Laserfiche WebLink
16.1.3 Notwithstanding any other provision in the Contract or Contract, <br />Implementer's nondisclosure obligations with respect to SCE Personal <br />Information shall survive any expiration or termination of the Contract in <br />perpetuity. Upon the expiration or termination of the Contract, or at any time <br />upon request of SCE, all SCE Personal Information in any medium, including all <br />copies or parts thereof, shall be returned to SCE or destroyed, except that <br />Implementer may retain one copy of any materials prepared by Implementer <br />containing or reflecting SCE Personal Information if necessary for compliance <br />with its internal record-keeping or quality assurance requirements only. If <br />destroyed, such destruction shall be certified in writing by Implementer. <br />16.2 Security Incidents. This section shall apply only to the extent Implementer is in <br />possession or control of SCE Personal Information or SCE Confidential Customer <br />Information. <br />16.2.1 Security Incident Response Plan. Implementer shall develop, implement and <br />maintain a written plan and process for preventing, detecting, identifying, <br />reporting, tracking and remediating Security Incidents ("Security Incident Response <br />Plan" or "SIRP"). A Security Incident shall mean an event or set of circumstances <br />that results in a reasonable expectation of a compromise of the security, <br />confidentiality or integrity of SCE data or information under the Implementer's <br />control. Examples of Security Incidents include are but not limited to: <br />(i) Security breaches to Implementer's network perimeter or to internal <br />applications resulting in potential compromise of SCE data or information. <br />(ii) Loss of physical devices or media, e.g., laptops, portable media, paper files, <br />etc., containing SCE data. <br />(iii) Lapses in, or degradation of, Implementer's security controls, methods, <br />processes or procedures. <br />(iv) The unauthorized disclosure of SCE data or information. <br />(v) Any and all incidents adversely affecting SCE's or its affiliates', as the case <br />may be, information assets. <br />16.2.2 SIRP General Requirements. Implementer's SIRP will include Security <br />Incident handling and response procedures, specific contacts in an event of a <br />Security Incident, the contacts' roles and responsibilities, and their plans to notify <br />SCE or its affiliates, as the case may be, concerning the Security Incident. The SIRP <br />must be based on and meet all requirements of the following: <br />16.2.2.1 Federal and applicable state laws, statutes and regulations concerning the <br />custody, care and integrity of data and information. In particular and without <br />limitation, Implementer shall ensure that its SIRP and its business practices in <br />performing work on behalf of SCE comply with California's Information Practices <br />Act of 1977, California Civil Code §§ 1798.80 et seq., which addresses among other <br />things the provision of notice to SCE or its affiliates, as the case may be, of any <br />breach of the security of SCE Personal Information if it is reasonably believed to <br />have been acquired by an unauthorized person. <br />20B-20