Model Contracts: Data Security Provision

November 2016

11. DATA SECURITY AND PRIVACY

For the purposes of this Agreement, “Personal Data” means any information relating to an identified or identifiable natural person (i.e. a private individual as opposed to a corporation or other comparable entity).  An identifiable person is someone who can be identified, directly or indirectly, in particular by reference to an identification number or the person’s physical, physiological, mental, economic, cultural or social characteristics.  [Client/Licensee] Personal Data means Personal Data of [Client/Licensee] and may relate to employees of [Client/Licensee], or other natural persons, including [Client/Licensee’s] or its Affiliates’ customers, suppliers and contractors.

 

11.2  Data Security and Privacy Safeguards.  

Supplier represents and warrants that it is and will remain in compliance with all applicable laws and regulations, including without limitation those relating to the protection of Personal Data. Supplier represents and warrants that it has put in place, and will maintain, and has required its third-party service providers to put in place, and maintain, appropriate physical, electronic, technical, organizational and managerial procedures (i) required by applicable law or regulation, (ii) if applicable, required to comply with contractual obligations of Supplier and (iii) consistent with applicable industry standards, to safeguard and secure all [Client/Licensee] Personal Data and other Confidential Information that is received from, processed by or prepared for [Client/Licensee] and/or its Affiliates and/or their respective suppliers, customers and other third party business partners.

 

11.3    Minimum Safeguards

At a minimum, Supplier’s safeguards for the protection of Personal Data and other Confidential Information shall include securing its business facilities, data centers, paper files, computers (including servers and back-up systems) and implementing authentication and access controls within media, software applications, operating systems and equipment. Except to the extent [Client/Licensee] shall provide an express waiver in writing, Supplier shall cause its agents and subcontractors to (a) encrypt, or cause the encryption of, all [Client/Licensee] Personal Data transmitted from Supplier’s and/or its third party service providers’ computers and/or mobile communication devices and media and (b) encrypt all [Client/Licensee] Personal Data stored on Supplier’s and/or its third party service providers’ laptop computers and/or other portable devices or transmitted for Supplier’s and its third party service providers’ computers and/or other portable devices wirelessly or across public networks, if and to the extent that under applicable laws and regulations [Client/Licensee] (i) would be obligated to encrypt such [Client/Licensee] Personal Data or, (ii) in the event of a security breach with respect to such [Client/Licensee] Personal Data, [Client/Licensee] would be obligated to notify the affected individuals.  Supplier shall provide information to [Client/Licensee] as to the method of such encryption.

 

11.4      Reviews of Safeguards

Supplier shall continuously review its and its third party service providers’ procedures and technology safeguards to ensure they remain consistent with the applicable standards.  Supplier shall upon request (i) provide copies of its data protection policies and procedures together with such SSAE 16 SOC 2 Type II and ISO 27001:2005 or similar audit reports as Supplier may possess and (ii) permit [Client/Licensee] to review its technology safeguards, and shall require its third-party service providers to permit same.  If such review reveals that the procedures or technology safeguards of Supplier or any of its third-party service providers are not consistent with the applicable standards, [Client/Licensee] shall have the right to terminate this Agreement without liability.  

 

11.5     Security Breach

Supplier shall notify Licensee immediately upon any actual, potential or suspected breach of security of data, including, without limitation, [Client/Licensee] Personal Data in the custody of Supplier or any of its third-party service providers. For purposes of this Agreement, a “breach of security” shall mean the acquisition of, or access to, computerized data by an unauthorized person that compromises the security, confidentiality or integrity of such data. In addition to any other notice requirements set forth in this Agreement, such notification shall be sent to both (i) Vice President and Chief Information Officer, Textron Inc., 2301 Eagle Parkway, Suite 100, Fort Worth, TX 76177 by nationally recognized overnight courier service and by facsimile to (817) 590-1190 and (ii) Vice President and Deputy General Counsel, Textron Inc., 40 Westminster Street, Providence, RI  02903 by nationally recognized overnight courier service and by facsimile to (401) 457-3696. Supplier will indemnify, hold harmless and defend [Client/Licensee] against, and pay and compensate [Client/Licensee] for, any and all liabilities, claims, suits demands, fines or judgments, losses or damages (including reasonable attorneys’ fees) resulting from or arising out of the failure by Supplier or its third-party service providers to safeguard and keep secure [Client/Licensee’s] Personal Data and other Confidential Information, including any costs or expenses of notifying individuals of any breach of security of [Client/Licensee] Personal Data and of providing credit monitoring services to appropriate individuals.

 

11.6     Textron IT Security Risk Assessment

Supplier represents and warrants that any and all responses provided by it with respect to the Textron IT Security Risk Assessment Form and any supplemental information provided are accurate and complete.  Supplier shall provide not less than thirty (30) days prior written notice of (a) any changes to its or its third party service providers’ procedures or technology which would cause any of such information to change in a way adverse to the interests of [Client/Licensee] or any of the individuals to whom any [Client/Licensee] Personal Data relates or (b) any transfer of [Client/Licensee’s] Personal Data  or other Confidential Information to a location or computer for which information satisfactory to [Client/Licensee] has not been provided on or with respect to any Textron IT Security Risk Assessment Form.

 

11.7 Transfer of [Client/Licensee] Personal Data Outside Country of Origin.  

Without [Client/Licensee]’s prior written consent in each case, Supplier shall not transfer or permit the transfer of, or access to, any third party of any [Client/Licensee] Personal Data in the custody of Supplier or any third party service provider, to or by any person, entity or computer in any country other than the country in which the individual resides to whom the Personal Data relates (“Country of Origin”).  Specifically, in the case of [Client/Licensee] Personal Data relating to European Union (“EU“), Swiss or Canadian individuals, Supplier shall not transfer or permit the transfer of such [Client/Licensee] Personal Data to any third party outside the Country of Origin other than with the prior written consent of [Client/Licensee] in each case or in accordance with any relevant provisions in data transfer agreements that Supplier may enter into with [Client/Licensee] or any of its Affiliates regarding the processing standards applicable to Personal Data of EU, Swiss or Canadian individuals, as the case may be. Supplier shall execute EU Commission’s Standard Contractual Clauses (also known as Model Clauses or Model Contracts) with [Client/Licensee] promptly upon request.

 

11.8    Payment Card Industry Data Security Standard (“PCI DSS”)

If in the course of the performance of the Services Supplier will have access to or will collect, use, store, process, dispose of or disclose credit, debit, or other payment cardholder information relating to [Client/Licensee] or any of its employees, customers, suppliers or other business partners, Supplier shall, and shall cause its third party service providers to, at all times remain in compliance with the PCI DSS requirements and shall provide [Client/Licensee] with such evidence thereof as [Client/Licensee] may reasonably request from time to time.

 

11.9 HIPAA, Etc.

Supplier represents and warrants to [Client/Licensee] that, if applicable, the [Software and] Services fully comply with Public Law 104-91, Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Care Financing Administration Internet Security Policy of 1998.  Furthermore, Supplier agrees, and will require its third party service providers, to establish and maintain an effective program to prevent and detect violations of law, including but not limited to violations of HIPAA and all proposed rules and final rules issues pursuant to HIPAA applicable to and affecting [Client/Licensee], [the Software] and Services, and the operations of Supplier.