Delta Charter School

Act 837 Vendor Contract


The State of Louisiana recently enacted new legislation that governs the gathering, disclosure and use of personally identifiable information (PII) of students. The new legislation includes contract requirements between schools or districts and anyone entrusted with such PII. The items enumerated below are specific requirements found to be necessary, as prescribed by the law that governs the release of student information.

Sensitive information must be protected at a level that can ensure that only those who are authorized to view the information are allowed access (secure passwords, encryption, etc.). The vendor’s network must maintain a high level of electronic protection to ensure the integrity of sensitive information and to prevent unauthorized access in these systems. Regular review of the protection methods used and system auditing are also critical to maintain protection of these systems. Vendor agrees to protect and maintain the security of data with protection security measures that include preserving secure environments that are patched and up to date with all appropriate security updates as designated by a relevant authority.

In order to guarantee that only appropriate individuals and entities have access to PII student data, organizations must devise and implement various forms of authentication to establish the identity of the requester of the information with a level of certainty that is commensurate with the sensitivity of the data. Each organization must individually determine the appropriate level of assurance that would provide, in its specific environment, reasonable means of protecting the privacy of the PII student data it maintains. No individual or entity should be allowed unauthenticated access to confidential PII records or data at any time.

Any individual, vendor, or entity shall implement appropriate measures designed to ensure the confidentiality and security of PII, protect against any anticipated access or disclosure of such information, and prevent any other action that could result in substantial or significant harm to Delta Charter School or any PII with the data information in the vendor’s custody.

The vendor agrees that any and all of Delta Charter’s PII student data will be stored, processed, and maintained solely on designated servers and that no Delta Charter School data at any time will be processed on or transferred to any portable laptop computing device or any portable storage device, unless that storage device is used as part of the vendor’s designated backup and recovery system processes. All servers, storage, backups, and network paths utilized in the delivery of the service shall be contained within the states, districts and territories of the United States of America unless specifically agreed to in writing by the President and Director of Delta Charter School, thus attested to by each of their signatures.

Each vendor will agree that any and all data exchanged shall be used expressly and only for the purposes listed in the original contract or agreement. Data shall not be distributed, repurposed or shared across other applications, environments, or business units of any vendor. As required by both Federal and State law, the vendor further agrees that no data of any kind shall be revealed, transmitted, exchanged or otherwise passed to other vendors or interested parties. The vendor also agrees that, as required and applicable by both State and Federal law, auditors for State, Federal, and Delta Charter School, or any other agency so designated by the Delta Charter Group Board of Directors, shall have the option to audit the outsourced service. Records pertaining to the service shall be made available to the auditors and Delta Charter Group Board of Directors during normal working hours if required.

The vendor agrees to comply with the Louisiana Database Breach Notification Law (ACT 499) and all applicable laws that require the notification of individuals in the event of unauthorized release of the vendor’s security obligations or other event requiring notification under applicable law, vendor agrees to notify Delta Charter School and its governing board, Delta Charter Group, immediately and assumes responsibility for informing all such individuals in accordance with applicable law and to indemnify, hold harmless and defend Delta Charter School and its governing board, Delta Charter Group, and employees from and against any claims, damages or other harm related to Notification Event.

Vendor agrees that if the original Contract is terminated or if the original Contract expires, Vendor shall return all data to the School Board in a useable electronic format. Vendor further agrees to erase, destroy, and render unreadable, all data in its entirety from its servers in a manner that prevents physical reconstruction through the use of commonly available file restoration utilities. Vendor shall certify in writing that these actions have been completed within 30 days of the termination of the Contract or within seven (7) days from receipt of any request by the School Board, whichever comes first. Vendor also agrees that all data will be erased, destroyed, and rendered unreadable from its backups within 120 days of the deletion of data from the servers.

The vendor and Delta Charter School acknowledge that unauthorized disclosure or use of the protected PII may irreparably damage Delta Charter School in such a way that adequate compensation could not be obtained from damages in an action at law. Accordingly, the actual or threatened unauthorized disclosure or use of any PII shall give Delta Charter School the right to seek injunctive relief restraining such unauthorized disclosure or use, in addition to any other remedy otherwise available, including, but not limited to, attorney fees. The vendor hereby waives the posting of a bond with respect to any action or injunctive relief. The vendor further grants Delta Charter School the right, but not the obligation, to enforce these provisions in vendor’s name against any vendor’s employees, officers, board members, owners, representatives, agents, contractors, and subcontractors violating the above provisions.

The vendor must have and must establish, with clear implementation, a lucid data breach response, such that will outline the organizational policies and procedures for addressing a potential breach, an essential step in protecting the privacy of PII student data. Quick response is essential for minimizing the risk of any further data loss. A response that is both appropriate and rapid plays an important role in mitigating any negative consequences of a breach, including potential harm to affected individuals. A data breach is defined as any instance in which there is an unauthorized release or access to PII or other data not suitable for public release. This definition applies regardless of whether an organization stores and manages that data directly or through a contractor or cloud service provider.

The vendor’s audit strategy will require the following actions to protect and retain audit logs. Audit logs and records must be stored on a server separate from the system that generates the audit trail. Access to audit logs must be restricted to prevent tampering or altering of audit data. Holding of audit trails must be based on a schedule determined collaboratively with operational, technical, risk management, and legal staff.

The Vendor is permitted to unveil confidential information to its employees, authorized subcontractors, agents, consultants, and auditors on a need-to-know basis only. This is conditioned in that such subcontractors, agents, contractors, and auditors have written confidentiality obligations to vendor and Delta Charter School.

The confidentiality obligations shall survive termination of any agreement with vendor for a period of 15 years, or for so long as the information remains confidential, whichever is longer, and will inure to the benefit of Delta Charter School.

 

This contract addendum amends any prior agreement or contract between Delta Charter School or its governing board, Delta Charter Group and __________________________ (Company Name) is effective as of _____________________ (Date)

 

______________________________________________________________

Vendor’s Authorized Representative Name (Please Print)

 

_____________________________________________________

Vendor’s Authorized Representative Signature                                                     (Date)

 

 

_____________________________________________________

Delta Charter School’s Director (Print Name)

 

_____________________________________________________

Delta Charter School’s Director Signature                                                             (Date)

 

______________________________________________________

Delta Charter Group’s Board President (Print Name)

 

______________________________________________________

Delta Charter Group’s Board President’s Signature                                               (Date)

 
