that are consumer reports as defined by the Vermont
<br />Fair Credit Reporting Act ("VFCRA"), only after Client
<br />has received prior Consumer consent in accordance
<br />with VFCRA Section 2480e and applicable Vermont
<br />Rules. Client further certifies that a copy of
<br />Section 2480e of the Vermont Fair Credit Reporting
<br />Statute, attached hereto as Exhibit A-1, was received
<br />from Barada.
<br />Client will comply with the applicable provisions of the
<br />FCRA, Federal Equal Credit Opportunity Act and any
<br />amendments to it, all state law counterparts of them,
<br />and all applicable regulations promulgated under any
<br />of them including, without limitation, any provisions
<br />requiring adverse action notification to the Consumer.
<br />Data Security. This Section 6 applies to any means
<br />through which Client orders or accesses EVS
<br />Employment Information including, without limitation,
<br />system-to-system, personal computer or the Internet.
<br />The term "Authorized User" means an employee of
<br />Client that Client has authorized to order the EVS
<br />Employment Information and who is trained on
<br />Client's obligations under this Agreement with respect
<br />to the ordering and use of the EVS Employment
<br />Information, including Client's FCRA and other
<br />obligations with respect to the access and use of
<br />consumer reports.
<br />a) With respect to handling the EVS Employment
<br />Information, Client agrees to:
<br />• ensure that only Authorized Users can order
<br />or have access to EVS Employment
<br />Information,
<br />• ensure that Authorized Users do not order
<br />EVS Employment Information for personal
<br />reasons or provide them to any third party
<br />except as permitted by this Agreement,
<br />• inform Authorized Users that unauthorized
<br />access to consumer reports may subject
<br />them to civil and criminal liability under the
<br />FCRA punishable by fines and
<br />imprisonment,
<br />• ensure that all devices used by Client to
<br />order or access the EVS Employment
<br />Information are placed in a secure location
<br />and accessible only by Authorized Users and
<br />that such devices are secured when not in
<br />use through such means as screen locks,
<br />shutting power controls off, or other
<br />commercially reasonable security
<br />procedures,
<br />• take all necessary measures to prevent
<br />unauthorized ordering of EVS Employment
<br />Information by any persons other than
<br />Authorized Users for permissible purposes,
<br />including, without limitation,
<br />(a) limiting the knowledge of the Client security
<br />codes, member numbers, User IDs, and any
<br />passwords Client may use (collectively,
<br />"Security Information"), to those individuals
<br />with a need to know, (b) changing Client's
<br />user passwords at least every ninety
<br />(90) days, or sooner if an Authorized User is
<br />no longer responsible for accessing the EVS
<br />Employment Information, or if Client
<br />suspects an unauthorized person has
<br />learned the password, and (c) using all
<br />security features in the software and
<br />hardware Client uses to order EVS
<br />Employment Information,
<br />• in no event access the EVS Employment
<br />Information via any hand-held wireless
<br />communication device, including but not
<br />limited to, web enabled cell phones,
<br />interactive wireless pagers, personal digital
<br />assistants (PDAs), mobile data terminals,
<br />and portable data terminals,
<br />• not use non-company owned assets such as
<br />personal computer hard drives or portable
<br />and/or removable data storage equipment or
<br />media (including but not limited to laptops,
<br />zip drives, tapes, disks, CDs, and DVDs) to
<br />store EVS Employment Information.
<br />• encrypt EVS Employment Information when
<br />it is not in use and with respect to all printed
<br />EVS Employment Information store in a
<br />secure, locked container when not in use
<br />and completely destroyed when no longer
<br />needed by cross-cut shredding machines (or
<br />other equally effective destruction method)
<br />such that the results are not readable or
<br />useable for any purpose,
<br />(1) if Client sends, transfers or ships any
<br />EVS Employment Information, encrypt
<br />the EVS Employment Information using
<br />the following minimum standards, which
<br />standards may be modified from time to
<br />time by EVS: Advanced Encryption
<br />Standard (AES), minimum 128-bit key or
<br />Triple Data Encryption Standard
<br />(3DES), minimum 168-bit key encrypted
<br />algorithms,
<br />(2) monitor compliance with the obligations
<br />of this Section 6, and immediately notify
<br />EVS if Client suspects or knows of any
<br />unauthorized access or attempt to
<br />access the EVS Employment
<br />Information, including, without limitation,
<br />a review of EVS invoices for the
<br />purpose of detecting any unauthorized
<br />activity,
<br />• not ship hardware or software between
<br />Client's locations or to third parties without
<br />deleting all Security Information and any
<br />EVS Employment Information,
<br />• if Client uses a Service Provider to establish
<br />access to EVS Employment Information, be
<br />responsible for the Service Provider's use of
<br />Security Information, and ensure the Service
<br />Provider safeguards Security Information
<br />through the use of security requirements that
<br />are no less stringent than those applicable to
<br />Client under this Section 6,
<br />Barada Master Service Agreement
<br />Confidential and Copyright 2017 Barada Associates Inc.