|
10
<br /> disclose confidential and proprietary data, Recipient will Information"), to those individuals with a need to know,
<br /> notify the disclosing party of the request. Thereafter the changing Client's user passwords at least every ninety (90)
<br /> disclosing party may seek a protective order or waive the days, or sooner if an Authorized User is no longer
<br /> confidentiality requirements of this Agreement, provided that responsible for accessing the Information Services, or if
<br /> Recipient may only disclose the minimum amount of Client suspects an unauthorized person has learned the
<br /> information necessary to comply with the requirement. password, and using all security features in the software and
<br /> Recipient will not be obligated to hold confidential any hardware Client uses to order or access the Information
<br /> information from the disclosing party which (a) is or becomes Services,
<br /> publicly known, (b) is received from any person or entity who, (e) in no event access the Information Services via any
<br /> to the best of Recipient's knowledge, has no duty of wireless communication device, including, but not limited to,
<br /> confidentiality to the disclosing party, (c) was already known web enabled cell phones, interactive wireless pagers,
<br /> to Recipient prior to the disclosure, and that knowledge was personal digital assistants (PDAs), mobile data terminals and
<br /> evidenced in writing prior to the date of the other party's portable data terminals,
<br /> disclosure, or(d) is developed by the Recipient without using (f) not use personal computer hard drives or portable and/or
<br /> any of the disclosing party's information. The rights and removable data storage equipment or media (including but
<br /> obligations of this Section VI (i) with respect to confidential not limited to laptops, zip drives, tapes, disks, CDs, DVDs,
<br /> and proprietary data that constitutes a "trade secret" (as software, and code)to store the Information Services,
<br /> defined by applicable law), which includes without limitation (g) encrypt Equifax Information when it is not in use and,with
<br /> all consumer report information received through the respect to all printed Equifax Information, store in a secure,
<br /> Information Services, will survive the termination of this locked container when not in use and completely destroy
<br /> Agreement for so long as such confidential and proprietary such Equifax Information when no longer needed by cross-
<br /> information remains a trade secret under applicable law; and cut shredding machines (or other equally effective destruction
<br /> (ii) with respect to all other confidential and proprietary data, method) such that the results are not readable or useable for
<br /> will survive the termination of this Agreement for the longer of any purpose,
<br /> two (2) years from termination, or the confidentiality period (h) if Client sends, transfers or ships any Equifax Information,
<br /> required by applicable law. encrypt the Equifax Information using minimum standards of
<br /> Advanced Encryption Standard (AES), minimum 128-bit key,
<br /> VII. DATA SECURITY or Triple Data Encryption Standard (3DES), minimum 168-bit
<br /> key, encrypted algorithms, which standards may be modified
<br /> 1. This Section VII applies to any means through which from time to time by Equifax,
<br /> Client orders or accesses the Information Services including, (i) monitor compliance with the obligations of this Section VII,
<br /> without limitation, system-to-system, personal computer or and immediately notify Equifax if Client suspects or knows of
<br /> the Internet; provided, however, if Client orders or accesses any unauthorized access or attempt to access the Information
<br /> the Information Services via the Internet, Client shall fully Services, including, without limitation, a review of each
<br /> comply with Equifax's connectivity security requirements Equifax invoice for the purpose of detecting any unauthorized
<br /> specified in Section VI1.3, below. activity,
<br /> (j) not ship hardware or software between Client's locations
<br /> For the purposes of this Section VII, the term "Authorized or to third parties without deleting all Security Information and
<br /> User" means a Client employee that Client has authorized to any consumer information,
<br /> order or access the Information Services and who is trained (k) if, subject to Section 1.6, Client uses a Service Provider to
<br /> on Client's obligations under this Agreement with respect to establish access to the Information Services, be responsible
<br /> the ordering and use of the Information Services and the for the Service Provider's use of Security Information, and
<br /> Equifax Information, including Client's FCRA and other ensure the Service Provider safeguards such Security
<br /> obligations with respect to the access and use of consumer Information through the use of security requirements that are
<br /> reports. no less stringent than those applicable to Client under this
<br /> Section VII,
<br /> 2. Client will, with respect to handling the Equifax (I) inform Authorized Users that unauthorized access to
<br /> Information: consumer reports may subject them to civil and criminal
<br /> (a) ensure that only Authorized Users can order or have liability under the FCRA punishable by fines and
<br /> access to the Information Services, imprisonment,and
<br /> (b) ensure that Authorized Users do not order consumer (m) use commercially reasonable efforts to assure data
<br /> reports for personal reasons or provide them to any third security when disposing of any consumer report information
<br /> party except as permitted by this Agreement, or record obtained from Equifax. Such efforts must include
<br /> (c) ensure that all devices used by Client to order or access the use of those procedures issued by the federal regulatory
<br /> the Information Services are placed in a secure location and agency charged with oversight of Client's activities (e.g. the
<br /> accessible only by Authorized Users, and that such devices Federal Trade Commission, the applicable banking or credit
<br /> are secured when not in use, through such means as screen union regulator)applicable to the disposal of consumer report
<br /> locks, shutting power controls off, or other commercially information or records.
<br /> reasonable security procedures,
<br /> (d) take all necessary measures to prevent unauthorized 3. Client will, with respect to Client's network security:
<br /> ordering of or access to the Information Services by any (a) use commercially reasonable efforts to protect Equifax
<br /> person other than an Authorized User for permissible Information when stored on servers, subject to the following
<br /> purposes, including, without limitation, limiting the knowledge requirements: (i) Equifax Information must be protected by
<br /> of the Client security codes, member numbers, User IDs, and multiple layers of network security, including but not limited
<br /> any passwords Client may use (collectively, "Security to, firewalls, routers, intrusion detection device; (ii) secure
<br /> Standard Agreement for Service—On Line Services Only LRD 4/29/09 9 5 4
<br /> #43064v17
<br />
|