d. Each party agrees that no disaggregate data, identifying individuals or employers,
<br />shall be released to outside parties or the public.
<br />e. The Subrecipient shall notify Pass -through Entity's Information Security Office of
<br />any actual or attempted information security incidents, within 24 hours of initial
<br />detection, by telephone at (916) 654-6231. Information security incidents include,
<br />but are not limited to, any event (intentional or unintentional), that causes the
<br />loss, damage, or destruction, or unauthorized access, use, modification, or
<br />disclosure of information assets.
<br />The Subrecipient shall cooperate with the Pass -through Entity in any investigation
<br />of security incidents. The system or device affected by an information security
<br />Incident and containing confidential data obtained in the administration of this
<br />program shall be immediately removed from operation upon confidential data exposure
<br />or a known security breach. It shall remain removed from operation until correction
<br />and mitigation measures are applied. If the Subrecipient learns of a breach in the
<br />security of the system which contains confidential data obtained under this
<br />Subgrant, then the Subrecipient must provide notification to individuals pursuant
<br />to California Civil Code Section 1798.82.
<br />The Subrecipient shall be responsible for all costs incurred by the Pass -through
<br />Entity due to a security incident resulting from the Subrecipient's failure to
<br />perform or negligent acts of its personnel, and resulting in an unauthorized
<br />disclosure, release, access, review, or destruction; or loss, theft or misuse of
<br />an information asset. If the Subrecipient experiences a loss or breach of data,
<br />the Subrecipient shall immediately report report the loss or breach to the Pass -
<br />through Entity. If the Pass -through Entity determines that notice to the
<br />individuals whose data has been lost or breached is appropriate, the Subrecipient
<br />will bear any and all costs associated with the notice or any mitigation selected
<br />by the Pass -through Entity. These costs include, but are not limited to, staff
<br />time, material costs, postage, media announcements, and other identifiable costs
<br />associated with the breach or loss of data.
<br />f. The Subrecipient shall provide for the management and control of physical access to
<br />information assets (including personal computer systems, computer terminals, mobile
<br />computing devices, and various electronic storage media) used in performance of this
<br />Subgrant. This shall include, but is not limited to, security measures to physically
<br />protect data, systems, and workstations from unauthorized access and malicious
<br />activity; the prevention, detection, and suppression of fires; and the prevention,
<br />detection, and minimization of water damage.
<br />g. At no time will confidential data obtained pursuant to this agreement be placed on a
<br />mobile computing device, or on any form of removable electronic storage media of any
<br />kind unless the data are fully encrypted.
<br />h. Each party shall provide its employees with access to confidential information with
<br />written instructions fully disclosing and explaining the penalties for unauthorized
<br />use or disclosure of confidential information found in Section 1798.55 of the
<br />California Civil Code, Section 502 of the California Penal Code, Section 2111 of the
<br />California Unemployment Insurance Code, Section 10850 of the California Welfare and
<br />Institutions Code and other applicable local, state and federal laws.
<br />i. Each party shall (where it is appropriate) store and process information in
<br />electronic format, in such a way that unauthorized persons cannot reasonably retrieve
<br />the information by means of a computer.
<br />j. All Subrecipient staff and subcontractors that are provided access to any data
<br />systems of the Pass -through Entity, excluding CaIJOBS, are required to complete
<br />and sign an Employee Confidentiality Statement (DE 7410).
<br />k. Each party shall promptly return to the other party confidential information when
<br />its use ends, or destroy the confidential information utilizing an approved method of
<br />destroying confidential information: shredding, burning, or certified or witnessed
<br />destruction. Magnetic media are to be degaussed or returned to the other party.
<br />I. If the Pass -through Entity or Subrecipient enters into an agreement with a third
<br />party to provide WIOA services, the Pass -through Entity or Subrecipient agrees to
<br />include these data and security and confidentiality requirements in the agreement
<br />with that third party. In no event shall said information be disclosed to any
<br />Page 12 of 14
<br />
|