Laserfiche WebLink
EXHIBIT 2 <br />Each party agrees that no disaggregate data, identifying individuals or employers, <br />shall be released to outside parties or the public. <br />The Subrecipient shall notify Pass -through Entity's Information Security Office of <br />any actual or attempted information security incidents, within 24 hours of initial <br />detection, by telephone at (916) 654-6231. Information security incidents include, <br />but are not limited to, any event (intentional or unintentional), that causes the <br />loss, damage, or destruction, or unauthorized access, use, modification, or <br />disclosure of information assets. <br />The Subrecipient shall cooperate with the Pass -through Entity in any investigation <br />of security incidents. The system or device affected by an information security <br />incident and containing confidential data obtained in the administration of this <br />program shall be immediately removed from operation upon confidential data exposure <br />or a known security breach. It shall remain removed from operation until correction <br />and mitigation measures are applied. If the Subrecipient learns of a breach in the <br />security of the system which contains confidential data obtained under this <br />Subgrant, then the Subrecipient must provide notification to individuals pursuant <br />to California Civil Code Section 1798.82. <br />The Subrecipient shall be responsible for all costs incurred by the Pass -through <br />Entity due to a security incident resulting from the Subrecipient's failure to <br />perform or negligent acts of its personnel, and resulting in an unauthorized <br />disclosure, release, access, review, or destruction; or loss, theft or misuse of <br />an information asset. If the Subrecipient experiences a loss or breach of data, <br />the Subrecipient shall immediately report report the loss or breach to the Pass - <br />through Entity. If the Pass -through Entity determines that notice to the <br />individuals whose data has been lost or breached is appropriate, the Subrecipient <br />will bear any and all costs associated with the notice or any mitigation selected <br />by the Pass -through Entity. These costs include, but are not limited to, staff <br />time, material costs, postage, media announcements, and other identifiable costs <br />associated with the breach or loss of data. <br />f. The Subrecipient shall provide for the management and control of physical access to <br />information assets (including personal computer systems, computer terminals, mobile <br />computing devices, and various electronic storage media) used in performance of this <br />Subgrant. This shall include, but is not limited to, security measures to physically <br />protect data, systems, and workstations from unauthorized access and malicious <br />activity; the prevention, detection, and suppression of fires; and the prevention, <br />detection, and minimization of water damage. <br />g. At no time will confidential data obtained pursuant to this agreement be placed on a <br />mobile computing device, or on any form of removable electronic storage media of any <br />kind unless the data are fully encrypted. <br />h. Each party shall provide its employees with access to confidential information with <br />written instructions fully disclosing and explaining the penalties for unauthorized <br />use or disclosure of confidential information found in Section 1798.55 of the <br />California Civil Code, Section 502 of the California Penal Code, Section 2111 of the <br />California Unemployment Insurance Code, Section 10850 of the California Welfare and <br />Institutions Code and other applicable local, state and federal laws. <br />i. Each party shall (where it is appropriate) store and process information in <br />electronic format, in such a way that unauthorized persons cannot reasonably retrieve <br />the information by means of a computer. <br />j. All Subrecipient staff and subcontractors that are provided access to any data <br />systems of the Pass -through Entity, excluding CaIJOBS, are required to complete <br />and sign an Employee Confidentiality Statement (DE 7410). <br />k. Each party shall promptly return to the other party confidential information when <br />its use ends, or destroy the confidential information utilizing an approved method of <br />destroying confidential information: shredding, burning, or certified or witnessed <br />destruction. Magnetic media are to be degaussed or returned to the other party. <br />I. If the Pass -through Entity or Subrecipient enters into an agreement with a third <br />party to provide WIOA services, the Pass -through Entity or Subrecipient agrees to <br />include these data and security and confidentiality requirements in the agreement <br />with that third party. In no event shall said information be disclosed to any <br />Page 12 of 14 <br />