best efforts to prevent any further Security Breach at Contractor's expense in accordance with applicable privacy
<br />laws. Except as otherwise required by law, Contractor shall not provide notice of the Security Breach directly to
<br />individuals whose Personally Identifiable Information was involved, to regulatory agencies, or to other entities,
<br />without first providing written notice to the District's Designated Representative.
<br />5.3 Security Breach Report. If the District reasonably determines that Contractor has committed a
<br />Security Breach, then the District may request Contractor to submit, within seven (7) calendar days from discovery of
<br />such breach, a written report, and any supporting documentation, identifying (i) the nature of the Security Breach,
<br />(ii) the steps Contractor has executed to investigate the Security Breach, (iii) what District Data or PII was used or
<br />disclosed, (iv) who or what was the cause of the Security Breach, (v) what Contractor has done or shall do to
<br />remediate any deleterious effect of the Security Breach, and (vi) what corrective action Contractor has taken or shall
<br />take to prevent a future Incident or Security Breach. The District reserves the right to require Contractor to amend its
<br />remediation plans.
<br />5.4 Effect of Security Breach. Upon the occurrence of a Security Breach, the District may terminate
<br />this Agreement in accordance with District policies in addition to any other remedies available to the District under
<br />law or equity. The District may require Contractor to suspend all Services, pending the investigation and successful
<br />resolution of any Security Breach. Contractor acknowledges that, as a result of a Security Breach, the District may
<br />also elect to disqualify Contractor and any of its Subcontractors from future contracts with the District.
<br />5.5 Colorado Privacy Statute. The District and the Contractor both agree to comply with Colorado
<br />Consumer Data Privacy Statutes. Both parties will implement and maintain security procedures and practices that
<br />are appropriate and are reasonably designed to protect the PII (personally identifying information) from
<br />unauthorized access, use, modification, disclosure or destruction.
<br />6. Response to Legal Orders, Demands or Requests for Data
<br />6.1 Received by Contractor. Except as otherwise expressly prohibited by law, Contractor shall
<br />immediately notify the District of any subpoenas, warrants, other legal orders, or demands or requests received by
<br />Contractor seeking District Data; consult with the District regarding its response; cooperate with the District's
<br />reasonable requests in connection with efforts by the District to intervene and quash or modify the legal order,
<br />demand or request; and, upon the District's request, provide the District with a copy of its response.
<br />6.2 Received by District. If the District receives a subpoena, warrant, or other legal order, demand or
<br />request seeking District Data maintained by Contractor, including but not limited to a request pursuant to the
<br />Colorado Open Records Act, C.R.S. § 24-72-100.1 et seq., the District will promptly notify Contractor and, within
<br />two (2) business days, excluding national holidays, Contractor shall supply the District with copies of the District
<br />Data for the District to respond.
<br />6.3 Parent Request. If a parent, legal guardian or student contacts the District with a request to review
<br />or correct District Data or PII, pursuant to FERPA or the Student Data Transparency and Security Act, C.R.S. § 22-
<br />16-101 et seq. (the "Act"), the District will promptly notify Contractor's Designated Representative and Contractor
<br />shall use reasonable and good faith efforts to assist the District in fulfilling such requests, as directed by the District,
<br />within ten calendar (10) days after receipt of District's notice. Conversely, if a parent, legal guardian or student
<br />contacts the Contractor with a request to review or correct District Data or PII, within ten calendar (10) days after
<br />receipt of such notice, Contractor shall promptly notify the District and shall use reasonable and good faith efforts to
<br />assist the District in fulfilling such requests, as directed by the District.
<br />Colorado Council of School Board Attorneys, December 10, 2016
<br />
|