◆ SpookStack

SSEerEL_ b. Data Security By acceptance of, or performance on, this contract, the contractor agrees that with respect to the data identified in paragraph a, in the event of an actual or suspected breach of such data (i.e., loss of control, compromise, unauthorized disclosure, access for an unauthorized purpose, or other unauthorized access, whether physical or electronic), the contractor will immediately (and in no event later than within one hour or discovery) report the breach to the CO and the Contracting Officer's Technical Representative (COTR). If the data breach occurs outside of regular business hours and/or neither the CO nor the COTR can be reached, the contractor shall call the DOJ Computer Emergency Readiness Team (DOJCERT) at 1-866-US4-CERT (1-866-874-2378) within one hour of discovery of the breach. The contractor shall also notify the CO as soon as possible during regular business hours. c. Personally Identifiable Information Notification Requirement The contractor further certifies that 1t has a security policy in place that contains procedures to promptly notify any individual whose personally identification information (as defined by OMB) was, or is reasonably believed to have been, breached. Any notification shall be coordinated with the Department, and shall not proceed until the Department has made a determination that notification would not impede a law enforcement investigation or jeopardize national security. The method and content of any notification by the contract shall be coordinated with, and be subject to the approval of, the Department. The contractor assumes full responsibility for taking corrective action consistent with the Department's Data Breach Notification Procedures, which may include offering credit monitoring when appropriate. d. Pass-through of Security Requirements to Subcontractors The requirements set forth in Paragraphs a through c above, apply to all subcontractors who perform work in connection with this contract. For each subcontractor, the contractor must certify that it has required the subcontractor to adhere to all such requirements. Any breach by a subcontractor of any of the provisions set forth in this clause will be attributed to the contractor. H.33.1.2. Information Resellers or Data Brokers Under this contract, the Department obtains personally identifiable information about individuals from the contractor. The contractor hereby certified that 1t has a security policy in place which contains procedures to promptly notify any individual whose personally identifiable information (as defined by OMB) was, or is reasonably believed to have been, lost or acquired by an unauthorized person while the data is under the control of the contractor. In any case in which the data that was lost or improperly acquired reflects or consists of data that originated with the Department, or reflects sensitive law enforcement or national security interest in the data, the contractor shall notify the Department Contracting Officer so that the Department my determine whether notification would impede a law enforcement investigation or jeopardize national security. In such cases, the contractor shall notify the individuals until 1t receives further instruction from the Department. H.34 Continuation of Essential Contractor Services AP-56 Ecker Page 30 of 54