EXHIBIT A - SECURITY AND NOTIFICATION REQUIREMENTS

1. Data Protection.

Agency shall take appropriate measures to protect against the misuse and unauthorized access through or to Agency's (i) credentials ("Account IDs") used to access the Services; or (ii) corresponding passwords, whether by Agency or any third party; or (iii) the Services and/or information derived therefrom. Agency shall manage identification, use, and access control to all Account IDs in an appropriately secure manner and shall promptly deactivate any Account IDs when no longer needed or where access presents a security risk. Agency shall implement its own appropriate program for Account ID management and shall use commercially reasonable efforts to follow the policies and procedures for account maintenance as may be communicated to Agency by Provider from time to time in writing.

2. Agency's Information Security Program.

Agency shall implement and document appropriate policies and procedures covering the administrative, physical and technical safeguards in place and relevant to the access, use, storage, destruction, and control of information which are measured against objective standards and controls ("Agency's Information Security Program"). Agency's Information Security Program shall: (1) account for known and reasonably anticipated threats and Agency shall monitor for new threats on an ongoing basis; and (2) meet or exceed industry best practices. Agency will promptly remediate any deficiencies identified in Agency's Information Security Program. Agency shall not allow the transfer of any personally identifiable information received from Provider across any national borders outside the United States without the prior written consent of Provider.

3. Agency Security Event.

In the event Agency learns or has reason to believe that Account IDs, the Services, or any information related thereto have been misused, disclosed, or accessed in an unauthorized manner or by an unauthorized person (an "Agency Security Event") Agency shall:

(i) provide immediate written notice to:
    a) the Information Security and Compliance Organization at 1000 Alderman Drive, Alpharetta, Georgia 30005; or
    b) via email to (security.investigations@lexisnexis.com); or
    c) by phone at (1-888-872-5375) with a written notification to follow within twenty four (24) hours; and
(ii) promptly investigate the situation; and
(iii) obtain written consent from Provider, not to be unreasonably withheld, prior to disclosing Provider or the Services to any third party in connection with the Agency Security Event; and
(iv) if required by law, or in Provider's discretion, Agency shall:
    a) notify the individuals whose information was disclosed that an Agency Security Event has occurred; and
    b) be responsible for all legal and regulatory obligations including any associated costs which may arise in connection with the Agency Security Event; and
(v) remain solely liable for all costs and claims that may arise from the Agency Security Event, including, but not limited to: litigation (including attorney's fees); reimbursement sought by individuals (including costs for credit monitoring and other losses alleged to be in connection with such Agency Security Event); and
(vi) provide all proposed third party notification materials to Provider for review and approval prior to distribution.

In the event of an Agency Security Event, Provider may, in its sole discretion, take immediate action, including suspension or termination of Agency's account, without further obligation or liability of any kind.

Confidential and Proprietary Information of LexisNexis