- All information collected by the Virginia Employment Commission ("VEC") for the Unemployment Compensation ("UC") program is extremely sensitive and confidential. Contractors, agents and vendors, including their officers, directors, employees and subcontractors ("Vendor") with access to VEC confidential information must follow the stricter of: (i) security standards published by the Virginia Information Technologies Agency, or (ii) the same information security guidelines as VEC staff, and agree to require all individuals with access to VEC confidential information to comply with all confidentiality and security safeguards, including those mandated by Federal Regulations, Title 20: Employees' Benefits, Chapter 5, Part 603 - Federal-State Unemployment Compensation (UC) Program: Confidentiality and Disclosure of State UC Information ("20 CFR Part 603").
- Redisclosure of VEC information is prohibited without the expressed permission of VEC. Vendor shall notify the VEC immediately upon receipt of any legal order or request for confidential UC information issued by a court or government agency, or required by federal, state or local law, regulation or a valid order issued by a court or governmental agency (a "Legal Order"). Disclosure mandated by Legal Order shall not be an unauthorized disclosure under this Agreement provided that Vendor gives: (a) prompt written notice to VEC of such requirement so that the VEC may seek, at its sole cost and expense, a protective order or other remedy; and (b) reasonable assistance, at the VEC's sole cost and expense, in opposing such disclosure or seeking a protective order or other limitations on disclosure. If, after providing such notice and assistance as required herein, the VEC remains subject to a Legal Order to disclose any Confidential Information, Vendors (or their Representatives or other persons to whom such Legal Order is directed) shall disclose no more than that portion of the Confidential Information which the Legal Order specifically requires them to disclose.
- Vendor shall take all commercially reasonable precautions and measures, but in no event less than those industry standard precautions and measures employed by industry leading information technology providers, necessary to ensure the integrity, nondisclosure, confidentiality and protection of all VEC data and information, including but not limited to all original reporting forms and data in any other form. Vendor understands that all VEC data and information that is accessed, obtained, or derived will be held in the strictest confidence by Vendor and its subcontractors and their respective officers, directors, agents, and employees. Vendor and its officers, directors, agents or contractors and employees shall be governed by, and comply with Federal and Virginia laws prohibiting the disclosure of information obtained or compiled during the course of their work for the VEC.
- Vendor agrees that all individuals with access to VEC information shall comply with all applicable statutes, rules and regulations and understands that disclosure of any information, by any means, for a purpose or to an extent unauthorized herein, shall be a breach of these requirements and grounds for immediate termination of the underlying agreement, contract, order or agreement and may subject the offender to criminal and civil sanctions. Federal rules found in 20 CFR §603.9 establish safeguards and security requirements over the confidentiality and disclosure of state unemployment compensation (UC) information. Vendor agrees to require all individuals, including subcontractors, who may have access to VEC data to adhere to the following requirements:
- Use disclosed information only for purpose(s) authorized by law and the VEC;
- Store disclosed data in a place physically secure from access by unauthorized persons;
- Store and process disclosed information that is maintained in any format, electronic or otherwise, in such a way that is designed to prevent unauthorized persons from obtaining the information by any means;
- Undertake precautions reasonably designed to ensure that only authorized individuals are given access to the disclosed information stored in computer systems;
- Instruct all individuals having access to the disclosed information about confidentiality requirements and the penalty specified in Section 18.2-186.6 of the Code of Virginia, whereby the Office of the Attorney General may impose a civil penalty and an individual may recover direct economic damages; and,
- Dispose of information obtained, and any copies made thereof, within thirty (30) days after its contracted purpose has been met by shredding paper copies or properly wiping information from electronic media meeting, or exceeding, Commonwealth of Virginia standards, which require proof of disposal of confidential or sensitive information be provided to VEC within thirty (30) days.
- Vendor shall provide a listing to VEC of all individuals having access to VEC confidential information and sign an acknowledgment upon request by VEC attesting that all individuals having access to VEC confidential information have been instructed about the confidentiality and security requirements of and will comply with VEC's confidentiality requirements and procedures.
- Vendor agrees to comply with Commonwealth of Virginia Information Technology Resource Management (COV ITRM) Policies, Standards, and Guidelines including current Standards SEC 501, SEC 519 and SEC 525.
- Vendor agrees that confidential UC information shall not be stored on mobile data storage media (including laptops) unless there is a documented business necessity approved in writing by the Commissioner of the VEC and that all data storage media containing sensitive data are physically and logically secured (such as using locks, authentication and encryption).
- Vendor agrees to comply with Records Retention and Disposition Schedules authorized by the Library of Virginia applicable for any public records under its care and control.
- If Vendor knows or reasonably suspects that any confidential or sensitive VEC information has been lost, stolen, subject to unauthorized use, exposure, access, disclosure, compromise or modification, Vendor shall immediately notify the Chief Information Security Officer (CISO) at the Virginia Information Technologies Agency (VITA), VEC's Information Security Officer (ISO), and ________. The notification must be made within twenty-four (24) hours of discovery or reasonable belief and include the following information:
- Cause(s) of the breach incident
- Date(s) of the breach incident
- Estimated size of the affected population (number of personal records)
- The type of data exposed
- Any mitigating factors
- Unlawful access, disclosure, or use of sensitive and confidential information by Vendor or its Representatives shall result in reimbursement to the VEC for costs associated with special investigations, audits, credit monitoring and any legal action that ensues. The VEC must undertake any other action under the Agreement, or under any State or Federal law, to enforce the Agreement and secure satisfactory corrective action, and must take other remedial actions permitted under State or Federal law to effect adherence, including seeking damages, penalties, and restitution as permitted under such law for any charges to granted funds and all costs incurred by the VEC in pursuing the breach of the agreement and enforcement of the agreement (20 CFR 603.10 (c)(2)).
- Should an unauthorized disclosure of confidential VEC information take place, Vendor shall jointly participate in the investigation of the incident; however, VEC, as the data owner, shall have control over any decisions regarding external reporting. Vendor shall indemnify and hold harmless the Commonwealth, the VEC, and any of their respective officers, employees, agents, and attorneys from all costs including fines and penalties related to the investigation, notification to affected individuals, and remediation of the data breach, and from all costs (including reasonable attorney fees, expert witness fees, and expenses of litigation), claims, injuries, and damages incurred resulting in whole or in part from any actions or failures to act by Vendor or its subcontractor(s) relating to the information or to a breach of this Agreement.
- VEC has the right to implement additional controls over the maintenance and safekeeping of confidential VEC data. Vendor will be responsible for implementing and maintaining any additional controls as required by federal or state mandates after sufficient notification in writing.
- Vendor and subcontractor(s) are subject to periodic audit, compliance reviews and on-site inspections by the VEC to ensure that the requirements in this agreement are being met. Vendor agrees to provide on an annual basis, as requested by VEC, the results of the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) audit performed on their organization. The results should be identified within the Service Organization Control (SOC) Report format relevant to the contract. In most cases this will be a SOC 2 Type 2 report.
- The requirements governing confidentiality and non-disclosure of VEC information shall survive termination of any underlying contract.
- If Vendor fails to comply with any security requirements, VEC must, in accordance with 20 CFR 603.10(c), suspend access, and not make further disclosure until VEC is satisfied that corrective action has been taken and there will be no further breach. In the absence of prompt and satisfactory action, VEC will cancel the contract or agreement, and Vendor will surrender or destroy all VEC confidential information (and copies thereof).
Contact Information for the Virginia Employment Commission:
Information Security Officer