shall submit invoices via email to ISDBusinessOffice@FresnoCountyCA.gov or to the Internal Services Business Office at 333 W. Pontiac Way, Clovis, CA 93612. In no event shall compensation paid for services performed under this Agreement exceed $315,000 during the five (5) year term of this Agreement. It is understood that all expenses incidental to CONTRACTOR'S performance of services under this Agreement shall be borne by CONTRACTOR. -4- 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 6. INDEPENDENT CONTRACTOR: In performance of the work, duties and obligations assumed by CONTRACTOR under this Agreement, it is mutually understood and agreed that CONTRACTOR, including any and all of the CONTRACTOR'S officers, agents, and employees will at all times be acting and performing as an independent contractor, and shall act in an independent capacity and not as an officer, agent, servant, employee, joint venturer, partner, or associate of the COUNTY. Furthermore, COUNTY shall have no right to control or supervise or direct the manner or method by which CONTRACTOR shall perform its work and function. However, COUNTY shall retain the right to administer this Agreement so as to verify that CONTRACTOR is performing its obligations in accordance with the terms and conditions thereof. CONTRACTOR and COUNTY shall comply with all applicable provisions of law and the rules and regulations, if any, of governmental authorities having jurisdiction over matters the subject thereof. Because of its status as an independent contractor, CONTRACTOR shall have absolutely no right to employment rights and benefits available to COUNTY employees. CONTRACTOR shall be solely liable and responsible for providing to, or on behalf of, its employees all legally-required employee benefits. In addition, CONTRACTOR shall be solely responsible and save COUNTY harmless from all matters relating to payment of CONTRACTOR'S employees, including compliance with Social Security withholding and all other regulations governing such matters. It is acknowledged that during the term of this Agreement, CONTRACTOR may be providing services to others unrelated to the COUNTY or to this Agreement. 7. MODIFICATION: Any matters of this Agreement may be modified from time to time by the written consent of all the parties without, in any way, affecting the remainder. 8. NON-ASSIGNMENT: Neither party shall assign, transfer or sub-contract this Agreement nor their rights or duties under this Agreement without the prior written consent of the other party. 9. HOLD HARMLESS: CONTRACTOR agrees to indemnify, save, hold harmless, and at COUNTY'S request, defend the COUNTY, its officers, agents, and employees from any and all costs and expenses (including attorney’s fees and costs), damages, liabilities, claims, and losses occurring or resulting to COUNTY in connection with the performance, or failure to perform, by CONTRACTOR, its officers, agents, or employees under this Agreement, and from any and all costs and expenses (including attorney’s fees and costs), damages, liabilities, claims, and losses occurring or resulting to any person, firm, -5- 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 or corporation who may be injured or damaged by the performance, or failure to perform, of CONTRACTOR, its officers, agents, or employees under this Agreement. The provisions of this Section 9 shall survive termination of this Agreement. 10.INSURANCE A.Required Policies Without limiting the COUNTY’s right to obtain indemnification from CONTRACTOR or any third parties, CONTRACTOR, at its sole expense, shall maintain in full force and effect the following insurance policies throughout the term of the Agreement: i.Commercial General Liability. Commercial general liability insurance with limits of not less than One Million Dollars ($1,000,000) per occurrence and an annual aggregate of Two Million Dollars ($2,000,000). This policy must be issued on a per occurrence basis. CONTRACTOR shall obtain an endorsement to this policy naming the County of Fresno, its officers, agents, employees, and volunteers, individually and collectively, as additional insureds, but only insofar as the operations under this Agreement are concerned. Such coverage for additional insureds will apply as primary insurance and any other insurance, or self-insurance, maintained by COUNTY is excess only and not contributing with insurance provided under CONTRACTOR’s policy. ii.Automobile Liability. Automobile liability insurance with limits of not less than One Million Dollars ($1,000,000) per occurrence for bodily injury and for property damages. Coverage must include any auto used in connection with this Agreement. iii.Workers Compensation. Workers compensation insurance as required by the California Labor Code. iv.Technology Professional Liability. Technology professional liability (errors and omissions) insurance with limits of not less than One Million Dollars ($1,000,000) per occurrence. Coverage must encompass all of CONTRACTOR’s obligations under this Agreement, including but not limited to claims involving Cyber Risks. v.Cyber Liability. Cyber liability insurance with limits of not less than One Million Dollars ($1,000,000) per occurrence. Coverage must include, but not be limited to, claims involving Cyber Risks. The cyber liability policy must be endorsed to cover the full replacement value of -6- 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 damage to, alteration of, loss of, or destruction of intangible property (including but not limited to information or data) that is in the care, custody, or control of CONTRACTOR. vi. Definition of Cyber Risks. “Cyber Risks” include but are not limited to (i) Security Breaches, which may include Disclosure of Personal Information to an Unauthorized Third Party; (ii) breach of any of CONTRACTOR’s obligations under Exhibit B to this Agreement, “Data Security”, which is attached and incorporated by this reference; (iii) infringement of intellectual property, including but not limited to infringement of copyright, trademark, and trade dress; (iv) invasion of privacy, including release of private information; (v) information theft; (vi) damage to or destruction or alteration of electronic information; (vii) extortion related to CONTRACTOR’s obligations under this Agreement regarding electronic information, including Personal Information; (viii) network security; (ix) data breach response costs, including Security Breach response costs; (x) regulatory fines and penalties related to CONTRACTOR’s obligations under this Agreement regarding electronic information, including Personal Information; and (xi) credit monitoring expenses. Capitalized terms in this paragraph have the meaning given to them in Exhibit B, “Data Security.” B. Additional Requirements Relating to Insurance i. Verification of Coverage. Within 30 days after this Agreement has been signed by both CONTRACTOR and COUNTY, CONTRACTOR shall deliver, or cause its broker or producer to deliver, to the ISD Business Office at 333 W. Pontiac Way, Clovis, CA 93612, or at ISDBusinessOffice@fresnocountyca.gov copies of insurance policies as produced by the broker or producer, and certificates of insurance and endorsements for all of the coverages required under this Agreement. CONTRACTOR shall provide verification of coverage within 30 days after each SOW is signed as described in Section 1.B. a. All insurance certificates must state that: (1) the insurance coverage has been obtained and is in full force; (2) COUNTY, its officers, agents, employees, and volunteers are not responsible for any premiums on the policy; and (3) CONTRACTOR has waived its right to recover from COUNTY, its officers, agents, employees, and volunteers any amounts paid under any insurance policy required by this Agreement and that waiver does not invalidate the insurance policy. -7- 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 b.The commercial general liability insurance certificate must also state that: (1) the COUNTY, its officers, agents, employees, and volunteers, individually and collectively, are additional insureds insofar as the operations under this Agreement are concerned; (2) the coverage shall apply as primary insurance and any other insurance, or self-insurance, maintained by COUNTY shall be excess only and not contributing with insurance provided under CONTRACTOR’s policy. c.The automobile liability insurance certificate must state that the policy covers any auto used in connection with this Agreement. d.The technology professional liability insurance certificate must also state that coverage encompasses all of CONTRACTOR’s obligations under this Agreement, including but not limited to claims involving Cyber Risks, as that term is defined in this Agreement. e.The cyber liability insurance certificate must also state that it is endorsed to cover the full replacement value of damage to, alteration of, loss of, or destruction of intangible property (including but not limited to information or data) that is in the care, custody, or control of CONTRACTOR. ii.Acceptability of Insurers. All insurance policies required under this Agreement must be issued by admitted insurers licensed to do business in the State of California and possessing at all times during the term of this Agreement an A.M. Best, Inc. rating of A:VII or greater. iii.Notice of Cancellation of Coverage. For the duration of each SOW as described in Section 1, for each insurance policy required under this Agreement, CONTRACTOR shall provide to COUNTY, or ensure that the policy requires the insurer to provide to COUNTY, written notice of any cancellation or change in the policy as required in this paragraph. For cancellation of the policy for nonpayment of premium, CONTRACTOR shall, or shall cause the insurer to, provide written notice to COUNTY not less than 10 days in advance of cancellation. For cancellation of the policy for any other reason, and for any other change to the policy, CONTRACTOR shall, or shall cause the insurer to, provide written notice to -8- 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 COUNTY not less than 30 days in advance of cancellation or change. COUNTY in its sole discretion may determine that the failure of CONTRACTOR or its insurer to timely provide a written notice required by this paragraph is a breach of this Agreement. iv.COUNTY’s Entitlement to Greater Coverage. If CONTRACTOR has or obtains insurance with broader coverage, higher limits, or both, than what is required under this Agreement, then COUNTY is not entitled to the broader coverage. v.Waiver of Subrogation. CONTRACTOR waives its right to recover from COUNTY, its officers, agents, employees, and volunteers any amounts paid under the policy of worker’s compensation insurance required by this Agreement. CONTRACTOR is solely responsible to obtain any policy endorsement that may be necessary to accomplish that waiver, but CONTRACTOR’s waiver of subrogation under this paragraph is effective whether or not CONTRACTOR obtains such an endorsement. vi.County’s Remedy for Contractor’s Failure to Maintain. If CONTRACTOR fails to keep in effect at all times any insurance coverage required under this Agreement, COUNTY may, in addition to any other remedies it may have, suspend or terminate this Agreement upon the occurrence of that failure, or purchase such insurance coverage, and charge the cost of that coverage to CONTRACTOR. COUNTY may offset such charges against any amounts owed by COUNTY to CONTRACTOR under this Agreement. 11.HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT A.The parties to this Agreement shall be in strict conformance with all applicable Federal and State of California laws and regulations, including but not limited to Sections 5328, 10850, and 14100.2 et seq. of the Welfare and Institutions Code, Sections 2.1 and 431.300 et seq. of Title 42, Code of Federal Regulations (CFR), Section 56 et seq. of the California Civil Code, and the Health Insurance Portability and Accountability Act (HIPAA), including but not limited to Section 1320 D et seq. of Title 42, United States Code (USC) and its implementing regulations, including, but not limited to Title 45, CFR, Sections 142, 160, 162, and 164, The Health Information Technology for Economic and Clinical Health Act (HITECH) regarding the confidentiality and security of patient information and the Genetic Information Nondiscrimination Act (GINA) of 2008 regarding the confidentiality of genetic -9- 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 information. Except as otherwise provided in this Agreement, CONTRACTOR, as a Business Associate of COUNTY, may use or disclose Protected Health Information (PHI) to perform functions, activities or services for or on behalf of COUNTY, as specified in this Agreement, provided that such use or disclosure shall not violate the HIPAA, USC 1320d et seq. The uses and disclosures of PHI may not be more expansive than those applicable to COUNTY, as the “Covered Entity” under the HIPAA Privacy Rule (45 CFR 164.500 et seq), except as authorized for management, administrative or legal responsibilities of the Business Associate. B.CONTRACTOR, including its subcontractors and employees, shall protect, from unauthorized access, use, or disclosure of names and other identifying information, including genetic information, concerning persons receiving services pursuant to this Agreement, except where permitted in order to carry out data aggregation purposes for health care operations [45 CFR Sections 164.504 (e)(2)(i), 164.504 (3)(2)(ii)(A), and 164.504 (e)(4)(i)]. This pertains to any and all persons receiving services pursuant to a COUNTY funded program. This requirement applies to electronic PHI. CONTRACTOR shall not use such identifying information or genetic information for any purpose other than carrying out CONTRACTOR’s obligations under this Agreement. C.CONTRACTOR, including its subcontractors and employees, shall not disclose any such identifying information or genetic information to any person or entity, except as otherwise specifically permitted by this Agreement, authorized by Subpart E of 45 CFR Part 164 or other law, required by the Secretary, or authorized by the client/patient in writing. In using or disclosing PHI that is permitted by this Agreement or authorized by law, CONTRACTOR shall make reasonable efforts to limit PHI to the minimum necessary to accomplish intended purpose of use, disclosure or request. D.For purposes of the above sections, identifying information shall include, but not be limited to name, identifying number, symbol, or other identifying particular assigned to the individual, such as finger or voice print, or a photograph. E.For purposes of the above sections, genetic information shall include genetic tests of family members of an individual or individual, manifestation of disease or disorder of family -10- 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 members of an individual, or any request for or receipt of, genetic services by individual or family members. Family member means a dependent or any person who is first, second, third, or fourth degree relative. F.CONTRACTOR shall provide access, at the request of COUNTY, and in the time and manner designated by COUNTY, to PHI in a designated record set (as defined in 45 CFR Section 164.501), to an individual or to COUNTY in order to meet the requirements of 45 CFR Section164.524 regarding access by individuals to their PHI. With respect to individual requests, access shall be provided within thirty (30) days from request. Access may be extended if CONTRACTOR cannot provide access and provide individual with the reasons for the delay and the date when access may be granted. PHI shall be provided in the form and format requested by the individual or COUNTY. CONTRACTOR shall make any amendment(s) to PHI in a designated record set at the request of COUNTY, or individual, and in the time and manner designated by COUNTY in accordance with 45 CFR Section 164.526. CONTRACTOR shall provide to COUNTY or to an individual, in a time and manner designated by COUNTY, information collected in accordance with 45 CFR Section 164.528, to permit COUNTY to respond to a request by the individual for an accounting of disclosures of PHI in accordance with 45 CFR Section 164.528. G.CONTRACTOR shall report to COUNTY, in writing, any knowledge or reasonable belief that there has been unauthorized access, viewing, use, disclosure, security incident, or breach of unsecured PHI not permitted by this Agreement of which it becomes aware, immediately and without reasonable delay and in no case later than two (2) business days of discovery. Immediate notification shall be made to COUNTY’s Information Security Officer and Privacy Officer and COUNTY’s DBH HIPAA Representative, within two (2) business days of discovery. The notification shall include, to the extent possible, the identification of each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, disclosed, or breached. CONTRACTOR shall take prompt corrective action to cure any deficiencies and any action -11- 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 pertaining to such unauthorized disclosure required by applicable Federal and State Laws and regulations. CONTRACTOR shall investigate such breach and is responsible for all notifications required by law and regulation or deemed necessary by COUNTY and shall provide a written report of the investigation and reporting required to COUNTY’s Information Security Officer and Privacy Officer and COUNTY’s DBH HIPAA Representative. This written investigation and description of any reporting necessary shall be postmarked within the thirty (30) working days of the discovery of the breach to the addresses below: County of Fresno County of Fresno County of Fresno Department of Behavioral Health Dept. of Public Health Information Technology Services HIPAA Representative Privacy Officer Information Security Officer (559) 600-6798 (559) 600-6405 (559) 600-5800 3147 N. Millbrook Ave (559) 600-6439 333 W. Pontiac Way Fresno, CA 93703 P.O. Box 11867 Clovis, CA 93612 Fresno, CA 93721 H. CONTRACTOR shall make its internal practices, books, and records relating to the use and disclosure of PHI received from COUNTY, or created or received by the CONTRACTOR on behalf of COUNTY, in compliance with HIPAA’s Privacy Rule, including, but not limited to the requirements set forth in Title 45, CFR, Sections 160 and 164. CONTRACTOR shall make its internal practices, books, and records relating to the use and disclosure of PHI received from COUNTY, or created or received by the CONTRACTOR on behalf of COUNTY, available to the United States Department of Health and Human Services (Secretary) upon demand. CONTRACTOR shall cooperate with the compliance and investigation reviews conducted by the Secretary. PHI access to the Secretary must be provided during the CONTRACTOR’s normal business hours, however, upon exigent circumstances access at any time must be granted. Upon the Secretary’s compliance or investigation review, if PHI is unavailable to CONTRACTOR and in possession of a Subcontractor, it must certify efforts to obtain the information to the Secretary. I. Safeguards CONTRACTOR shall implement administrative, physical, and technical safeguards as -12- 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 required by the HIPAA Security Rule, Subpart C of 45 CFR 164, that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI, including electronic PHI, that it creates, receives, maintains or transmits on behalf of COUNTY and to prevent unauthorized access, viewing, use, disclosure, or breach of PHI other than as provided for by this Agreement. CONTRACTOR shall conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidential, integrity and availability of electronic PHI. CONTRACTOR shall develop and maintain a written information privacy and security program that includes administrative, technical and physical safeguards appropriate to the size and complexity of CONTRACTOR’s operations and the nature and scope of its activities. Upon COUNTY’s request, CONTRACTOR shall provide COUNTY with information concerning such safeguards. CONTRACTOR shall implement strong access controls and other security safeguards and precautions in order to restrict logical and physical access to confidential, personal (e.g., PHI) or sensitive data to authorized users only. Said safeguards and precautions shall include the following administrative and technical password controls for all systems used to process or store confidential, personal, or sensitive data: 1.Passwords must not be: a.Shared or written down where they are accessible or recognizable by anyone else; such as taped to computer screens, stored under keyboards, or visible in a work area; b.A dictionary word; or c.Stored in clear text 2.Passwords must be: a.Eight (8) characters or more in length; b.Changed every ninety (90) days; c.Changed immediately if revealed or compromised; and d.Composed of characters from at least three of the following four groups from the standard keyboard: 1)Upper case letters (A-Z); -13- 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 2)Lowercase letters (a-z); 3)Arabic numerals (0 through 9); and 4)Non-alphanumeric characters (punctuation symbols). CONTRACTOR shall implement the following security controls on each workstation or portable computing device (e.g., laptop computer) containing confidential, personal, or sensitive data: 1.Network-based firewall and/or personal firewall; 2.Continuously updated anti-virus software; and 3.Patch management process including installation of all operating system/software vendor security patches. CONTRACTOR shall utilize a commercial encryption solution that has received FIPS 140-2 validation to encrypt all confidential, personal, or sensitive data stored on portable electronic media (including, but not limited to, compact disks and thumb drives) and on portable computing devices (including, but not limited to, laptop and notebook computers). CONTRACTOR shall not transmit confidential, personal, or sensitive data via e-mail or other internet transport protocol unless the data is encrypted by a solution that has been validated by the National Institute of Standards and Technology (NIST) as conforming to the Advanced Encryption Standard (AES) Algorithm. CONTRACTOR must apply appropriate sanctions against its employees who fail to comply with these safeguards. CONTRACTOR must adopt procedures for terminating access to PHI when employment of employee ends. J.Mitigation of Harmful Effects CONTRACTOR shall mitigate, to the extent practicable, any harmful effect that is suspected or known to CONTRACTOR of an unauthorized access, viewing, use, disclosure, or breach of PHI by CONTRACTOR or its subcontractors in violation of the requirements of these provisions. CONTRACTOR must document suspected or known harmful effects and the outcome. K.CONTRACTOR’s Subcontractors CONTRACTOR shall ensure that any of its contractors, including subcontractors, if applicable, to whom CONTRACTOR provides PHI received from or created or received by CONTRACTOR on behalf of COUNTY, agree to the same restrictions, safeguards, and conditions that apply to CONTRACTOR with -14- 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 respect to such PHI and to incorporate, when applicable, the relevant provisions of these provisions into each subcontract or sub-award to such agents or subcontractors. L.Employee Training and Discipline CONTRACTOR shall train and use reasonable measures to ensure compliance with the requirements of these provisions by employees who assist in the performance of functions or activities on behalf of COUNTY under this Agreement and use or disclose PHI and discipline such employees who intentionally violate any provisions of these provisions, including termination of employment. M.Termination for Cause Upon COUNTY’s knowledge of a material breach of these provisions by CONTRACTOR, COUNTY shall either: 1.Provide an opportunity for CONTRACTOR to cure the breach or end the violation and terminate this Agreement if CONTRACTOR does not cure the breach or end the violation within the time specified by COUNTY; or 2.Immediately terminate this Agreement if CONTRACTOR has breached a material term of these provisions and cure is not possible. 3.If neither cure nor termination is feasible, the COUNTY Privacy Officer shall report the violation to the Secretary of the U.S. Department of Health and Human Services. N.Judicial or Administrative Proceedings COUNTY may terminate this Agreement in accordance with the terms and conditions of this Agreement as written hereinabove, if: (1) CONTRACTOR is found guilty in a criminal proceeding for a violation of the HIPAA Privacy or Security Laws or the HITECH Act; or (2) a finding or stipulation that the CONTRACTOR has violated a privacy or security standard or requirement of the HITECH Act, HIPAA or other security or privacy laws in an administrative or civil proceeding in which the CONTRACTOR is a party. O.Effect of Termination Upon termination or expiration of this Agreement for any reason, CONTRACTOR shall return or destroy all PHI received from COUNTY (or created or received by CONTRACTOR on behalf of COUNTY) -15- 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 that CONTRACTOR still maintains in any form, and shall retain no copies of such PHI. If return or destruction of PHI is not feasible, it shall continue to extend the protections of these provisions to such information, and limit further use of such PHI to those purposes that make the return or destruction of such PHI infeasible. This provision shall apply to PHI that is in the possession of subcontractors or agents, if applicable, of CONTRACTOR. If CONTRACTOR destroys the PHI data, a certification of date and time of destruction shall be provided to the COUNTY by CONTRACTOR. P.Disclaimer COUNTY makes no warranty or representation that compliance by CONTRACTOR with these provisions, the HITECH Act, HIPAA or the HIPAA regulations will be adequate or satisfactory for CONTRACTOR’s own purposes or that any information in CONTRACTOR’s possession or control, or transmitted or received by CONTRACTOR, is or will be secure from unauthorized access, viewing, use, disclosure, or breach. CONTRACTOR is solely responsible for all decisions made by CONTRACTOR regarding the safeguarding of PHI. Q.Amendment The parties acknowledge that Federal and State laws relating to electronic data security and privacy are rapidly evolving and that amendment of these provisions may be required to provide for procedures to ensure compliance with such developments. The parties specifically agree to take such action as is necessary to amend this agreement in order to implement the standards and requirements of HIPAA, the HIPAA regulations, the HITECH Act and other applicable laws relating to the security or privacy of PHI. COUNTY may terminate this Agreement upon thirty (30) days written notice in the event that CONTRACTOR does not enter into an amendment providing assurances regarding the safeguarding of PHI that COUNTY in its sole discretion deems sufficient to satisfy the standards and requirements of HIPAA, the HIPAA regulations and the HITECH Act. R.No Third-Party Beneficiaries Nothing express or implied in the terms and conditions of these provisions is intended to confer, nor shall anything herein confer, upon any person other than COUNTY or CONTRACTOR and their respective successors or assignees, any rights, remedies, obligations or liabilities whatsoever. S.Interpretation -16- 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 The terms and conditions in these provisions shall be interpreted as broadly as necessary to implement and comply with HIPAA, the HIPAA regulations and applicable State laws. The parties agree that any ambiguity in the terms and conditions of these provisions shall be resolved in favor of a meaning that complies and is consistent with HIPAA and the HIPAA regulations. T.Regulatory References A reference in the terms and conditions of these provisions to a section in the HIPAA regulations means the section as in effect or as amended. U.Survival The respective rights and obligations of CONTRACTOR as stated in this Section shall survive the termination or expiration of this Agreement. V.No Waiver of Obligations No change, waiver or discharge of any liability or obligation hereunder on any one or more occasions shall be deemed a waiver of performance of any continuing or other obligation, or shall prohibit enforcement of any obligation on any other occasion. 12.AUDITS AND INSPECTIONS: The CONTRACTOR shall at any time during its published business hours, and as often as the COUNTY may deem necessary, make available to the COUNTY for examination records and data related to the matters covered by this Agreement. The CONTRACTOR shall, upon request by the COUNTY, and at the sole cost of the COUNTY, permit the COUNTY to audit and inspect records and data only related to the matters covered by this Agreement to ensure CONTRACTOR'S compliance with the terms of this Agreement. If this Agreement exceeds ten thousand dollars ($10,000.00), CONTRACTOR shall be subject to the examination and audit of the California State Auditor for a period of three (3) years after final payment under contract (Government Code Section 8546.7). 13.NOTICES: The persons and their addresses having authority to give and receive notices under this Agreement include the following: COUNTY CONTRACTOR Director of Internal Services/CIO Troncore, LLC 333 W. Pontiac Way 31789 County View Road Clovis, CA 93612 Temecula, CA 92591 -17- 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ISDContracts@FresnoCountyCA.gov All notices between the COUNTY and CONTRACTOR provided for or permitted under this Agreement must be in writing and delivered either by personal service, by first-class United States mail, by an overnight commercial courier service, or by email. A notice delivered by personal service is effective upon service to the recipient. A notice delivered by first-class United States mail is effective three COUNTY business days after deposit in the United States mail, postage prepaid, addressed to the recipient. A notice delivered by an overnight commercial courier service is effective one COUNTY business day after deposit with the overnight commercial courier service, delivery fees prepaid, with delivery instructions given for next day delivery, addressed to the recipient. For all claims arising out of or related to this Agreement, nothing in this section establishes, waives, or modifies any claims presentation requirements or procedures provided by law, including but not limited to the Government Claims Act (Division 3.6 of Title 1 of the Government Code, beginning with section 810). 14.GOVERNING LAW: Venue for any action arising out of or related to this Agreement shall only be in Fresno County, California. The rights and obligations of the parties and all interpretation and performance of this Agreement shall be governed in all respects by the laws of the State of California. 15.DISCLOSURE OF SELF-DEALING TRANSACTIONS This provision is only applicable if the CONTRACTOR is operating as a corporation (a for-profit or non-profit corporation) or if during the term of the agreement, the CONTRACTOR changes its status to operate as a corporation. Members of the CONTRACTOR’s Board of Directors shall disclose any self-dealing transactions that they are a party to while CONTRACTOR is providing goods or performing services under this agreement. A self-dealing transaction shall mean a transaction to which the CONTRACTOR is a party and in which one or more of its directors has a material financial interest. Members of the Board of Directors shall disclose any self-dealing transactions that they are a party to by completing and signing a Self-Dealing Transaction Disclosure Form, attached hereto as Exhibit C and incorporated herein by reference, and submitting it to the COUNTY prior to commencing with the self-dealing transaction or immediately thereafter. 1 16. ENTIRE AGREEMENT: This Agreement constitutes the entire agreement between the 2 CONTRACTOR and COUNTY with respect to the subject matter hereof, and supersedes all previous 3 Agreement negotiations, proposals, commitments , writings , advertisements , publications, and 4 understanding of any nature whatsoever unless expressly included in this Agreement. 5 Il l 6 7 IN WITNESS WHEREOF , the parties hereto have executed this Agreement as of the day and year 8 first hereinabove written. 9 10 11 12 13 14 15 (.A:uthorized S ignature) Dustin Fritz , General M anager Print Name & Title 3 1789 Country View Ro ad Temec ula , CA 92591 16 Mailing Address 17 18 19 20 21 22 23 24 25 26 27 28 FOR ACCOUNTING USE ONLY: Fund : 1020 Subclass : 10000 ORG : 8905 Account: 7 2 9 5 By: COUNTY OF FRESNO £#'~~ Ernest Buddy Mens, Chairman of the Board of Supervisors of the County of Fresno ATTEST: Bernice E. Seidel Clerk of the Board of Supervisors County of Fresno , State of Cal ifornia Dep ~Q. , e '"t!s -18- -19- 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 Exhibit A This exhibit is considered Confidential Government Information as defined in Evidence Code sec. 1040 Exhibit B “Data Security” A-1 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 A. Definitions. Capitalized terms used in this Exhibit A have the meanings set forth in this section A. “Authorized Employees” means CONTRACTOR’s employees who have access to Personal Information. “Authorized Persons” means: (i) any and all Authorized Employees; and (ii) any and all of CONTRACTOR’s subcontractors, representatives, agents, outsourcers, and consultants, and providers of professional services to CONTRACTOR, who have access to Personal Information and are bound by law or in writing by confidentiality obligations sufficient to protect Personal Information in accordance with the terms of this Exhibit A. “Director” means COUNTY’s Director of Internal Services-Chief Information Officer or his or her designee. “Disclose” or any derivative of that word means to disclose, release, transfer, disseminate, or otherwise provide access to or communicate all or any part of any Personal Information orally, in writing, or by electronic or any other means to any person. “Person” means any natural person, corporation, partnership, limited liability company, firm, or association. “Personal Information” means any and all information, including any data, provided, or to which access is provided, to CONTRACTOR by or upon the authorization of COUNTY, under this Agreement, including but not limited to vital records, that: (i) identifies, describes, or relates to, or is associated with, or is capable of being used to identify, describe, or relate to, or associate with, a person (including, without limitation, names, physical descriptions, signatures, addresses, telephone numbers, e-mail addresses, education, financial matters, employment history, and other unique identifiers, as well as statements made by or attributable to the person); (ii) is used or is capable of being used to authenticate a person (including, without limitation, employee identification numbers, government-issued identification numbers, passwords or personal identification numbers (PINs), financial account numbers, credit report information, answers to security questions, and other personal identifiers); or is personal information within the meaning of California Exhibit B “Data Security” A-2 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 Civil Code section 1798.3, subdivision (a), or 1798.80, subdivision (e). Personal Information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. “Privacy Practices Complaint” means a complaint received by COUNTY relating to CONTRACTOR’s (or any Authorized Person’s) privacy practices, or alleging a Security Breach. Such complaint shall have sufficient detail to enable CONTRACTOR to promptly investigate and take remedial action under this Exhibit A. “Security Safeguards” means physical, technical, administrative or organizational security procedures and practices put in place by CONTRACTOR (or any Authorized Persons) that relate to the protection of the security, confidentiality, value, or integrity of Personal Information. Security Safeguards shall satisfy the minimal requirements set forth in subsection C.(5) of this Exhibit A. “Security Breach” means (i) any act or omission that compromises either the security, confidentiality, value, or integrity of any Personal Information or the Security Safeguards, or (ii) any unauthorized Use, Disclosure, or modification of, or any loss or destruction of, or any corruption of or damage to, any Personal Information. “Use” or any derivative thereof means to receive, acquire, collect, apply, manipulate, employ, process, transmit, disseminate, access, store, disclose, or dispose of Personal Information. B. Standard of Care. (1) CONTRACTOR acknowledges that, in the course of its engagement by COUNTY under this Agreement, CONTRACTOR, or any Authorized Persons, may Use Personal Information only as permitted in this Agreement. (2) CONTRACTOR acknowledges that Personal Information is deemed to be confidential information of, or owned by, COUNTY (or persons from whom COUNTY receives or has received Personal Information) and is not confidential information of, or owned or by, CONTRACTOR, or any Authorized Persons. CONTRACTOR further acknowledges that all right, title, and interest in or to the Personal Information remains in Exhibit B “Data Security” A-3 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 COUNTY (or persons from whom COUNTY receives or has received Personal Information) regardless of CONTRACTOR’s, or any Authorized Person’s, Use of that Personal Information. (3) CONTRACTOR agrees and covenants in favor of COUNTY that CONTRACTOR shall: (i) keep and maintain all Personal Information in strict confidence, using such degree of care under this Subsection B as is reasonable and appropriate to avoid a Security Breach; (ii) Use Personal Information exclusively for the purposes for which the Personal Information is made accessible to CONTRACTOR pursuant to the terms of this Exhibit A; (iii) not Use, Disclose, sell, rent, license, or otherwise make available Personal Information for CONTRACTOR’s own purposes or for the benefit of anyone other than COUNTY, without COUNTY’s express prior written consent, which the COUNTY may give or withhold in its sole and absolute discretion; and (iv) not, directly or indirectly, Disclose Personal Information to any person (an “Unauthorized Third Party”) other than Authorized Persons pursuant to this Agreement, without the Director’s and the Recorder’s express prior written consent. Notwithstanding the foregoing paragraph, in any case in which CONTRACTOR believes it, or any Authorized Person, is required to disclose Personal Information to government regulatory authorities, or pursuant to a legal proceeding, or otherwise as may be required by applicable law, Contractor shall (a) immediately notify COUNTY of the specific demand for, and legal authority for the disclosure, including providing County with a copy of any notice, discovery demand, subpoena, or order, as applicable, received by CONTRACTOR, or any Authorized Person, from any government regulatory authorities, or in relation to any legal proceeding, and (b) promptly notify COUNTY before such Personal Information is offered by CONTRACTOR for such disclosure so that COUNTY may have sufficient time to obtain a court order or take any other action COUNTY may deem necessary to protect the Personal Information from such disclosure, and CONTRACTOR shall cooperate with COUNTY to minimize the scope of such disclosure of such Personal Information. Exhibit B “Data Security” A-4 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 CONTRACTOR shall remain liable to COUNTY for the actions and omissions of any Unauthorized Third Party concerning its Use of such Personal Information as if they were CONTRACTOR’s own actions and omissions. C. Information Security. (1) CONTRACTOR covenants, represents and warrants to COUNTY that Contractor’s Use of Personal Information under this Agreement does and shall at all times comply with all applicable federal, state, and local, privacy and data protection laws, as well as all other applicable regulations and directives, including but not limited to California Civil Code, Division 3, Part 4, Title 1.81 (beginning with section 1798.80), and the Song-Beverly Credit Card Act of 1971 (California Civil Code, Division 3, Part 4, Title 1.3, beginning with section 1747). If CONTRACTOR Uses credit, debit or other payment cardholder information, CONTRACTOR shall at all times remain in compliance with the Payment Card Industry Data Security Standard (“PCI DSS”) requirements, including remaining aware at all times of changes to the PCI DSS and promptly implementing and maintaining all procedures and practices as may be necessary to remain in compliance with the PCI DSS, in each case, at CONTRACTOR’s sole cost and expense. (2) CONTRACTOR covenants, represents and warrants to COUNTY that, as of the Effective Date, CONTRACTOR has not received notice of any violation of any privacy or data protection laws, as well as any other applicable regulations or directives, and is not the subject of any pending legal action or investigation by, any government regulatory authority regarding same. (3) Without limiting CONTRACTOR’s obligations under subsection C.(1) of this Exhibit A, CONTRACTOR’s (or Authorized Person’s) Security Safeguards shall be no less rigorous than accepted industry practices and, at a minimum, include the following: (i) limiting Use of Personal Information strictly to CONTRACTOR’s and Authorized Persons’ technical and administrative personnel who are necessary for the CONTRACTOR’s, or Authorized Persons’, Use of the Personal Information pursuant to this Agreement; (ii) ensuring that all of CONTRACTOR’s connectivity to County computing systems will only be Exhibit B “Data Security” A-5 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 through COUNTY’s security gateways and firewalls, and only through security procedures approved upon the express prior written consent of the Director; (iii) to the extent that they contain or provide access to Personal Information, (a) securing business facilities, data centers, paper files, servers, back-up systems and computing equipment, operating systems, and software applications, including, but not limited to, all mobile devices and other equipment, operating systems, and software applications with information storage capability; (b) employing adequate controls and data security measures, both internally and externally, to protect (1) the Personal Information from potential loss or misappropriation, or unauthorized Use, and (2) the COUNTY’s operations from disruption and abuse; (c) having and maintaining network, device application, database and platform security; (d) maintaining authentication and access controls within media, computing equipment, operating systems, and software applications; and (e) installing and maintaining in all mobile, wireless, or handheld devices a secure internet connection, having continuously updated anti-virus software protection and a remote wipe feature always enabled, all of which is subject to express prior written consent of the Director; (iv) encrypting all Personal Information at advance encryption standards of Advanced Encryption Standards (AES) of 128 bit or higher (a) stored on any mobile devices, including but not limited to hard disks, portable storage devices, or remote installation, or (b) transmitted over public or wireless networks (the encrypted Personal Information must be subject to password or pass phrase, and be stored on a secure server and transferred by means of a Virtual Private Network (VPN) connection, or another type of secure connection, all of which is subject to express prior written consent of the Director); (v) strictly segregating Personal Information from all other information of CONTRACTOR, including any Authorized Person, or anyone with whom CONTRACTOR or any Authorized Person deals so that Personal Information is not commingled with any other types of information; (vi) having a patch management process including installation of all operating system/software vendor security patches; (vii) maintaining appropriate personnel security and integrity procedures and practices, including, but not limited to, conducting Exhibit B “Data Security” A-6 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 background checks of Authorized Employees consistent with applicable law; and (viii) providing appropriate privacy and information security training to Authorized Employees. (4) During the term of each Authorized Employee’s employment by CONTRACTOR, CONTRACTOR shall cause such Authorized Employees to abide strictly by CONTRACTOR’s obligations under this Exhibit A. CONTRACTOR further agrees that it shall maintain a disciplinary process to address any unauthorized Use of Personal Information by any Authorized Employees. (5) CONTRACTOR shall, in a secure manner, backup daily, or more frequently if it is CONTRACTOR’s practice to do so more frequently, Personal Information received from COUNTY, and the COUNTY shall have immediate, real time access, at all times, to such backups via a secure, remote access connection provided by CONTRACTOR, through the Internet. (6) CONTRACTOR shall provide COUNTY with the name and contact information for each Authorized Employee (including such Authorized Employee’s work shift, and at least one alternate Authorized Employee for each Authorized Employee during such work shift) who shall serve as COUNTY’s primary security contact with CONTRACTOR and shall be available to assist COUNTY twenty-four (24) hours per day, seven (7) days per week as a contact in resolving CONTRACTOR’s and any Authorized Persons’ obligations associated with a Security Breach or a Privacy Practices Complaint. D. Security Breach Procedures. (1) Immediately upon CONTRACTOR’s awareness or reasonable belief of a Security Breach, CONTRACTOR shall (a) notify the Director of the Security Breach, such notice to be given first by telephone at the following telephone number, followed promptly by email at the following email address: (559) 600-6200 / ematthews@fresnocountyca.gov (which telephone number and email address COUNTY may update by providing notice to CONTRACTOR), and (b) preserve all relevant evidence (and cause any affected Authorized Person to preserve all relevant evidence) relating to the Security Breach. The notification shall include, to the extent reasonably possible, the identification of each type and the extent Exhibit B “Data Security” A-7 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 of Personal Information that has been, or is reasonably believed to have been, breached, including but not limited to, compromised, or subjected to unauthorized Use, Disclosure, or modification, or any loss or destruction, corruption, or damage. (2) Immediately following CONTRACTOR’s notification to COUNTY of a Security Breach, as provided pursuant to subsection D.(1) of this Exhibit A, the Parties shall coordinate with each other to investigate the Security Breach. CONTRACTOR agrees to fully cooperate with COUNTY, including, without limitation: (i) assisting COUNTY in conducting any investigation; (ii) providing COUNTY with physical access to the facilities and operations affected; (iii) facilitating interviews with Authorized Persons and any of CONTRACTOR’s other employees knowledgeable of the matter; and (iv) making available all relevant records, logs, files, data reporting and other materials required to comply with applicable law, regulation, industry standards, or as otherwise reasonably required by COUNTY. To that end, CONTRACTOR shall, with respect to a Security Breach, be solely responsible, at its cost, for all notifications required by law and regulation, or deemed reasonably necessary by COUNTY, and CONTRACTOR shall provide a written report of the investigation and reporting required to the Director within thirty (30) days after the CONTRACTOR’s discovery of the Security Breach. (3) County shall promptly notify CONTRACTOR of the Director’s knowledge, or reasonable belief, of any Privacy Practices Complaint, and upon CONTRACTOR’s receipt of notification thereof, CONTRACTOR shall promptly address such Privacy Practices Complaint, including taking any corrective action under this Exhibit A, all at CONTRACTOR’s sole expense, in accordance with applicable privacy rights, laws, regulations and standards. In the event CONTRACTOR discovers a Security Breach, CONTRACTOR shall treat the Privacy Practices Complaint as a Security Breach. Within twenty-four (24) hours of CONTRACTOR’s receipt of notification of such Privacy Practices Complaint, CONTRACTOR shall notify COUNTY whether the matter is a Security Breach, or otherwise has been corrected and the manner of correction, or determined not to require corrective action and the reason therefor. Exhibit B “Data Security” A-8 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 (4) CONTRACTOR shall take prompt corrective action to respond to and remedy any Security Breach and take mitigating actions, including but not limiting to, preventing any reoccurrence of the Security Breach and correcting any deficiency in Security Safeguards as a result of such incident, all at CONTRACTOR’s sole expense, in accordance with applicable privacy rights, laws, regulations and standards. CONTRACTOR shall reimburse COUNTY for all reasonable costs incurred by COUNTY in responding to, and mitigating damages caused by, any Security Breach, including all costs of COUNTY incurred relation to any litigation or other action described subsection D.(5) of this Exhibit A. (5) CONTRACTOR agrees to cooperate, at its sole expense, with COUNTY in any litigation or other action to protect COUNTY’s rights relating to Personal Information, including the rights of persons from whom COUNTY receives Personal Information. E. Oversight of Security Compliance. (1) CONTRACTOR shall have and maintain a written information security policy that specifies Security Safeguards appropriate to the size and complexity of CONTRACTOR’s operations and the nature and scope of its activities. (2) Upon COUNTY’s written request, to confirm CONTRACTOR’s compliance with this Exhibit A, as well as any applicable laws, regulations and industry standards, CONTRACTOR grants COUNTY or, upon COUNTY’s election, a third party on COUNTY’s behalf, permission to perform an assessment, audit, examination or review of all controls in CONTRACTOR’s physical and technical environment in relation to all Personal Information that is Used by CONTRACTOR pursuant to this Agreement. CONTRACTOR shall fully cooperate with such assessment, audit or examination, as applicable, by providing COUNTY or the third party on COUNTY’s behalf, access to all Authorized Employees and other knowledgeable personnel, physical premises, documentation, infrastructure and application software that is Used by CONTRACTOR for Personal Information pursuant to this Agreement. In addition, CONTRACTOR shall provide COUNTY with the results of any audit by or on behalf of CONTRACTOR that assesses the effectiveness of CONTRACTOR’s information security program as relevant to the security and confidentiality of Personal Exhibit B “Data Security” A-9 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 Information Used by CONTRACTOR or Authorized Persons during the course of this Agreement under this Exhibit A. (3) CONTRACTOR shall ensure that all Authorized Persons who Use Personal Information agree to the same restrictions and conditions in this Exhibit A. that apply to CONTRACTOR with respect to such Personal Information by incorporating the relevant provisions of these provisions into a valid and binding written agreement between CONTRACTOR and such Authorized Persons, or amending any written agreements to provide same. F. Return or Destruction of Personal Information. Upon the termination of this Agreement, CONTRACTOR shall, and shall instruct all Authorized Persons to, promptly return to COUNTY all Personal Information, whether in written, electronic or other form or media, in its possession or the possession of such Authorized Persons, in a machine readable form used by COUNTY at the time of such return, or upon the express prior written consent of the Recorder and the Director, securely destroy all such Personal Information, and certify in writing to the COUNTY that such Personal Information have been returned to COUNTY or disposed of securely, as applicable. If CONTRACTOR is authorized to dispose of any such Personal Information, as provided in this Exhibit A, such certification shall state the date, time, and manner (including standard) of disposal and by whom, specifying the title of the individual. CONTRACTOR shall comply with all reasonable directions provided by the Recorder and the Director with respect to the return or disposal of Personal Information and copies thereof. If return or disposal of such Personal Information or copies of Personal Information is not feasible, CONTRACTOR shall notify COUNTY according, specifying the reason, and continue to extend the protections of this Exhibit A to all such Personal Information and copies of Personal Information. CONTRACTOR shall not retain any copy of any Personal Information after returning or disposing of Personal Information as required by this section F. CONTRACTOR’s obligations under this section F survive the termination of this Agreement Exhibit B “Data Security” A-10 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 and apply to all Personal Information that CONTRACTOR retains if return or disposal is not feasible and to all Personal Information that CONTRACTOR may later discover. G. Equitable Relief. CONTRACTOR acknowledges that any breach of its covenants or obligations set forth in this Exhibit A may cause COUNTY irreparable harm for which monetary damages would not be adequate compensation and agrees that, in the event of such breach or threatened breach, COUNTY is entitled to seek equitable relief, including a restraining order, injunctive relief, specific performance and any other relief that may be available from any court, in addition to any other remedy to which COUNTY may be entitled at law or in equity. Such remedies shall not be deemed to be exclusive but shall be in addition to all other remedies available to COUNTY at law or in equity or under this Agreement. H. Indemnification. CONTRACTOR shall defend, indemnify and hold harmless COUNTY, its officers, employees, and agents, (each, a “COUNTY Indemnitee”) from and against any and all infringement of intellectual property including, but not limited to infringement of copyright, trademark, and trade dress, invasion of privacy, information theft, and extortion, unauthorized Use, Disclosure, or modification of, or any loss or destruction of, or any corruption of or damage to, Personal Information, Security Breach response and remedy costs, credit monitoring expenses, forfeitures, losses, damages, liabilities, deficiencies, actions, judgments, interest, awards, fines and penalties (including regulatory fines and penalties), costs or expenses of whatever kind, including attorneys’ fees and costs, the cost of enforcing any right to indemnification or defense under this Exhibit A and the cost of pursuing any insurance providers, arising out of or resulting from any third party claim or action against any COUNTY Indemnitee in relation to CONTRACTOR’s, its officers, employees, or agents, or any Authorized Employee’s or Authorized Person’s, performance or failure to perform under this Exhibit A or arising out of or resulting from CONTRACTOR’s failure to comply with any of its obligations under this section H. The provisions of this section H do not apply to the acts or omissions of COUNTY. The provisions of this section H Exhibit B “Data Security” A-11 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 are cumulative to any other obligation of CONTRACTOR to, defend, indemnify, or hold harmless any COUNTY Indemnity under this Agreement. The provisions of this section H shall survive the termination of this Agreement. I. Survival. The respective rights and obligations of CONTRACTOR and COUNTY as stated in this Exhibit A shall survive the termination of this Agreement. J. No Third Party Beneficiary. Nothing express or implied in the provisions of in this Exhibit A is intended to confer, nor shall anything herein confer, upon any person other than COUNTY or CONTRACTOR and their respective successors or assignees, any rights, remedies, obligations or liabilities whatsoever. L. No County Warranty. COUNTY does not make any warranty or representation whether any Personal Information in CONTRACTOR’s (or any Authorized Person’s) possession or control, or Use by CONTRACTOR (or any Authorized Person), pursuant to the terms of this Agreement is or will be secure from unauthorized Use, or a Security Breach or Privacy Practices Complaint. Exhibit C SELF-DEALING TRANSACTION DISCLOSURE FORM In order to conduct business with the County of Fresno (hereinafter referred to as “County”), members of a contractor’s board of directors (hereinafter referred to as “County Contractor”), must disclose any self-dealing transactions that they are a party to while providing goods, performing services, or both for the County. A self-dealing transaction is defined below: “A self-dealing transaction means a transaction to which the corporation is a party and in which one or more of its directors has a material financial interest” The definition above will be utilized for purposes of completing this disclosure form. INSTRUCTIONS (1) Enter board member’s name, job title (if applicable), and date this disclosure is being made. (2) Enter the board member’s company/agency name and address. (3) Describe in detail the nature of the self-dealing transaction that is being disclosed to the County. At a minimum, include a description of the following: a. The name of the agency/company with which the corporation has the transaction; and b. The nature of the material financial interest in the Corporation’s transaction that the board member has. (4) Describe in detail why the self-dealing transaction is appropriate based on applicable provisions of the Corporations Code. (5) Form must be signed by the board member that is involved in the self-dealing transaction described in Sections (3) and (4). Exhibit C (1)Company Board Member Information: Name: Date: Job Title: (2)Company/Agency Name and Address: (3)Disclosure (Please describe the nature of the self-dealing transaction you are a party to): (4)Explain why this self-dealing transaction is consistent with the requirements of Corporations Code 5233 (a): (5)Authorized Signature Signature: Date: