Version 13
Contract Information and Signature Form
If contracting as a: Producer only - complete sections 1, 3 & Individual FCRA Authorization Form
Business Entity only - complete sections 2 & 3
Section 1
Business Entity & Principal- complete sections 1, 2, 3 (both signature blocks) & Individual FCRA Authorization Form
Producer Information (Required)
Name: SSN: - - DOB: - -
First Name, Middle Initial, Last Name (as it appears on license) MM DD YYYY
Home Address:
Not a P.O. Box City State Zip Code
Business Address:
P.O. Box Accepted City State Zip Code
Primary Phone Number: - - Business Phone: - - Email Address:
Master
General
Agenc
y (If applicable):
Errors
&
Omission
Insurance
(As Required): $
Background Information (Required - Must be answered)
Carrier Name Minimum $1M Per Claim
Yes No
Has any regulatory authority, such as an insurance department, FINRA or the SEC ever fined or suspended you,
placed you on probation, assessed you any administrative costs, entered into a consent order with you, issued
you a restricted license, or otherwise disciplined you? Are you currently under investigation by any regulatory
authority, such as an insurance department, FINRA or the SEC?
Yes No
Other than minor traffic offenses that did not result in harm to a person or property, have you been (1)
convicted of any offense, or (2) pled guilty or nolo contendre (no contest) to any offense?
NOTE: Answering YES” to the above questions does not automatically preclude you from being contracted.
If Yes, please include county _____________________________________________________________________
Directions: PLEASE PROVIDE A WRITTEN EXPLANATION for any “YESanswer including the disposition and applicable supporting documentation (court documents,
insurance department documents etc.). Failure to answer “YES”, when appropriate, may result in denial of your request to be contracted.
Contracting Selection (Required)
Direct Deposit Information (Complete if you are electing direct deposit - not applicable for Special Agents)
Financial Institution:
Routing Number:
Account Number: Account Type Checking Savings
This is not an assignment of commissions. Form 1099 will be issued to the commission owner.
Express Pay Opt In
Eligibility requires Direct Deposit, Electronic Statements and no active Legal Judgments. Express Pay may not be available for all Marketers.
Express Pay is calculated every day. (If unselected, default pay cycle is Weekly.)
Designation of Beneficiary (if applicable)
Name:
First Name, Middle Initial, Last Name or Business Name
Home Address:
Relationship:
Not a P.O. Box City State Zip Code
SSN: - - or TIN: - DOB: - - Phone Number: - -
W-9 Information
Taxpayer Identification Number (SSN)
Enter your TIN in the appropriate box. For individuals, this is your social security number. For other entities, it is your employer identification number.
Social Security Number --- ---
Certification
Under penalties of perjury, I certify that:
1. The number provided is my correct taxpayer identification number, and
2. I am not subject to backup withholding because: (a) I am exempt from backup withholding, or (b) I have not been notified by the Internal Revenue Service (IRS) that I
am subject to backup withholding as a result of a failure to report all interest or dividends, or (c) the IRS has notified me that I am no longer subject to backup
withholding, and
3. I am a U.S. person (a U.S.
citizen or U.S. resident alien or a partnership, corporation, company or association created or organized in the U.S. or under the laws of the
U.S. or an estate (other than a foreign estate) or a domestic trust (as defined in Regulations section 301.7701-7).
Certification instructions: You must cross out item 2 above if you have been notified by the IRS that you are currently subject to backup withholding because you have
failed t
o report all interest and dividends on your tax return.
The Internal Revenue Service does not require your consent to any provision of this document other than the above-referenced
certifications required to avoid backup withholding.
Sign Here
Signature of
U.S. Person
Date
****Please proceed to Section 3****
I have received, reviewed and agree to be bound by the Terms & Conditions of the General Agent Agreement with
Mutual of Omaha and its
aff
i
liates (BMO151.013)
Please retain a copy of the agreement for your files. A copy will not be returned to
you.
I have received, reviewed and agree to be bound by the Terms & Conditions of the
Special Agent Agreement
with Mutual of Omaha and its
affiliates (BMO152.013)
Please retain a copy of the agreement for your files. A copy will not be returned to you.
Contract Information and Signature Form
Section 2
Business Information (Only complete this section if contracting as an Incorporated Entity, Partnership or LLC)
Name:
TIN: -
(As Shown On Income Tax Returns)
Doing Business As: __________________________________________________________
Address:
P.O. Box Accepted City State Zip Code
Phone: - - Email Address:
Principal Officer:
Master
General
Agency
(If applicable):
Contracting Selection (Required for Corporation)
I have received, reviewed and agree to be bound by the Terms & Conditions of the General Agent Agreement
with Mutual of Omaha and its affiliates (BMO151.013)
Please retain a copy of the agreement for your files. A copy will not be returned to you.
Direct Deposit Information (Complete if you are electing direct deposit)
Financial Institution:
Routing Number: Account Number: Account Type Checking Savings
This is not an assignment of commissions. Form 1099 will be issued to the commission owner.
Express Pay Opt In
Eligibility requires Direct Deposit, Electronic Statements and no active Legal Judgments. Express Pay may not be available for all marketers.
Express Pay is calculated every day. (If unselected, default pay cycle is Weekly.)
W-9 Information
Taxpayer Identification Number (TIN)
Enter your TIN in the appropriate box. For individuals, this is your social security number. For other entities, it is your employer identification number.
Employer Identification Number ---
Certification
Under penalties of perjury, I certify that:
1. The number provided is my correct taxpayer identification number, and
2. I am not subject to backup withholding because: (a) I am exempt from backup withholding, or (b) I have not been notified by the Internal Revenue
Service (IRS) that I am subject to backup withholding as a result of a failure to report all interest or dividends, or (c) the IRS has notified me that I
am no longer subject to backup withholding, and
3. I am a U.S. person (a U.S. citizen or U.S. resident alien or a partnership, corporation, company or association created or organized in the U.S. or
under the laws of the U.S. or an estate (other than a foreign estate) or a domestic trust (as defined in Regulations section 301.7701-7).
Certification i
nstructions: You must cross out item 2 above if you have been notified by the IRS that you are currently subject to backup withholding
because you have failed to report all interest and dividends on your tax return.
The Internal Revenue Service does not require your consent to any provision of this document other than the above-
referenced certifications required to avoid backup withholding.
Sign Here
Signature of
U.S. Person Date
****Please proceed to Section 3*****
Section 3 - Contract Signature, Certification and Direct Deposit Authorization
By signing below:
(a) you agree to be bound by the terms and conditions of the Agreement(s) selected,
(b) you certify that the information that you have provided is true and correct and you agree that you will report immediately any event that would change
any of the information, in any manner, which you have provided,
(c) you agree to maintain your state insurance license in good standing, stay current with required continuing education, and obtain and maintain E&O
coverage as re
quired, and
(d) if you have completed the Direct Deposit section(s) you authorize Mutual of Omaha Insurance Company ("Company") and its affiliates to
electronically credit the bank account and, if necessary, to electronically debit the account to correct erroneous credits. You understand that this
authorization will remain in full force and effect until you notify Company that you wish to revoke this authorization.
Producer Signature Business Signature (If Signing on the behalf of the Business)
Name:
(Signature
Required)
Date:
Name:
Title:
(Required)
*****Please proceed to the FCRA Authorization Form***** Date
Version 13
x
State Appointment Requests- To add the appointment the producer must have an active state license
Please mark the state appointments to be added for this producer: Please include license copies, grid or NIPR report.
All States Licensed
Alabama Kentucky North Carolina
Alaska Louisiana North Dakota
Arizona Maine Ohio
Arkansas Maryland *Oklahoma
California *Massachusetts Oregon
Colorado Michigan *Pennsylvania
Connecticut Minnesota Rhode Island
Delaware Mississippi South Carolina
Florida Missouri South Dakota
*Georgia *Montana Tennessee
Hawaii Nebraska Texas
Idaho Nevada Utah
Illinois New Hampshire Vermont
Indiana New Jersey *Virginia
Iowa *New Mexico Washington
Kansas New York West Virginia
Wisconsin
Wyoming
*IM
PORTANT NOTICE REGARDING COMPENSATION:
*If individuals and corporations do not follow the above guidelines for the states referenced, compensation will be held
on anyone in the hierarchy who does not hold the license and appointment.
*States listed in either red or half red & blue are pre-appointment states and require the producer to be appointed prior
to soliciting business
If no copies, grid or NIPR report are received only the resident state will be added
Producer Name _____________________________ SSN/Producer Number ______________________
FAIR CREDIT REPORTING ACT DISCLOSURE
Disclosure Regarding Consumer Reports
Mutual of Omaha Insurance Company and its affiliates with which you intend to contract
(together, “Mutual of Omaha”) may obtain and use consumer reports about you in order
to evaluate your eligibility to contract with Mutual of Omaha as an insurance producer or
to remain contracted as an insurance producer for Mutual of Omaha.
Your Authorization
By signing below, I authorize Mutual of Omaha to obtain and use consumer reports
about me in order to evaluate my eligibility to contract with Mutual of Omaha as an
insurance producer. If I do contract with Mutual of Omaha as an insurance producer, by
signing below, I also authorize Mutual of Omaha to obtain and use consumer reports
about me while my contract is in effect in order to evaluate my continued eligibility to
remain an insurance producer for Mutual of Omaha.
Candidate Signature Date
Print Name
click to sign
signature
click to edit
Additional Information About Consumer Reports
Consumer reports may include, among other things, information about your credit
history, criminal record and history, and insurance department regulatory actions.
We will obtain a copy of your consumer report from:
Name/Address/Phone
For California, Minnesota and Oklahoma: You have a right to request a copy of the consumer report
which will disclose the nature and scope of the report.
Yes, please provide me a copy of the consumer report
For New York: You have a right, upon written request, to be informed of whether or not a consumer
report was requested. If a consumer report is requested, you will be provided with the name and address
of the consumer reporting agency furnishing the report.
1
M23294_12/19 BMO152.013
SPECIAL AGENT AGREEMENT
This Special Agent Agreement (“Agreement”) is entered into between the undersigned
Special Agent (“Special Agent”) and Mutual of Omaha Insurance Company, and each
affiliated insurance company as specified on the Compensation/Product Schedule(s)
attached to the Agreement (hereinafter referred to as the “Company”). The parties agree that
additional affiliates of the Company may be added to the Agreement at a later date by way of
changes/additions to the Compensation/Product Schedules attached hereto. Any Company
affiliate added to the Agreement will be thereafter included in the definition of “Company”.
SEE SECTION J FOR DEFINITIONS
The parties agree as follows:
A. APPOINTMENT. Company authorizes Special Agent to solicit Product applications.
Company agrees to appoint Special Agent with the appropriate state insurance
departments for Special Agent to solicit Product applications. This appointment is not
exclusive.
B. COMPENSATION. All compensation for Products solicited by Special Agent while
this Agreement is in effect shall be paid to a General Agent or Master General
Agency pursuant to the terms and conditions of the applicable Compensation/Product
Schedule. Company has no obligation to pay compensation to Special Agent for any
services performed pursuant to this Agreement.
C. SPECIAL AGENT’S DUTIES.
1. Licenses and Approvals. Special Agent shall obtain and maintain and
provide copies of all necessary licenses and regulatory approvals to perform
the services under this Agreement.
2. Personal Solicitation and Service. Special Agent shall solicit applications for
Products and provide services to Customers for the Products.
3. Confidentiality and Privacy. Special Agent certifies that they will comply with
the “Confidentiality and Privacy Amendment” which is attached hereto and
incorporated into this Agreement. Company may unilaterally revise the
Confidentiality and Privacy Amendment upon written notice to Special Agent.
4. Compliance with Laws and Conduct. Special Agent shall comply with all
applicable laws and regulations and act in an ethical, professional manner in
connection with this Agreement, including, without limitation, with respect to any
compensation disclosure obligations and any other obligations it may have
governing its relationships with its clients.
5. Compliance with Company Policies. Special Agent shall comply with all
policies, practices, procedures, processes and rules of Company. Special
2
M23294_12/19 BMO152.013
Agent shall promptly notify Company if Special Agent is not in compliance with
any Company policy, procedure, process or rule.
6. Insurance. Special Agent shall have and maintain Errors and Omissions
liability insurance covering Special Agent and Special Agent’s employees
during the term of this Agreement in an amount and nature, and with such
carrier(s) satisfactory to Company and provide evidence of such insurance to
Company upon request.
7. Fiduciary Responsibilities. Special Agent shall be responsible for all money
collected by Special Agent on behalf of Company and shall remit to Company
all payments and collections received for or payable to Company from
applicants, customers, or others no later than 10 days after receipt, or within
any shorter period required by law. All money tendered as payment shall
always be the property of Company and shall be held by Special Agent purely
in a fiduciary capacity and not for Special Agent’s own benefit. Special Agent is
not authorized to spend, cash or deposit for any purpose any portion of such
money.
8. Records. Except as provided in the Confidentiality and Privacy Amendment,
Special Agent shall keep regular and accurate records of all transactions
related to this Agreement for a period of at least five years from the date of
such transactions, or longer if required by federal or state law or regulation.
9. Advertising Materials. Special Agent shall obtain Company’s written approval
prior to using any advertising material or script identifying Company or
Products, except such material provided by Company and used pursuant to
Company’s instructions.
10. Notice of Litigation or Regulatory Proceeding. Special Agent shall promptly
notify Company upon receiving notice of potential, threatened, or actual
litigation or any regulatory inquiry or complaint with respect to this Agreement or
any Product. Company shall have final decision-making authority to assume the
administration and defense of any such action. A copy of the correspondence
or document received shall accompany each notice.
11. Delivery of Documents to Customers. Upon request from Company, Special
Agent shall deliver to its customers any information that Company provides to
Special Agent for the purpose of fulfilling Company’s obligation to provide such
information to the customer, including without limitation, Schedule A to Form
5500 and any other information relating to compensation paid to Special Agent.
Special Agent shall deliver such information to its customers within the time
period required by ERISA or other applicable law or as otherwise instructed by
Company.
3
M23294_12/19 BMO152.013
D. LIMITATIONS. Special Agent shall not:
1. Expense or Liability. Incur any expense or liability on account of, or otherwise
bind Company without specific prior written approval from an Authorized
Representative.
2. Alteration. Alter any advertising materials or make, alter, waive or discharge
any contracts or Products on behalf of Company.
3. Premium Payments and Reinstatement. Extend the time for payment of any
premium or waive any premium, or bind Company to reinstate any terminated
contract, or accept payment in any form other than a customer check or money
order payable to the Company or other method authorized by Company.
4. Respond in Connection with Proceeding. Institute or file a response to any
legal or regulatory proceeding on behalf of Company in connection with any
matter pertaining to this Agreement or any Product, without Company’s prior
written consent.
5. Replacement. Replace any existing insurance product or annuity contract
unless the replacement is in compliance with all applicable laws and regulations
and is in the best interest of the customer. The decision whether to replace an
insurance product or annuity contract should be made by the customer. To
help the customer make a decision regarding any proposed replacement,
Special Agent must provide the customer with full disclosure (both positive and
negative) of all relevant information.
6. Misrepresentation. Misrepresent any provision, benefit, or premium of any
Product.
E. TERMINATION WITH OR WITHOUT CAUSE. In addition to the termination
provisions set forth in the Confidentiality and Privacy Amendment, Special Agent or
Company shall have the right at any time to terminate this Agreement, with or without
cause, upon written notice to the other party. Termination shall be effective as of the
Termination Date.
F. INDEPENDENT CONTRACTOR. Special Agent is an independent contractor and not
an employee of Company. Subject to legal and regulatory requirements, Special
Agent shall be free to exercise Special Agent’s own judgment as to the persons from
whom Special Agent will solicit and the time and place of such solicitation.
G. INSPECTION OF BOOKS AND RECORDS. Company shall have the right, during
normal business hours and with reasonable notice, to inspect, audit and make copies
from the books and records of the Special Agent for the purpose of verifying Special
Agent’s compliance with the provisions of this Agreement.
4
M23294_12/19 BMO152.013
H. INDEMNITY AND HOLD HARMLESS. Each party shall indemnify and hold the other
party harmless from any liability, loss, costs, expenses (including reasonable
attorneys’ fees incurred by the indemnified party) or damages, including punitive and
extra-contractual damages, resulting from any act or omission of its obligations
provided in this Agreement by the indemnifying party or any of its employees or
agents in the performance of its duties under this Agreement or other agreements
with Company, including without limitation, any breach of its obligations provided
under this Agreement.
I. GENERAL.
1. Issue and Product Type. Company shall retain the right to decide whether to
issue or withdraw a Product and determine the type of Product to be issued or
withdrawn. Company may discontinue or change a Product at any time.
2. Producer of Record. The producer of record for any Product shall be
determined by Company records. Company reserves the right to change the
producer of record according to Company procedures and shall have no
obligation to designate a successor producer of record.
3. Notice. Any notice required or permitted to be sent to Company under this
Agreement shall be delivered personally or sent by U.S. Mail with all postage
prepaid or by express mail to:
Producer Services
Mutual of Omaha Insurance Company
Mutual of Omaha Plaza
Omaha, Nebraska 68175-0001
4. Entire Agreement. This Agreement, the Confidentiality and Privacy
Amendment and the Compensation/Product Schedules constitute the entire
agreement between the parties regarding the Products sold under this
Agreement.
5. Governing Law. With respect to Companion Life Insurance Company, this
Agreement shall be governed by the laws of the State of New York, without
giving effect to that State’s principles of conflicts of law. With respect to any
other Company, this Agreement shall be governed by the laws of the State of
Nebraska, without giving effect to that State’s principles of conflicts of law.
6. Severability. In the event any provision of this Agreement is found to be
invalid or unenforceable, the remaining provisions shall remain in effect.
7. No Waiver. Failure of Company to enforce any provision of this Agreement
shall not operate to waive or modify such provision or render such provision
unenforceable.
5
M23294_12/19 BMO152.013
8. No Assignment or Change. Except for Compensation/Product Schedules,
Confidentiality and Privacy Amendments and other amendments to the
Agreement which are required by federal, state or local laws or regulations, no
modification, amendment or assignment of this Agreement shall be valid unless
approved in writing by an Authorized Representative. Compensation/Product
Schedules, Confidentiality and Privacy Amendments and other amendments to
the Agreement which are required by federal, state or local laws or regulations
may be distributed only by Company but need not be signed by either party to
be effective.
9. Survival. Special Agent’s appointment pursuant to Section A of this
Agreement shall immediately terminate on the Termination Date. Except for
Section C.2 of this Agreement, all other provisions of this Agreement shall
survive its termination.
10. Headings. Any section or other heading contained in this Agreement are for
reference purposes and convenience only and shall not affect, in any way, the
meaning and interpretation of this Agreement.
11. Counterparts. This Agreement may be executed in counterparts, each of
which shall be deemed an original, but all of which together shall constitute one
and the same instrument.
J. DEFINITIONS. The following terms have the following meanings. Any singular word
shall include any plural of the same word.
1. Authorized Representative” means the Chief Executive Officer or President
of a Company or an individual authorized in writing by the Chief Executive
Officer or President.
2. Compensation/Product Schedule” means a Company’s distributed
commission schedule that (a) specifies the amounts and conditions under
which commissions will be due and payable to Special Agent’s designee for any
Product, and (b) is made a part of this Agreement.
3. Product” means any insurance policy, contract, investment vehicle or other
offering identified in any Compensation/Product Schedule.
4. Termination Date” means the later to occur of (a) the date on which Special
Agent or Company sends written notice of termination to the other party, or (b)
the date specified by Special Agent or Company in a written notice of
termination to the other party.
6
M23294_12/19 BMO152.013
MUTUAL OF OMAHA INSURANCE COMPANY
ON BEHALF OF IT AND ITS AFFILIATES SET FORTH
IN COMPENSATION/PRODUCT SCHEDULES
ATTACHED TO THIS AGREEMENT
TO BE COMPLETED BY SPECIAL AGENT
FOR ALL STATES
SPECIAL AGENT
By: See signature on Producer Contract Information
and Signature Form
(Signature always required)
M23294_12/19 BMO152.013
SPECIAL AGENT AGREEMENT
MUTUAL OF OMAHA INSURANCE COMPANY
ON BEHALF OF IT AND ITS AFFILIATES SET FORTH IN
COMPENSATION PRODUCT SCHEDULES
ATTACHED TO THIS AGREEMENT
By:
Name:
Title:
Date:
M23294_12/19 BMO152.013
CONFIDENTIALITY AND PRIVACY AMENDMENT
1. Definitions. The following terms will have the following meanings:
(a) Business Information means information, oral, electronic, or in writing, that
is either of such a nature that a party should reasonably believe it to be
confidential or is designated as confidential by either party, including, without
limitation, any information or other materials that either party exchanges with the
other party or its Representatives in any form and in any media now or hereafter
developed, or other information, the tampering with which, or unauthorized Use
of which, would cause a material adverse impact to the business operations or
security of a party. If information is designated as confidential, such designation
will be in any written form which clearly communicates that the nonpublic
business or financial information is confidential. The term “Business
Information” will not include any information that: (i) is or becomes part of the
public domain or is publicly available through no act or omission or through no
breach of any contracts; (ii) is known at the time of disclosure without an
obligation to keep it confidential, as evidenced by documentation in possession at
the time of such disclosure; (iii) becomes rightfully known from another source
without restriction on Use; or (iv) has been independently developed without the
use of or any reference to Business Information.
(b) Confidential Information” means Business Information and Personal
Information, both electronic or otherwise, that a party creates, accesses, uses, or
receives from the other party or a third party, on behalf of a party.
(c) HIPAA Privacy and Security Rules” means the Privacy, Security and Breach
Notification and Enforcement Rules at 45 CFR part 160 and part 164, as may be
amended from time to time.
(d) Information Security Breach” means the unauthorized Use of Confidential
Information which is not permitted by law or by the terms of this Addendum
including, but not limited to, a Security Incident.
(e) Personal Information” means a first name or initial, and last name, in
combination with any: (i) demographic, medical or financial information such as
age, gender, address, Social Security number, driver’s license or non-driver
identification card number, account number, credit or debit card number, or
biometric records; (ii) any security code, access code or password that would
permit access to an individual’s financial account; (iii) past, present or future
physical or mental health condition or treatment; (iv) debt status or history; and
(v) income and other similar individually identifiable personal information that is
not publicly available or that has been designated as such by law or regulation.
The term “Personal Information” includes, but is not limited to, Protected Health
Information.
M23294_12/19 BMO152.013
(f) Protected Health Information” will have the same meaning as that assigned in
the HIPAA Privacy and Security Rules limited to the information acquired,
accessed, used, created, received, stored, or transported from or on behalf of
Company.
(g) Representatives” means all directors, officers, employees, agents, consultants,
Subcontractors, professional advisors and affiliates of a party.
(h) “Security Incident” means the attempted or successful unauthorized Use,
modification or destruction of information, or interference with system operation,
in an electronic information system containing Confidential Information.
(i) “Subcontractors” means all persons to whom SPECIAL AGENT delegates a
function, activity or service under the Agreement, other than in the capacity of a
member of the workforce of SPECIAL AGENT.
(j) “Unsuccessful Security Incident” means an attempted but unsuccessful Security
Incident, and includes, without limitation, pings and other broadcast attacks on
SPECIAL AGENT’s firewall, port scans, unsuccessful log-on attempts, denials
of service attacks, malware such as works or viruses, and any combination of the
above, so long as no such Security Incident results in, or is reasonably anticipated
by SPECIAL AGENT to result in, unauthorized Use, modification, or
destruction of Confidential Information or interference with system operations in
an information system within SPECIAL AGENT’s control.
(k) “Use” means acquisition, access, use, sale, disclosure, transmittal, storage, or
transportation.
2. Obligations Regarding Confidential Information. The performance of the duties and
obligations required under the Agreement may require either party to disclose to the other
certain Confidential Information.
(a) Confidentiality. Each party agrees to retain all Confidential Information in
confidence, and will not Use the other party’s Confidential Information except as
allowed under this Addendum, and for purposes related to the performance of
obligations under the Agreement. Each party will be responsible to the other
party for a breach of the terms of this Addendum and for any Information
Security Breach by itself or its Representatives.
(b) Reporting an Information Security Breach or Security Incident. SPECIAL
AGENT agrees to report to Company any Information Security Breach and any
successful Security Incident of which it becomes aware. Any report made
pursuant to this Section 2(b) will be made as soon as possible, but in no event
later than five (5) business days or such shorter period of time imposed on either
party by federal or state law or regulation following the date that SPECIAL
AGENT becomes aware of the Information Security Breach or successful
M23294_12/19 BMO152.013
Security Incident. SPECIAL AGENT will take action(s) requested by Company
to document and mitigate the Information Security Breach or successful Security
Incident. SPECIAL AGENT will cooperate in evaluating the necessity of
providing any and all notices of an Information Security Breach or successful
Security Incident as deemed advisable or as otherwise required under applicable
laws or regulations.
(c) Return of Confidential Information. During the term of the Agreement,
SPECIAL AGENT will only retain Confidential Information which is necessary
to continue proper management and administration of the services under the
Agreement, or to carry out its legal responsibilities. Upon termination of the
Agreement, SPECIAL AGENT will return, or if agreed to by Company, securely
destroy all Confidential Information that SPECIAL AGENT maintains in any
form. Should Confidential Information be maintained beyond the termination of
the Agreement for legitimate business purposes or as may be required by law,
then SPECIAL AGENT will limit the Use of Confidential Information to the
specific reason requiring retention of Confidential Information, and the
protections of the Agreement and this Addendum will be extended for so long as
Confidential Information is maintained. Once the reason for retention of
Confidential Information has expired, Confidential Information will be returned
or, if agreed to by Company, securely destroyed. The obligation to return or
securely destroy such Confidential Information will not apply to electronic copies
stored solely for back-up and archival purposes (“Backup Copies”) that are not
readily accessible by SPECIAL AGENT. SPECIAL AGENT will not be required
to erase electronically stored Confidential Information that has been saved to
Backup Copies in accordance with its standard electronic back-up practices, on
the condition that, except as otherwise required by applicable law: (i) its
personnel whose functions are not primarily information technology do not
access such Backup Copies; and (ii) its personnel whose functions are primarily
information technology in nature access such Backup Copies only as reasonably
necessary for the performance of their information technology duties (e.g., for
purposes of system recovery). The Backup Copies will continue to be subject to
the remaining terms of this Addendum.
(d) Disposal of Confidential Information. SPECIAL AGENT agrees to maintain a
security policy for the secure disposal of paper and any other media that contains
Confidential Information that includes a technology or methodology that will
render Confidential Information unusable, unreadable or indecipherable.
(e) Cost of an Information Security Breach. SPECIAL AGENT will pay Company
all costs or expenses that result from SPECIAL AGENT’s acts or failure to act
that result in an Information Security Breach.
3. Permitted Uses and Disclosures by SPECIAL AGENT. Unless otherwise prohibited
by the Agreement, this Addendum or applicable federal and state laws and regulations,
M23294_12/19 BMO152.013
including the HIPAA Privacy and Security Rules, SPECIAL AGENT may access, use,
disclose, transmit, store and transport Confidential Information:
(a) for the proper management and administration of SPECIAL AGENT’s business,
provided that the access, use, disclosure, transmittal, storage and transportation
are required by law, or SPECIAL AGENT obtains reasonable assurances from
the entity or person to whom Confidential Information is disclosed that it will
remain confidential and be accessed, used, disclosed, transmitted, stored, or
transported only as required by law or for the purpose for which it was disclosed
to the entity or person;
(b) to carry out the legal responsibilities of SPECIAL AGENT;
(c) to its Representatives if the Representatives are first informed of the confidential
nature of such information and the obligations set forth herein, and agree to be
bound thereby; and
(d) to its Subcontractors if Subcontractors have entered into a written agreement
with SPECIAL AGENT under which Subcontractors agree to be bound by the
obligations in this Addendum.
4. SPECIAL AGENT’s Additional Obligations Regarding Protected Health
Information.
(a) SPECIAL AGENT acknowledges that it is subject to the following requirements
to the same extent as applicable to Company:
(i) to comply with subpart C of 45 CFR part 164 of the HIPAA Privacy and
Security Rules, requiring development, implementation, maintenance and
use of administrative, physical, and technical safeguards that reasonably
and appropriately protect the confidentiality, integrity, and availability of
the Protected Health Information, that it accesses, uses, creates, receives,
maintains, transmits, or transports on behalf of Company;
(ii) at the request of and in the time, manner and means, electronic or
otherwise, as specified by Company, to provide access to Protected Health
Information to Company, or to an individual as directed by Company, in
order to meet the requirements of the HIPAA Privacy and Security Rules;
(iii) to make any amendment(s) to Protected Health Information that Company
directs or agrees to pursuant to HIPAA Privacy and Security Rules in the
time and manner designated by Company;
(iv) to document and maintain information on any disclosure of Protected
Health Information for at least six (6) years, and upon request, in the time,
manner and means designated by Company, make any information about
the disclosure of Protected Health Information available to Company or to
M23294_12/19 BMO152.013
an individual as directed by Company, in order for Company to meet the
accounting requirements of the HIPAA Privacy and Security Rules; and
(v) to make Protected Health Information and its internal practices, books and
records, including policies and procedures, relating to the use and
disclosure of Protected Health Information, available to the Secretary of
Health and Human Services or to a state Attorney General for purposes of
determining SPECIAL AGENT’s or Companys compliance with the
HIPAA Privacy and Security Rules.
(b) The parties acknowledge that this Section 4(b) constitutes notice by SPECIAL
AGENT to Company of the ongoing existence and occurrence of Unsuccessful
Security Incidents for which no additional notice to Company will be required.
5. General Security Requirements.
(a) SPECIAL AGENT will maintain a written, information security program
designed to protect the confidentiality, integrity and availability of Confidential
Information in paper or other records and within its information system,
including computers, devices, applications, and any wireless systems, and
designed to perform the following core information security functions:
(i) identify and assess both internal and external information security risks
(“Risk Assessment”);
(ii) utilize a defensive infrastructure;
(iii) implement policies and procedures that protect Confidential Information
from unauthorized Use;
(iv) detect, respond to, and mitigate, Information Security Breaches and
Security Incidents, restoring normal operations and services; and
(v) fulfill regulatory reporting obligations.
(b) The Risk Assessment performed by SPECIAL AGENT will be:
(i) sufficient to inform the design of the information security program;
(ii) updated as reasonably necessary to address changes to SPECIAL
AGENT’s information systems, records, Confidential Information, and
business operations; and
(iii) documented and carried out in accordance with written policies and
procedures.
M23294_12/19 BMO152.013
(c) SPECIAL AGENT will designate a qualified individual responsible for
overseeing and implementing its information security program and enforcing its
information security policy initiatives.
(d) SPECIAL AGENT will assess the effectiveness of its information security
program through continuous monitoring, periodic penetration testing and
vulnerability assessments, or similar actions, all as dictated by its Risk
Assessment.
(e) SPECIAL AGENT, or SPECIAL AGENT’s designated third party, will:
(i) utilize qualified information security personnel to manage its information
security risks and perform or oversee the performance of SPECIAL
AGENT’s core information security functions; and
(ii) provide or verify that such personnel have obtained periodic information
security training to maintain up-to-date knowledge of changing
information security threats and countermeasures.
(f) SPECIAL AGENT will provide regular information security awareness training
for all personnel.
(g) SPECIAL AGENT will have written policies, implemented and approved by
senior management for the protection of its information systems and Confidential
Information, addressing the following:
(i) data governance and classification;
(ii) asset inventory and device management;
(iii) access controls and identity management;
(iv) business continuity and disaster recovery planning;
(v) system security and monitoring;
(vi) network security and monitoring;
(vii) physical security and environmental controls;
(viii) customer data privacy; and
(ix) vendor and third-party service provider (“TPSP”) management, to include
the following topics:
(A) identification and risk assessment of TPSPs;
(B) minimum information security practices required of TPSPs;
M23294_12/19 BMO152.013
(C) due diligence processes for assessing the information security
practices of TPSPs; and
(D) periodic assessment of TPSPs, based on the risk and the continued
adequacy of the TPSPs’ information security practices.
(h) The following information systems’ controls will be utilized by SPECIAL
AGENT, to the extent prescribed by its written information security program:
(i) limited user access privileges to information systems providing access to
Confidential Information and periodical review of such access privileges,
as dictated by SPECIAL AGENT’s Risk Assessment;
(ii) multi-factor authentication for any individual accessing SPECIAL
AGENT’s internal networks from an external network, and for all
privileged access to SPECIAL AGENT’s cloud-based systems;
(iii) implementation of risk-based policies, procedures and controls designed to
monitor the activity of authorized users and detect unauthorized Use or
tampering with Confidential Information; and
(iv) implementation of encryption to protect Confidential Information, both in
transit over external networks, and at rest.
(i) To the extent dictated by SPECIAL AGENTs Risk Assessment, and for a
duration specified by its records retention standards, SPECIAL AGENT will
maintain audit trails:
(i) for material financial transactions; and
(ii) sufficient to recreate Security Incidents.
(j) SPECIAL AGENT will have written procedures, guidelines and standards for
the secure development of applications created in-house, and procedures for
evaluating and testing the security of externally-developed applications used on
SPECIAL AGENT’s information systems.
(k) SPECIAL AGENT will have a written Security Incident response plan designed
to promptly respond to, and recover from, any Information Security Breach or
successful Security Incident materially affecting the confidentiality, integrity or
availability of the Confidential Information or the continuing functionality of any
aspect of Company’s business or operations. The plan will address the following
areas:
(i) internal processes for responding to an Information Security Breach or
successful Security Incident;
M23294_12/19 BMO152.013
(ii) goals of the plan;
(iii) definition and clear roles, responsibilities and levels of decision-making
authority;
(iv) external and internal communications and information sharing;
(v) identification or requirements for the remediation of any identified
weaknesses in information systems and associated controls;
(vi) documentation and reporting regarding Information Security Breaches or
successful Security Incidents and related incident response activities; and
(vii) evaluation and revision as necessary of the plan following an Information
Security Breach or successful Security Incident.
(l) No transfer of Confidential Information may be made by SPECIAL AGENT
outside of the United States without the prior, express written authorization of
Company.
(m) Company may require SPECIAL AGENT to have an annual review and/or an
annual technical audit of its security policies and practices by Company, or, at
SPECIAL AGENT’s option and expense, an independent auditor, to ensure
compliance with this Addendum. The third-party audit report, including
recommendations for remedying deficiencies where appropriate, will be provided
to Company within seven (7) business days of receipt of the report by SPECIAL
AGENT. SPECIAL AGENT will have thirty (30) calendar days to implement
remedies to any identified deficiencies and notify Company that such
deficiencies have been addressed. SPECIAL AGENT’s failure to remedy the
identified deficiencies will be considered in breach of this Section 5.
6. PCI-DSS Requirements for SPECIAL AGENT. If SPECIAL AGENT stores or
transmits credit or debit card data on behalf of Company, or could impact the security of
Company’s cardholder data environment, SPECIAL AGENT will employ safeguards that
comply with the Payment Card Industry Data Standard (PCI-DSS), as may be amended
from time to time. Depending on services being provided pursuant to the Agreement, and
upon request, SPECIAL AGENT will provide Company a PCI-DSS Attestation of
Compliance.
7. General Provisions.
(a) Compliance with Laws. Each party will promptly: (i) comply with its
obligations under this Addendum and with any federal and state laws and
regulations as may now be in effect or as may hereafter be enacted, adopted or
determined that apply to the confidentiality, security, or Use of Confidential
Information; and (ii) cooperate with and assist the other party in fulfilling its
federal and state legal and regulatory obligations with respect to Confidential
M23294_12/19 BMO152.013
Information a party holds on behalf of the other. Such obligations include any:
(viii) rights of or obligations to customers or consumers whose information is
included in the Confidential Information; (ix) inventory and location of
Confidential Information; and (x) performance of due diligence to ensure
Representatives used in connection with performance of Services under the
Agreement comply with the provisions of this Addendum.
(b) Amendment. This Addendum will be amended to conform to any new or
different legal requirements that result from any changes, revisions or
replacements of any federal or state laws and regulations as may now be in effect
or as may hereafter be enacted, adopted or determined that apply to the security,
confidentiality, or Use of Confidential Information, including, without limitation,
the HIPAA Privacy and Security Rules, on or before the effective compliance
date thereof. Any such amendment will automatically be effective upon the
effective compliance date of such laws and regulations and will become effective
without the signature of either party.
(c) Termination for Cause. In addition to any other termination provisions
contained in the Agreement, a party may terminate the Agreement upon written
notice to the other party that they have breached a term of this Addendum.
(d) Disclosures Required By Law or a Governmental Authority. If either party is
required to disclose the other party’s Confidential Information in response to
legal process or a governmental authority, such party will immediately notify the
other party and, upon request, cooperate with the other party in connection with
obtaining a protective order. The disclosing party will furnish only that portion
of Confidential Information which it is legally required to disclose and will use
commercially reasonable efforts to ensure that Confidential Information is treated
confidentially.
(e) Indemnification. Notwithstanding any other provisions of the Agreement, each
party will indemnify, defend and hold the other party and its affiliates, and their
directors, officers and employees,
harmless for any liabilities, claims, demands,
suits, losses, damages, costs, obligations and expenses, including without
limitation attorneys’ fees, court costs and punitive or similar damages, incurred
by a party which result from any breach of this Addendum by the other party.
(f) Equitable Relief. Both parties acknowledge that Confidential Information it
receives is confidential and/or proprietary to the other party, that disclosure
thereof could be seriously harmful to the business prospects of the other party,
that the other party may not have adequate remedies at law for a breach of the
confidentiality obligations hereunder and that money damages may be difficult or
impossible to determine. Accordingly, each party agrees, in addition to all other
remedies available at law, that, in the event of a breach or threatened breach of
this Addendum, an aggrieved party will be entitled to: (i) seek equitable relief,
M23294_12/19 BMO152.013
including injunctive relief; and (ii) reimbursement of all attorneys’ fees and court
costs arising in connection with seeking and obtaining such equitable relief.
(g) Material Obligation/Survival. Each obligation contained in this Addendum is
deemed to be a material obligation of the parties hereunder and will survive the
termination of the Agreement.
(h) Interpretation. In the event of an inconsistency or conflict between the terms of
the Agreement and the terms of this Addendum, this Addendum will control.
Any such inconsistency or conflict will be resolved in favor of a meaning that
permits the parties to comply with the HIPAA Privacy and Security Rules or any
other federal and state laws and regulations that apply to the confidentiality of
Confidential Information. This provision will supersede any similar provision in
the Agreement. In the event of an inconsistency between the provisions of this
Addendum and mandatory provisions of the HIPAA Privacy and Security Rules
or any other federal and state laws and regulations that apply to the
confidentiality of Confidential Information, as may be amended from time to
time, the HIPAA Privacy and Security Rules or any other federal and state laws
and regulations that apply to the confidentiality of Confidential Information,
including, without limitation, any definitions in any such federal and state laws
and regulations, will control. Where provisions of this Addendum are different
than those mandated in the HIPAA Privacy and Security Rules or any other
federal and state laws and regulations that apply to the confidentiality of
Confidential Information but are nonetheless permitted by such federal and state
laws and regulations, the provisions of this Addendum will control.