DATA SECURITY AGREEMENT
Addendum # ______ to Contract # ______
This Data Security Agreement (Agreement) is incorporated in and attached to that certain Agreement titled/numbered and dated ______ (Contract) by and between the University of Washington (University) and ______ (Contractor). Contractor agrees to include all of the terms and conditions contained in this Agreement in all subcontractor or agency contracts providing services under contract number ______.
Unless defined herein, all terms take the meaning ascribed by University Administrative Policy Statement 2.4, Information Security and Privacy Roles, Responsibilities, and Definitions.
- Disclosure of University Data
Contractor shall not use, access, or disclose University Data in any manner that would constitute a violation of state or federal law or contract or agreement terms including, without limitation, by means of outsourcing, sharing, retransfer, access, or use—to any person or entity, except:
- Employees or agents who actually and legitimately need to access or use University Data in the performance of Contractor’s duties under this Agreement or the Contract;
- Such third parties, such as but not limited to, subcontractors, as may be specifically identified in this Agreement or the Contract, but only after such third party has agreed in writing and in advance of any disclosure, to be bound by all of the terms of this Agreement; or
- Any other third party approved by the University in writing and in advance of any disclosure, but only to the extent of such approval.
- Use of, Storage of, or Access to, University Data
Contractor shall only use, store, or access University Data:
- In accordance with, and only to the extent permissible under this Agreement and the Contract; and
- In full compliance with any and all applicable laws, regulations, rules, or standards including to the extent applicable, but without limitation: Family Educational Rights and Privacy Act (FERPA), Export Administration Regulations (EAR), International Traffic in Arms Regulations (ITAR), Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Financial Services Modernization Act (GLB), Federal Trade Commission Red Flags Rule, the Social Security Act, Payment Card Industry Data Security Standards (PCI-DSS), and Revised Code of Washington (RCW) 19.255.010 and 42.56.590.
- Contractor shall notify University in writing if Contractor obtains an export control license for Data covered by EAR or ITAR.
- For University Data subject to FERPA, Contractor will be considered a “school official” with a “legitimate educational interest” as those terms are used in FERPA and its implementing regulations.
- Any transmission, transportation, or storage of University Data outside the United States is prohibited except on prior written authorization by the University.
- Safeguarding University Data
Contractor agrees that use, storage, and access to University Data shall be performed with that degree of skill, care, and judgment customarily accepted as sound, quality, and professional practices. Contractor shall implement and maintain safeguards necessary to ensure the confidentiality, availability, and integrity of University Data. If any of these safeguards represent a change to a System, these changes shall be implemented by Contractor in accordance with Contractor’s approved field modification process at the time of System installation and shall be included in the price of the System.
Such safeguards shall include as appropriate, and without limitation, the following:
- System Security. A System that is owned or supported by Contractor and contains University Data shall be secured as follows:
- Contractor warrants that their System is free of any system settings or defects that would create a potential breach.
- Contractor shall provide the specifications and configuration settings of the System, including: hardware, operating system, applications, communication ports and protocols.
- The System shall use secure protocols (e.g. SSH, SSL, SFTPS, TLS, IPSec) to safeguard University Data in transit.
- Contractor understands the System may be placed on a public network and warrants the System is sufficiently protected from compromises and attacks. Contractor may need to add a host-based or external firewall to protect the System or Contractor may allow the University to add a host-based or external firewall without breach of this Agreement, Contractor’s warranty or University support contract.
- Contractor shall coordinate with the University to ensure the following:
  - Limit administrative access to the System,
  - Limit remote access to the System,
  - Limit account access and privileges to the least necessary for the proper functioning of the System,
  - Remove or disable applications and services that are not necessary for the proper functioning of the System,
  - Use named user accounts and not generic or shared accounts,
  - Use Kerberos, LDAP or other industry compliant services for authentication and authorization. If the System lacks the capability to utilize centralized authentication and/or authorization, a secure remote API, batch load interface or other mechanism must be provided for provisioning user accounts and privileges, and
  - Enable an appropriate level of auditing and logging for the operating system and applications.
- The System shall not be deployed with default passwords and shall allow the changing of System and user passwords.
- System Maintenance and Support
- Contractor and University shall agree on a process for the timely review, testing, and installation of patches essential for safeguarding the confidentiality, integrity, or availability of the System or University Data.
- Proper change management procedures, as defined in this document or in Contract # ______ shall be followed.
- Contractor shall ensure that the System is supported. Contractor shall provide University with notice 12 months before the System or any components become unsupported.
- If necessary, Contractor shall provide remote support via a mutually agreed upon secure connection method that includes a detailed audit log of events (e.g., who, what, where, when). Remote access shall be limited to an as needed or as requested basis; Contractor shall provide a list of accounts used for remote access.
- Data Protections
- Contractor shall only use, store, disclose, or access University Data:
  - In accordance with, and only to the extent permissible under Contract # ______; and
  - In full compliance with any and all applicable laws, regulations, rules or standards, including, but without limitation, FERPA, HIPAA, GLB, the Federal Trade Commission Red Flags Rule, EAR, ITAR, the Social Security Act, PCI-DSS, RCW 19.255.010 and RCW 42.56.590.
- Contractor shall have documented policies and procedures to prevent unauthorized use, disclosure, loss, or acquisition of, or access to, University Data. This includes, but is not limited to, personnel security measures, such as background checks.
- Contractor shall provide University written notice of any employee or agent of Contractor that was or is employed by University that has access to or use of University Data. University shall have sole discretion to disallow access to or use of University Data to any person identified in such notice.
- All transmission of University Data between parties shall be performed using a mutually agreed upon secure transfer method that includes a detailed audit log of events (e.g., who, what, where, when).
- Oversight
A security audit, evaluation, or review shall be performed no less than annually to ensure compliance with Contractor’s safeguards, any safeguards required under this Agreement or the Contract, and industry best practices for the protection of University Data. If an evaluation, audit, or review identifies any error, flaw, or inadequacy with respect to any safeguard that does or may affect University Data, Contractor shall promptly notify the University. Upon the University’s request, Contractor shall provide a copy of any report generated in connection with any such evaluation, audit, or review. The University and Contractor shall develop a mutually agreeable timeline to correct any such error, flaw, or inadequacy, and if Contractor is unable to make such correction, or fails to do so within a reasonable timeframe as determined by the University, the University may immediately terminate the Contract.
- Data Breach
- If Contractor has reason to believe that University Data may have been accessed, disclosed, or acquired without proper authorization and contrary to the terms of this Agreement or the Contract, Contractor shall alert the University of any Data Breach within two business days, and shall immediately take such actions as may be necessary to preserve forensic evidence and eliminate the cause of the Data Breach. Contractor shall give highest priority to immediately correcting any Data Breach and shall devote such resources as may be required to accomplish that goal. Contractor shall provide the University any and all information necessary to enable the University to fully understand the nature and scope of the Data Breach. To the extent the University, in its sole discretion, deems warranted—whether in accordance with applicable Washington law such as RCW 42.56.590 or RCW 19.255.010, or federal law such as HIPAA, EAR or ITAR—the University may provide notice or require Contractor to provide notice to any or all parties affected by any Data Breach. In such case, Contractor shall consult with the University in a timely fashion regarding appropriate steps required to notify third parties. Contractor shall provide University information about what Contractor has done or plans to do to mitigate any deleterious effect of the unauthorized use or disclosure of, or access to, University Data. In the event that a Data Breach requires Contractor’s assistance in reinstalling software, such assistance shall be provided at no cost to the University and in accordance with the University’s policies and standards. The University may discontinue any services or products provided by Contractor until the University, in its sole discretion, determines that the cause of the Data Breach has been sufficiently mitigated.
- Contractor shall defend, indemnify, and save the University harmless from and against any claims, actions, loss, liability, damage, costs, or expenses, including, but not limited to, reasonable attorneys’ fees, arising from any or all Data Breaches. The indemnification provided hereunder includes the full costs of forensics analysis, System remediation to eliminate the cause of the Data Breach, and notice to affected individuals, including, but not limited to, the services of a third party firm.
- No Surreptitious Code
Contractor warrants that, to the best of its knowledge, the System is free of and does not contain any code or mechanism that collects information or asserts control of the System without University’s consent, or which may restrict University’s access to or use of University Data. Contractor further warrants that it will not knowingly introduce, via any means, spyware, adware, ransomware, rootkit, keylogger, virus, trojan, worm, or other code or mechanism designed to permit unauthorized access to University Data, or which may restrict University’s access to or use of University Data.
- Compelled Disclosure
If Contractor is served with any subpoena, discovery request, court order, or other legal request or command that calls for disclosure of any University Data, Contractor shall promptly notify the University in writing and provide the University sufficient time to obtain a court order or take any other action the University deems necessary to prevent disclosure or otherwise protect University Data. In such event, Contractor shall provide University prompt and full assistance in University’s efforts to protect University Data. Where Contractor is prohibited by law from notifying the University of a legal request for University Data, Contractor will comply with all applicable laws and regulations with respect to the requested University Data.
- Termination Procedures
Upon expiration or earlier termination of the Contract, Contractor shall ensure that no Data Breach occurs and shall follow the University’s instructions as to the preservation, transfer, or destruction of University Data. The method of destruction shall be accomplished by “purging” or “physical destruction”, in accordance with National Institute of Standards and Technology (NIST) Special Publication 800-88. Contractor shall certify in writing to University that such return or destruction has been completed.
- Survival; Order of Precedence
This Agreement shall survive the expiration or earlier termination of the Contract. In the event the provisions of this Agreement conflict with any provision of the Contract, or Contractor’s warranties, support contract, or service level agreement, the provisions of this Agreement shall prevail.
- Definitions
- University Data: University Data is any and all data within the University’s possession, custody, or control, and any and all data that the University has disclosed to Contractor. For the purposes of this Agreement, University Data does not cease to be University Data solely because it is transferred or transmitted beyond the University’s immediate possession, custody, or control.
- Confidential Data: Confidential Data is University Data that is very sensitive in nature and typically subject to federal or state regulations; proprietary rights under patent, copyright, trademark, or trade secret law; or privileged against disclosure in a civil lawsuit. Unauthorized disclosure of this data could seriously and adversely impact the UW or the interests of individuals and organizations associated with the UW.
- Data Breach: Data Breach means any use, disclosure, loss, acquisition of, or access to, Confidential Data that is not in accordance with the terms of this Agreement or the Contract.
- System: An assembly of components that supports an operational role or accomplishes a specific objective. This may include a discrete set of information resources (network, server, computer, software, application, operating system or storage devices) organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
- Change Management: A formal process used to ensure that changes to a system are introduced in a controlled and coordinated manner. This reduces the possibility that unnecessary changes will be introduced to a system, that faults or vulnerabilities are introduced to the system, or that changes made by other users are undone.
UNIVERSITY
Signature:
Printed Name:
Job Title:
CONTRACTOR
Signature:
Name:
Job Title: