DocuSign Envelope ID: 07C464C4-FDB6-434A-A01B-558064E4E858
<br /> PO#: 461001815
<br /> Routing#: 22-HA3-ZG-00070
<br /> D. Final Audit Report
<br /> Contractor shall promptly submit to the State a copy of any final audit report of an audit performed on
<br /> Contractor's records that relates to or affects this Contract or the Work, whether the audit is conducted by
<br /> Contractor or a third party.
<br /> 10. CONFIDENTIAL INFORMATION-STATE RECORDS
<br /> A. Confidentiality
<br /> Contractor shall keep confidential, and cause all Subcontractors to keep confidential, all State Records, unless
<br /> those State Records are publicly available. Contractor shall not, without prior written approval of the State,
<br /> use, publish, copy, disclose to any third party, or permit the use by any third party of any State Records,
<br /> except as otherwise stated in this Contract, permitted by law or approved in Writing by the State. Contractor
<br /> shall provide for the security of all State Confidential Information in accordance with all policies promulgated
<br /> by the Colorado Office of Information Security and all applicable laws, rules, policies, publications, and
<br /> guidelines. If Contractor or any of its Subcontractors will or may receive the following types of data,
<br /> Contractor or its Subcontractors shall provide for the security of such data according to the following: (i) the
<br /> most recently promulgated IRS Publication 1075 for all Tax Information and in accordance with the
<br /> Safeguarding Requirements for Federal Tax Information attached to this Contract as an Exhibit, if applicable,
<br /> (ii) the most recently updated PCI Data Security Standard from the PCI Security Standards Council for all
<br /> PCI, (iii) the most recently issued version of the U.S. Department of Justice, Federal Bureau of Investigation,
<br /> Criminal Justice Information Services Security Policy for all CJI, and (iv) the federal Health Insurance
<br /> Portability and Accountability Act for all PHI and the HIPAA Business Associate Agreement attached to this
<br /> Contract, if applicable. Contractor shall immediately forward any request or demand for State Records to the
<br /> State's principal representative.
<br /> B. Other Entity Access and Nondisclosure Agreements
<br /> Contractor may provide State Records to its agents, employees, assigns and Subcontractors as necessary to
<br /> perform the Work, but shall restrict access to State Confidential Information to those agents, employees,
<br /> assigns and Subcontractors who require access to perform their obligations under this Contract. Contractor
<br /> shall ensure all such agents, employees, assigns, and Subcontractors sign nondisclosure agreements at least
<br /> as protective as those in this Contract, and that the nondisclosure agreements are in force at all times the
<br /> agent, employee, assign or Subcontractor has access to any State Confidential Information. Contractor shall
<br /> provide copies of those signed nondisclosure restrictions to the State upon request.
<br /> C. Use, Security, and Retention
<br /> Contractor shall use, hold and maintain State Confidential Information in compliance with any and all
<br /> applicable laws and regulations in facilities located within the United States, and shall maintain a secure
<br /> environment that ensures confidentiality of all State Confidential Information wherever located. Contractor
<br /> shall provide the State with access, subject to Contractor's reasonable security requirements, for purposes of
<br /> inspecting and monitoring access and use of State Confidential Information and evaluating security control
<br /> effectiveness. Upon the expiration or termination of this Contract, Contractor shall return State Records
<br /> provided to Contractor or destroy such State Records and certify to the State that it has done so, as directed
<br /> by the State. If Contractor is prevented by law or regulation from returning or destroying State Confidential
<br /> Information, Contractor warrants it will guarantee the confidentiality of, and cease to use, such State
<br /> Confidential Information.
<br /> D. Incident Notice and Remediation
<br /> If Contractor becomes aware of any Incident, it shall notify the State immediately and cooperate with the
<br /> State regarding recovery, remediation, and the necessity to involve law enforcement, as determined by the
<br /> State. Unless Contractor can establish that none of Contractor or any of its agents, employees, assigns or
<br /> Subcontractors are the cause or source of the Incident, Contractor shall be responsible for the cost of notifying
<br /> each person who may have been impacted by the Incident. After an Incident, Contractor shall take steps to
<br /> reduce the risk of incurring a similar type of Incident in the future as directed by the State, which may include,
<br /> but is not limited to, developing and implementing a remediation plan that is approved by the State at no
<br /> additional cost to the State. The State may, in its sole discretion and at Contractor's sole expense, require
<br /> Contractor to engage the services of an independent, qualified, State-approved third party to conduct a
<br /> security audit. Contractor shall provide the State with the results of such audit and evidence of Contractor's
<br /> planned remediation in response to any negative findings.
<br /> Document Builder Generated Page 8 of 59 Version 0819