|
ATTACHMENT A
<br />HIPAA AND DATA SECURITY REQUIREMENTS
<br />penetration tests, and confirm compliance with the security requirements herein. The audit
<br />should include any specific data center facility where the service is deployed, and all
<br />failover facilities unless those facilities provide their own SOC 2 Type 2 audit.
<br />12. Disaster Recovery. Contractor shall document, test and maintain a disaster recovery plan
<br />including an alternate facility to assure the system/service is recovered within 24 hours of
<br />a force majeure event. The recovery plan must protect against more than 24 hours of DOC
<br />data being lost.
<br />12. Insurance Requirements. If this agreement involves the Contractor collecting, storing,
<br />creating, altering, processing, transmitting, routing, or handling any DOC Category 3 or
<br />Category 4 data, then Contractor shall obtain and maintain for the duration of the
<br />Agreement, at Contractor's expense, the following insurance coverages which the parties
<br />agree are unaffected by any limitation of liability language within this Agreement.
<br />a. Technology Professional Liability (errors and omissions)
<br />The Contractor shall maintain Technology Professional Liability (errors and
<br />omissions) insurance, to include coverage of claims involving infringement of
<br />intellectual property. This shall include but is not limited to infringement of
<br />copyright, trademark, trade dress, invasion of privacy violations, information theft,
<br />damage to or destruction of electronic information, release of private information,
<br />alteration of electronic information, extortion, network security, regulatory defense
<br />(including fines and penalties), and notification costs. The coverage limits must be
<br />at least $1,000,000 per covered claim without sublimit, and $2,000,000 annual
<br />aggregate.
<br />b. Crime and Employee Dishonesty
<br />The Contractor shall maintain Employee Dishonesty and (when applicable)
<br />Inside/Outside Money and Securities coverages for property owned by the State
<br />of Washington in the care, custody, and control of Contractor, to include electronic
<br />theft and fraud protection. The coverage limits must be at least $1,000,000 per
<br />covered claim without sublimit, $2,000,000 annual aggregate.
<br />c. Cyber Risk Liability Insurance
<br />The Contractor shall maintain coverage for Cyber Risk Liability, including
<br />information theft, computer and data loss replacement or restoration, release of
<br />private information, alteration of electronic information, notification costs, credit
<br />monitoring, forensic investigation, Cyber extortion, crises management, public
<br />relations expenses, regulatory defense (including fines and penalties), network
<br />security, and liability to third parties from failure(s) of contractor to handle, manage,
<br />store, and control personally identifiable information belonging to others. The
<br />policy must include full prior acts coverage. The coverage limits must be at least
<br />$1,000,000 per covered claim without sublimit, $2,000,000 annual aggregate.
<br />Washington State K14078 Page 19 of 19
<br />Department of Corrections Attachment A 26RAD
<br />
|