DocuSign Envelope ID: 07C464C4-FDB6-434A-A01B-558064E4E858
PO#: 461001815
Routing#: 22-HA3-ZG-00070

D. Final Audit Report

Contractor shall promptly submit to the State a copy of any final audit report of an audit performed on Contractor's records that relates to or affects this Contract or the Work, whether the audit is conducted by Contractor or a third party.

10. CONFIDENTIAL INFORMATION-STATE RECORDS

A. Confidentiality

Contractor shall keep confidential, and cause all Subcontractors to keep confidential, all State Records, unless those State Records are publicly available. Contractor shall not, without prior written approval of the State, use, publish, copy, disclose to any third party, or permit the use by any third party of any State Records, except as otherwise stated in this Contract, permitted by law or approved in Writing by the State. Contractor shall provide for the security of all State Confidential Information in accordance with all policies promulgated by the Colorado Office of Information Security and all applicable laws, rules, policies, publications, and guidelines. If Contractor or any of its Subcontractors will or may receive the following types of data, Contractor or its Subcontractors shall provide for the security of such data according to the following: (i) the most recently promulgated IRS Publication 1075 for all Tax Information and in accordance with the Safeguarding Requirements for Federal Tax Information attached to this Contract as an Exhibit, if applicable, (ii) the most recently updated PCI Data Security Standard from the PCI Security Standards Council for all PCI, (iii) the most recently issued version of the U.S. Department of Justice, Federal Bureau of Investigation, Criminal Justice Information Services Security Policy for all CJI, and (iv) the federal Health Insurance Portability and Accountability Act for all PHI and the HIPAA Business Associate Agreement attached to this Contract, if applicable. Contractor shall immediately forward any request or demand for State Records to the State's principal representative.

B. Other Entity Access and Nondisclosure Agreements

Contractor may provide State Records to its agents, employees, assigns and Subcontractors as necessary to perform the Work, but shall restrict access to State Confidential Information to those agents, employees, assigns and Subcontractors who require access to perform their obligations under this Contract. Contractor shall ensure all such agents, employees, assigns, and Subcontractors sign nondisclosure agreements at least as protective as those in this Contract, and that the nondisclosure agreements are in force at all times the agent, employee, assign or Subcontractor has access to any State Confidential Information. Contractor shall provide copies of those signed nondisclosure restrictions to the State upon request.

C. Use, Security, and Retention

Contractor shall use, hold and maintain State Confidential Information in compliance with any and all applicable laws and regulations in facilities located within the United States, and shall maintain a secure environment that ensures confidentiality of all State Confidential Information wherever located. Contractor shall provide the State with access, subject to Contractor's reasonable security requirements, for purposes of inspecting and monitoring access and use of State Confidential Information and evaluating security control effectiveness. Upon the expiration or termination of this Contract, Contractor shall return State Records provided to Contractor or destroy such State Records and certify to the State that it has done so, as directed by the State. If Contractor is prevented by law or regulation from returning or destroying State Confidential Information, Contractor warrants it will guarantee the confidentiality of, and cease to use, such State Confidential Information.

D. Incident Notice and Remediation

If Contractor becomes aware of any Incident, it shall notify the State immediately and cooperate with the State regarding recovery, remediation, and the necessity to involve law enforcement, as determined by the State. Unless Contractor can establish that none of Contractor or any of its agents, employees, assigns or Subcontractors are the cause or source of the Incident, Contractor shall be responsible for the cost of notifying each person who may have been impacted by the Incident. After an Incident, Contractor shall take steps to reduce the risk of incurring a similar type of Incident in the future as directed by the State, which may include, but is not limited to, developing and implementing a remediation plan that is approved by the State at no additional cost to the State. The State may, in its sole discretion and at Contractor's sole expense, require Contractor to engage the services of an independent, qualified, State-approved third party to conduct a security audit. Contractor shall provide the State with the results of such audit and evidence of Contractor's planned remediation in response to any negative findings.

Document Builder Generated Page 8 of 59 Version 0819