Appropriate safeguards (HIPAA standard)

Data Protection. [PARTY B] shall implement appropriate safeguards to prevent unauthorized access to, use of, or disclosure of the Protected Information. 


Tags: Neutral; Data Protection and Security
Intermediate: Use Only for Purpose + Security Measures + Encryption

Data Protection

Data Security Policies. [PARTY B] shall implement appropriate safeguards to prevent unauthorized access to, use of, or disclosure of Protected Information.

Network Security. [PARTY B] shall maintain network security conforming to generally recognized industry standards and the network security practices it uses for its own internal network, including at a minimum, 

network firewall provisioning,

intrusion detection, and

vulnerability assessments conducted at least three times each calendar year by independent third-party assessors.

Data Security. [PARTY B] shall protect the integrity and accessibility of the Protected Information using administrative, technical, and physical measures conforming to generally recognized industry standards and the best practices [PARTY B] applies to its own data and processing environment, including at a minimum,

password protection systems, 

timely application of patches, and

fixes and updates to operating systems.

Data Storage

Designated Target Servers. [PARTY B] shall store, process, and maintain all the Protected Information only on designated target servers.

Portable or Laptop Storage. [PARTY B] will not store, process, or maintain any of the Protected Information on, or transfer any Protected Information to, any portable or laptop computing device or portable storage medium, unless that device or storage medium is part of [PARTY B]'s designated backup and recovery processes and encrypted according to paragraph [DATA ENCRYPTION].

Data Transmission. [PARTY B] shall ensure that all electronic transmission or exchange of system and application data with the disclosing party and with any third parties designated by [PARTY B] takes place using secure means, including HTTPS, SFTP, or an equivalent.

Data Encryption

Backup Data. [PARTY B] shall use commercially supported encryption solutions to encrypt all of the Protected Information, as part of [PARTY B]'s designated backup and recovery processes.

PII on Portable Devices. [PARTY B] shall use commercially supported encryption solutions to encrypt all personally identifiable information, as defined under current legislation, that is stored on portable or laptop computing devices or portable storage mediums.

Encryption Standards. [PARTY B] shall use encryption solutions with at least a 128-bit key length for symmetric encryption, and at least a 1024-bit key length for asymmetric encryption.

Confidentiality Obligations. [PARTY B] shall treat the Protected Information as Confidential Information subject to the confidentiality obligations under section [CONFIDENTIALITY OBLIGATIONS].

Handling of Data on End of Agreement. Within 30 days after the expiration or termination of this agreement, [PARTY B] shall

erase, destroy, or otherwise render unrecoverable all Protected Information, and

give [PARTY A] written certification that the Protected Information is erased, destroyed, or otherwise unrecoverable.


Tags: Slight Pro-Provider; Data Protection and Security
Basic: Reasonable safeguards (confidentiality standard)

Data Protection. [PARTY B] shall implement reasonable safeguards to prevent unauthorized access to, use of, or disclosure of the disclosing party's Data.


Tags: Slight Pro-Providee; Data Protection and Security
Robust: Use for Purpose + Security Measures + Encryption + Notice + Audits + Standard

Data Protection

Data Protection Policies. [PARTY B] shall implement appropriate safeguards to prevent unauthorized access to, use of, or disclosure of Protected Information.

Network Security. [PARTY B] shall maintain network security conforming to generally recognized industry standards and the network security practices it uses for its own internal network, including at a minimum, 

network firewall provisioning,

intrusion detection, and

vulnerability assessments conducted at least three times each calendar year by independent third-party assessors.

Data Security. [PARTY B] shall protect the integrity and accessibility of the Protected Information using administrative, technical, and physical measures conforming to generally recognized industry standards and the best practices [PARTY B] applies to its own data and processing environment, including at a minimum,

password protection systems, 

timely application of patches, and

fixes and updates to operating systems.

Data Storage

Designated Target Servers. [PARTY B] shall store, process, and maintain all the Protected Information only on designated target servers.

Portable or Laptop Storage. [PARTY B] will not store, process, or maintain any of the Protected Information on, or transfer any Protected Information to, any portable or laptop computing device or portable storage medium, unless that device or storage medium is part of [PARTY B]'s designated backup and recovery processes and encrypted according to paragraph [DATA ENCRYPTION].

Data Transmission. [PARTY B] shall ensure that all electronic transmission or exchange of system and application data with the disclosing party and with any third parties designated by [PARTY B] takes place using secure means, including HTTPS, SFTP, or an equivalent.

Data Encryption

Backup Data. [PARTY B] shall use commercially supported encryption solutions to encrypt all of the Protected Information, as part of [PARTY B]'s designated backup and recovery processes.

PII on Portable Devices. [PARTY B] shall use commercially supported encryption solutions to encrypt all personally identifiable information, as defined under current legislation, that is stored on portable or laptop computing devices or portable storage mediums.

Encryption Standards. [PARTY B] shall use encryption solutions with at least a 128-bit key length for symmetric encryption, and at least a 1024-bit key length for asymmetric encryption.

Confidentiality Obligations. [PARTY B] shall treat the Protected Information as Confidential Information subject to the confidentiality obligations under section [CONFIDENTIALITY OBLIGATIONS].

Limits on Data Distribution. Unless [PARTY A] gives its written consent, [PARTY B] will not distribute, repurpose, or share Protected Information to or with any third parties, or to or with the receiving party's applications, environments, or business units that are outside the scope of this agreement.

Notification of Security Breaches 

Compliance with Notification Laws. [PARTY B] shall comply with all applicable Laws regarding the notification of individuals in the event of an unauthorized release of personally identifiable information and the notification of other unauthorized data and information disclosures.

Procedure After Unauthorized Disclosure. Within 24 hours of discovering any breach of [PARTY B]'s security obligations or any other event requiring notification under applicable Law, [PARTY B] shall notify [PARTY A], and any other individuals the Law requires to be notified, of the breach or other event by telephone and e-mail.

Indemnification Related to Unauthorized Disclosure. [PARTY B] shall indemnify and defend [PARTY A] and its Representatives, against any losses arising out of claims related to any unauthorized disclosure or other events requiring notification under applicable Law.

Handling of Data on End of Agreement. Within 30 days after the expiration or termination of this agreement, [PARTY B] shall

erase, destroy, or otherwise render unrecoverable all Protected Information, and

give [PARTY A] written certification that the Protected Information is erased, destroyed, or otherwise unrecoverable.

Audits

Right to Audit on Notice. On 10 Business Days' written notice to [PARTY B], [PARTY A] may, or may appoint an audit firm (the "Auditors") to, audit [PARTY B], and [PARTY B]'s sub-vendors or Affiliates that provide a service for the processing, transport, or storage of the Protected Information, for compliance with the data security obligations under this section.

Scope of Audit. [PARTY A] shall include in its notice of an upcoming audit the scope, date, and time of the audit, and any deliverables the disclosing party reasonably requests for the audit.

Onsite Audit 

Need for Onsite Audit. If the deliverables [PARTY A] requests cannot reasonably be removed from [PARTY B]'s premises, [PARTY B] shall provide [PARTY A] or the Auditors access to [PARTY B]'s premises and, if necessary, a personal site guide for [PARTY A] or the Auditors while on [PARTY B]'s premises.

Audit Accommodations. If an onsite audit is necessary, [PARTY B] shall provide [PARTY A] or the Auditors with private accommodation on [PARTY B]'s premises for data analysis and meetings, including a reasonable workspace, appropriate lighting, electrical, printer, and internet connectivity.

Access to Employees. [PARTY B] shall make designated employees or contractors available for interviews in person or over the phone during the time frame specified for the audit.

Receiving Party Self-Audit. In lieu of [PARTY A] or the Auditors performing the audit, if [PARTY B] has an external audit firm that performs a certified Type II SAS 70 review, [PARTY A] may

review the controls tested and the results of the audit by [PARTY B]'s audit firm, and

request additional controls to be added to the audit by [PARTY B]'s audit firm, to test the controls that have an impact on the Protected Information.

Audit Expenses. [PARTY A] shall bear all expenses in connection with audits, unless an audit reveals material noncompliance with contract specifications, in which case [PARTY B] shall bear the expenses.

Industry Standards. For the purpose of this section [DATA SECURITY], generally recognized industry standards include the current standards and benchmarks listed and maintained by the

Center for Internet Security (available at http://www.cisecurity.org),

Payment Card Industry Data Security Standard (PCI DSS) (available at http://www.pcisecuritystandards.org/),

National Institute of Standards and Technology (NIST) (available at http://csrc.nist.gov),

Federal Information Security Management Act (FISMA) (available at http://csrc.nist.gov),

ISO/IEC 27000-series (available at http://www.iso27001security.com/), and

Organization for the Advancement of Structured Information Standards (OASIS) (available at http://www.oasis-open.org/).


Tags: Heavy Pro-Provider; Data Protection and Security

About

  • Clause Taxonomy: Data Protection and Security
  • Organization: Public
  • Updated: 04/04/2018

Overview

The Data Protection or Data Security clause is found in a variety of agreements, from Master Service Agreements to Data Sharing Agreements, and stipulates how the recipient will use appropriate safeguards to protect shared or hosted data.

Which language is used depends on the type of data involved, the risk of unauthorized access or disclosure, and the potential harm such access or disclosure would cause. Fixed technical minima written into a clause date quickly: the 1024-bit asymmetric key length and the Type II SAS 70 review cited in the examples above have both been superseded (NIST guidance now treats 2048-bit RSA as the floor, and SAS 70 was replaced by the SSAE SOC report framework), so such references should either point to a maintained standard or be revisited at each renewal.