C. Processor Duties Relative to PII 1. The Processor shall use reasonable security measures to protect the privacy of PII including, but not limited to the following: a. Limit disclosure of the information and details relating to a PII loss only to those with a need to know and who are bound by confidentiality obligations at least as restrictive as those set forth in this Agreement. b. Safeguard PII always, regardless of whether the Processor’s employee, contractor, or agent is at their regular duty station. c. Train individuals to whom access to PII is granted about privacy, IT Security, and confidentiality best practices and require their signed acknowledgment of understanding of and abidance to the training prior to credentialing them to access PII data and regularly, thereafter. (See Appendix B: List of Processor personnel with Access to State PII) d. Send emails containing PII only if encrypted and being sent to and being received by email addresses of persons authorized to receive such information. e. If Processor uses a non-affiliated third party to perform services and discloses Personally Identifiable Information to the third party, such shall be pursuant to a written agreement between the parties which must require the third party to implement and maintain reasonable security procedures no less stringent than those required in this Agreement; f. Regularly review privacy and IT security policies, procedures, and practices to ensure compliance with PIGA and this Agreement; g. Designate a person who addresses any complaints or questions an Entity may have regarding the Processor’s privacy practice;, and,
