Effective January 1, 2009, Executive Order 504 establishes new requirements designed to adopt and implement the maximum feasible measures reasonably needed to ensure the security, confidentiality and integrity of personal information, as defined in M.G.L. c. 93H, and personal data, as defined in M.G.L. c. 66A, maintained by state agencies (herein collectively "personal information"). This requirement only pertains to contracts that require the Contractor's access to personal information owned or controlled by the contracting agency and systems that contain such data. The Executive Order applies to all state agencies in the Executive Department, including all executive offices, boards, commissions, agencies, departments, divisions, councils, bureaus, and offices, now existing and hereafter established.
In order to comply with the contractor certification requirements of Executive Order 504, agencies must require that all vendors executing contracts on or after January 1, 2009 certify compliance with applicable security measures. The Commonwealth's Standard Contract Form and Instructions will be amended to include certification of compliance; however, until such time as the Standard Contract Form has been amended, agencies that are subject to Executive Order 504 can comply with this obligation by having vendors entering into any new agreements execute the separate certification form attached. The instructions below provide guidance concerning how to comply with the certification requirements of Executive Order 504.
1. For procurements that use the Standard Contract Form:
a. Until the revised Standard Contract form is issued, if the RFQ or RFR was posted on or before January 1, 2009, but the contract will not have been executed as of January 1, 2009, then vendors contracting with agencies must execute the separate Executive Order 504 Contractor Certification Form attached hereto as Exhibit A for all new contracts.
b. Once the Commonwealth's Standard Contract Form has been amended, agencies will be in compliance with the certification requirements of Executive Order 504 by having vendors execute the Standard Contract Form as part of the bidder's response to an RFR or RFQ.
2. After January 1, 2009, in any instances where the agency is not using the Commonwealth's Standard Contract Form, the agency must have all vendors execute a separate Executive Order 504 Certification Form, which will be available on OSD's website under "OSD Forms".
3. After January 1, 2009, Departments executing contract amendments or renewals with existing vendors are encouraged to request execution of a separate Executive Order 504 Contractor Certification Form by those vendors if the vendor has not executed the new version of the Standard Contract Form containing the Executive Order 504 certifications.
Executive Order 504 Contractor Certification Form
BIDDER/CONTRACTOR LEGAL NAME:
BIDDER/CONTRACTOR VENDOR/CUSTOMER CODE:
Executive Order 504: For all Contracts involving the Contractor's access to personal information, as defined in M.G.L. c. 93H, and personal data, as defined in M.G.L. c. 66A, owned or controlled by Executive Department agencies, or access to agency systems containing such information or data (herein collectively "personal information"), Contractor certifies under the pains and penalties of perjury that the Contractor (1) has read Commonwealth of Massachusetts Executive Order 504 and agrees to protect any and all personal information; and (2) has reviewed all of the Commonwealth of Massachusetts Information Technology Division's Security Policies.
Notwithstanding any contractual provision to the contrary, in connection with the Contractor's performance under this Contract, for all state agencies in the Executive Department, including all executive offices, boards, commissions, agencies, departments, divisions, councils, bureaus, and offices, now existing and hereafter established, the Contractor shall:
(1) obtain a copy, review, and comply with the contracting agency's Information Security Program (ISP) and any pertinent security guidelines, standards and policies;
(2) comply with all of the Commonwealth of Massachusetts Information Technology Division's Security Policies;
(3) communicate and enforce the contracting agency's ISP and such Security Policies against all employees (whether such employees are direct or contracted) and subcontractors;
(4) implement and maintain any other reasonable appropriate security procedures and practices necessary to protect personal information to which the Contractor is given access by the contracting agency from the unauthorized access, destruction, use, modification, disclosure or loss;
(5) be responsible for the full or partial breach of any of these terms by its employees (whether such employees are direct or contracted) or subcontractors during or after the term of this Contract, and any breach of these terms may be regarded as a material breach of this Contract;
(6) in the event of any unauthorized access, destruction, use, modification, disclosure or loss of the personal information (collectively referred to as the "unauthorized use"): (a) immediately notify the contracting agency if the Contractor becomes aware of the unauthorized use; (b) provide full cooperation and access to information necessary for the contracting agency to determine the scope of the unauthorized use; and (c) provide full cooperation and access to information necessary for the contracting agency and the Contractor to fulfill any notification requirements.
Breach of these terms may be regarded as a material breach of this Contract, such that the Commonwealth may exercise any and all contractual rights and remedies, including without limitation indemnification under Section 11 of the Commonwealth's Terms and Conditions, withholding of payments, contract suspension, or termination. In addition, the Contractor may be subject to applicable statutory or regulatory penalties, including and without limitation, those imposed pursuant to M.G.L. c. 93H and under M.G.L. c. 214, § 3B for violations under M.G.L. c. 66A.
Bidder/Contractor Name:
Bidder/Contractor Authorized Signature:
Print Name and Title of Authorized Signatory:
This Certification may be signed once and photocopied to be attached to any Commonwealth Contract that does not already contain this Certification Language and shall be interpreted to be incorporated by reference into any applicable contract subject to Executive Order 504 for this Contractor.
Created 12/24/08: Information provided by the Legal Office