Gramm-Leach-Bliley Act Contract Clause

Include the standard language printed below in all future contracts with
third party service providers that have access to the institution’s
customers’ non-public financial information.

Throughout the term of this Agreement, Service Provider shall implement and maintain
‘appropriate safeguards,’ as that term is used in § 314.4(d) of the FTC
Safeguard Rule, 16 C.F.R. § 314, for all ‘customer information,’ as that term
is defined in § 314.2(b) of the FTC Safeguard Rule, delivered to Service
Provider by Institution pursuant to this Agreement. The Service Provider shall
implement an Information Security Program (‘the Program’) as required by the
FTC Safeguard Rule. Service Provider shall promptly notify the Institution, in
writing, of each instance of (i) unauthorized access to or use of that nonpublic
financial customer information that could result in substantial harm or
inconvenience to a customer of the Institution or (ii) unauthorized disclosure,
misuse, alteration, destruction or other compromise of that nonpublic financial
customer information.

Service Provider shall forever defend and hold Institution harmless from all claims,
liabilities, damages, or judgments involving a third party, including
Institution’s costs and attorney fees, which arise as a result of Service
Provider’s failure to meet any of its obligations under this Addendum. Service
Provider shall further agree to reimburse the Institution for its direct
damages (e.g., costs to reconstruct lost or altered information) resulting from
any security breach, loss, or alteration of nonpublic financial customer
information caused by the Service Provider or its subcontractors or agents.

Service Provider grants Institution the right to conduct on-site audits, as deemed
necessary by the Institution, of the Service Provider’s Program to ensure the
integrity of the Service Provider’s safeguarding of the Institution’s
customers’ nonpublic financial information.

Institution retains the right to unilaterally terminate the Agreement if Service Provider
has allowed a material breach of its Program in violation of its obligations
under the GLBA, if Service Provider has lost or materially altered nonpublic
financial customer information, or if the Institution reasonably determines
that Service Provider’s Program is inadequate.

Within thirty (30) days of the termination or expiration of this Agreement, Service
Provider shall, at the election of Institution, either: (1) return to the
Institution or (2) destroy (and shall cause each of its agents to destroy) all
records, electronic or otherwise, in its or its agent’s possession that contain
such nonpublic financial customer information and shall deliver to the
Institution a written certification of the destruction.