|
State of Minnesota -U.S. Bank Commercial Card Solutions -Participating Addendum
<br />Contract# 75413 Purchasing Card Contract# 75427 Fleet Card
<br />Appendix B-Minnesota General Terms, Conditions and Specifications
<br />conflict. This Security and Data Protection section survives the completion, termination, expiration, or cancellation of
<br />the Contracl/Agreement. For purposes of this Security and Data Protection section, "State" means the State of
<br />Minnesota, or a cooperative purchasing venture ("CPV') member when the CPV member is the purchasing entity (if
<br />CPV purchases are permitted under this Contracl/Agreement).
<br />a, Data Ownership. The State solely and exclusively owns and retains all right, title and interest, whether express or
<br />implied, in and to the State data. For purposes of this section, "data" has the meaning of "government data" in
<br />Minnesota Statutes section 13.02, subdivision 7. Contract Vendor has no and acquires no right, title or interest,
<br />whether express or implied, in and to the State data.
<br />Contract Vendor shall only use State data for the purposes set forth In the ContracUAgreement. Contract Vendor
<br />shall only access State data as necessary for performance of this Contracl/Agreement. Contract Vendor will not
<br />access State user accounts except to respond to service or technical problems or at the State's specific request.
<br />All State data shall be remitted, in a mutually agreeable format and media, to the State by the Contract Vendor
<br />upon request or upon completion, termination or cancellation of the Contracl/Agreement. The foregoing sentence
<br />does not apply if the State Chief Information Security Officer or delegate authorizes in writing the Contract Vendor
<br />to sanitize and/or destroy the data and the Contract Vendor certifies in writing the sanitization and/or destruction of
<br />the data. Ninety days following remittance of such data to the State, Contract Vendor shall, unless otheiwise
<br />instructed by the State in writing, sanitize and/or destroy any remaining data and certify in writing that the
<br />sanitization and/or destruction of the data has occurred. Any such remittance, sanitization or destruction will be at
<br />the Contract Vendor's sole cost and expense,
<br />In the event the Contract Vendor receives a request to release any State data, the Contract Vendor must
<br />immediately notify the State to the extent permitted by applicable law or regulation. The State will give the Contract
<br />Vendor instructions concerning the release of the data to the requesting party before the data is released. The
<br />Contract Vendor must comply with the State's Instructions. The civil remedies of Minnesota Statutes section 13.08
<br />apply to the release of the data by the Contract Vendor.
<br />b. Security Incidents. If Contract Vendor becomes aware of a privacy or security Incident regarding any State data,
<br />Contract Vendor will immediately report the event to the State. The decision to notify and the actual notifications to
<br />the State's data subjects affected by the security or privacy incident is the responsibility of the State.
<br />Notwithstanding anything to the contrary In this Contracl/Agreement, the Contract Vendor shall Indemnify, hold
<br />harmless and defend the State and its officers, and employees for and against any claims, damages, costs and
<br />expenses related to any privacy or security incident. Contract Vendor shall reasonably mitigate any harmful effects
<br />resulting from any privacy or security incident.
<br />For purposes of this sub-section, "security incident" means the successful unauthorized access, use, disclosure,
<br />modification or destruction of data or interference with system operations in an information system. For purposes of
<br />this sub-section, "privacy incident" means violation of the Minnesota Government Data Practices Act (Minnesota
<br />Statutes chapter 13) and/or federal privacy requirements in federal laws, rules and regulations. This includes, but is
<br />not limited to, improper or unauthorized use or disclosure of not public data, improper or unauthorized access to or
<br />alteration of public data, and incidents in which the confidentiality of the data maintained by Contract Vendor has
<br />been breached. For purposes of this section, "not public data" has the meaning in Minnesota Statutes section
<br />13.02, subdivision Sa.
<br />c. Security Program. Contract Vendor must make all commercially reasonable efforts to protect and secure the State
<br />data related to this Contracl/Agreement. Contract Vendor will establish and maintain an Information Security
<br />Program ("Program") that includes an information security policy applicable to any and all cloud computing or
<br />hosting services ("Policy"), Contract Vendor's Program and Policy must align with appropriate industry security
<br />frameworks and standards such as National Institute of Standards and Technology ("NIST") 800-53 Special
<br />Publication Revision 4, Federal Information Processing Standards ("FIPS") 199, Federal Risk and Authorization
<br />Management Program ("FedRamp"), or Control Objectives for Information and Related Technology ("COBIT'1. For
<br />purposes of this section, "cloud computing" has the meaning defined by the U.S. Department of Commerce, NIST
<br />Special Publication 800-145, currently available online at:
<br />http·//csrc.nist.qov/publications/nistpubs/800-145/S PS00-145,pdf.
<br />Contract Vendor will make its Policy available to the State on a confidential, need-to-know basis, along with other
<br />related information reasonably requested by the State regarding Contract Vendor's security practices and policies.
<br />Unless inconsistent with applicable laws, Contract Vendor and the State must treat the Policy and related
<br />information on security practices and policies that are specific to the State as confidential information and as not
<br />public data pursuant to Minnesota Statutes section 13.37.
<br />Page 36 of 37
|