Breach Services Program Terms
Breach Services Program Terms
PLEASE READ THESE TERMS CAREFULLY AS THEY FORM A LEGALLY BINDING AGREEMENT. BY SIGNING A BREACH SERVICES ENROLLMENT, OR BY OFFERING BREACH SERVICES FOR ENROLLMENT, YOU AGREE TO ALL OF THE FOLLOWING.
These Breach Services Program Terms (“Terms”) together with each applicable Breach Services Engagement (“Engagement”) are between the Gen/NortonLifeLock entity specified in the Engagement (“NortonLifeLock”) and the company identified within the Engagement (“Company”). For information NortonLifeLock merged with Avast in September 2022. The merged entity is known as Gen Digital (“Gen”). Norton and LifeLock products/services are now added to the Gen brand portfolio. The products/services applicable to these Terms are those specifically identified in the Engagement. These Terms and the Engagement are collectively the “Agreement” and serve to govern Company’s participation in the Breach Services Program. NortonLifeLock and Company are each a “Party” and are collectively the “Parties”. Capitalized terms used but not defined in these Terms have the meaning as stated in the Engagement.
1. Program. As a participant in NortonLifeLock’s Breach Services Program, Company may offer NortonLifeLock ITP Services to Prospective End Users in the Territory as set forth in each Engagement between the Parties. NortonLifeLock will provide such ITP Services to each End User for the duration of each paid ITP Services term, pursuant to the End User Terms (as defined below). Company may, in its sole discretion and if specified in an Engagement, purchase additional services (“Additional Services”).
2. Partner Engagement. Any partner participating in NortonLifeLock’s Breach Services Program (“Partner”) must enter into a separate agreement with NortonLifeLock (“Breach Services Partner Agreement”). Where Partner introduces Company to NortonLifeLock, Company and NortonLifeLock must agree the Engagement before NortonLifeLock can provide the Services and all Services will be provided subject always to these Terms. Partner must be clearly indicated in the Engagement. The Engagement will indicate whether Company or its Partner will pay NortonLifeLock for the Services. Where Partner is paying NortonLifeLock for the Services on behalf of Company, Partner shall pay NortonLifeLock applicable fees in accordance with the Breach Services Agreement. Company and Partner may separately agree fees for the Services as between them.
3. Enrollment Process. NortonLifeLock will provide Company with a promotion code or website link, along with ITP Services enrollment instructions, which Company will then provide to Prospective End Users for ITP Services enrollment directly with NortonLifeLock. Company shall not directly enroll any Prospective End User for ITP Services or provide any Enrollment Information (as defined below) to NortonLifeLock.
4. End User Relationship. Upon End User’s enrollment in the ITP Services, NortonLifeLock and the End User will establish a direct and independent relationship governed by NortonLifeLock’s License and Services Agreement and its Global Privacy Statement (together, the “End User Terms”) which will be provided to, and must be agreed by, each Prospective End User on enrollment and prior to ITP Service Activation. Company will direct Services-related questions to NortonLifeLock and will not attempt to provide support for the Services. For clarity, (i) the Parties’ obligations to each other are solely as set forth under the Agreement, (ii) neither Party shall be liable to the other Party for ITP Services provided directly to End Users, and (iii) nothing in the Agreement limits NortonLifeLock’s obligations or liability to End Users under the End User Terms.
5. Enrollment Requirements. Company acknowledges that, in order for a Prospective End User to enroll in or access ITP Services, NortonLifeLock must receive the required enrollment information (“Enrollment Information”). In addition, some ITP Services may have features that require consent, authentication, or other additional action by the Prospective End User (“Actions”). Some features may not be available in all countries. NortonLifeLock may in its sole discretion deny, reduce and/or cancel ITP Services, in whole or in part, to any individual that fails to: (a) provide or maintain full and accurate Enrollment Information, or (b) take any Actions or, if Actions are taken, if a Prospective End User is unable to be verified as necessary for the particular ITP Service or feature (including but not limited to identity verification failure or failure of knowledge based verification). NortonLifeLock will not accept any reduction in fees for Services for any failure of this provision by End User.
6. Ownership; Reservation of Rights. NortonLifeLock and its licensors own all worldwide rights, title, and interests in and to its intellectual property including without limit the Services and related documentation. Company acquires no rights or licenses except as expressly stated in the Agreement. All rights and licenses not expressly granted under the Agreement are expressly reserved by NortonLifeLock.
7. Payment. Unless Partner is paying NortonLifeLock for the Services on behalf of Company as indicated in the Engagement, Company shall pay all fees due within 30 days of date of invoice. Company will be responsible for and will pay all sales, use and other applicable taxes due in connection with the Services, excluding tax due on NortonLifeLock’s income. Fees paid are nonrefundable and Company’s obligation to pay all fees set forth in an Engagement are noncancellable. If any amounts due to NortonLifeLock are not paid within 30 days of their due date, NortonLifeLock may, in its sole discretion (i) suspend or terminate the Services; (ii) require that Company pay in advance for Services; or (iii) charge late payment fees of the greater of 1.5% per month or the highest rate permissible by law on the unpaid amount.
8. Confidentiality. In the course of performing activities under the Agreement each Party will receive information that is confidential or proprietary to the other. Neither Party may use such information except in performance of the Agreement or disclose (or permit disclosure of) such information to third parties. Each Party shall maintain reasonable and appropriate technical and organizational measures to fulfill its obligations under the Agreement.
9. Company Obligations.
a. Company will have all necessary rights and consents to perform under the Agreement and will comply with applicable laws and regulations, including without limit those relating to personal data and to any notices sent to Prospective End Users that refer to NortonLifeLock or any Services;
b. Company shall not offer or make available any Services on behalf of third parties save as provided in these Terms;
c. Company shall not, in any way, refer to, describe, or otherwise characterize the Services as insurance or credit repair services, or indicate that NortonLifeLock is or may be an insurance provider, insurance company, insurance carrier, credit repair organization, credit repair service provider, or credit repair clinic, and/or
d. Company shall not make any representations about the Services (including without limit in any Prospective End User notification except for enrollment instructions as provided by NortonLifeLock), and Company shall not represent or refer to any Services as its own service or as a third party’s service.
10. Indemnity. Company will defend, indemnify and hold NortonLifeLock harmless from and against all third party claims (including End User claims), and any resulting damages, costs, expenses, losses and reasonable attorneys’ fees and court costs incurred by or awarded against NortonLifeLock, arising from (i) Company’s alleged breach of Section 9 (Company Obligations), (ii) NortonLifeLock’s compliance with Company’s express instructions, (iii) Company’s data breach notifications including without limit the content (or omission of content), format, timing and delivery method or (iv) NortonLifeLock’s termination of Services for Company’s breach of the Agreement. NortonLifeLock will (a) provide Company with timely notice of all claims, (b) tender control of all indemnified claims to Company, provided that if conflicts of interests arise between the Parties NortonLifeLock may participate and obtain independent counsel at its own cost, and (c) provide Company and with information and assistance as reasonably needed for Company to fulfill its obligations under the Agreement. Company may not make any admission on behalf of NortonLifeLock or enter into any settlement that obligates NortonLifeLock without NortonLifeLock’s express written consent.
11. Warranties. All warranties shall be as stated in the End User Terms between NortonLifeLock and the End User. Company is not permitted to make any warranties and representations on NortonLifeLock’s behalf regarding the Services. All such express and implied warranties, representations and any other additional terms are expressly excluded to the maximum extent permitted by law. Not all Services or Service features may be available in all jurisdictions.
12. No Legal Services. The Parties acknowledge that Services are provided in connection with a breach (or in anticipation of a potential future breach) of personal data that is processed and/or controlled by company, its affiliates, or its or its affiliates’ third parties. As such, the Parties agree that (i) Company is solely responsible and liable for such breach and all communications, acts and omissions taken in relation to the breach including without limit the content, format, timing and delivery method of all notifications and responses to Frequently Asked questions (FAQ’s), and for the accuracy of all data and information provided to NortonLifeLock including without limit any Prospective End User mailing lists (where applicable), (ii) Company is solely responsible for obtaining independent legal advice in relation to all breaches and anticipated breaches, and related notifications, FAQ’s, remediation and mitigation efforts; (iii) Services do not include, and NortonLifeLock does not and will not provide, any legal advice or recommendations of any kind and no statements or actions by NortonLifeLock or its personnel shall be relied on (or construed ) as legal advice.
13. Waiver of Indirect and Consequential Loss. NortonLifeLock shall not be liable for any of the following that may arise whether directly, indirectly or otherwise under the Agreement: (i) any cost of procurement of substitute or replacement goods and services, loss of profits, loss of use, loss of or corruption to data, business interruption, loss of production, loss of revenues, loss of contracts, loss of goodwill, or anticipated savings or wasted management and staff time; or (ii) any special, consequential, incidental or indirect damages. The foregoing shall apply even if such party or its agents has been advised of the possibility of such damages.
14. Limitation of liability. NortonLifeLock’s liability to Company is limited to the total payments received by NortonLifeLock for the provision of the Services during the twelve (12) months prior to the event giving rise to such liability. Notwithstanding the foregoing, nothing in the Agreement will seek to exclude either party’s liability for fraudulent misrepresentation, willful misconduct, gross negligence, death, personal injury or any other liability to the extent that such liability may not be excluded or limited under applicable law.
15. Termination. Either Party may terminate the Agreement for material breach with immediate effect if such breach is not cured within 30 days after written notice of such breach. Upon any expiration or termination, save as provided in section 16b) below the rights granted under this Agreement are immediately revoked.
16. General.
a. Governing Law; Jurisdiction. The Agreement is governed exclusively by the laws as specified below without regard to principles of conflicts of law. If Company is based in EMEA: The laws of Ireland. Venue for any legal action will be the Irish courts, Dublin; If Company is based in Japan: The laws of Japan. Venue for any legal action will be the Japanese courts; If Company is based in the Asia Pacific region: The laws of Singapore. Venue for any legal action will be the courts of Singapore. If Company is based in the Americas: The laws of California. Venue for any legal action will be the courts of Santa Clara County, California. The English language version of the Agreement will prevail in the event of any translations. Company waives any right to have this Agreement officially written in the language of the applicable Territory where applicable.
b. Effect of Termination. Termination of the Agreement or of a Company’s relationship with Partner or of an End User’s relationship with Company shall not terminate the provision of ITP Services to any End User for the remainder of the paid ITP Services term.
c. Notices. Notices will be sent to the Parties’ respective representatives at the addresses specified in the Engagement. A copy of notices to NortonLifeLock must be sent to: Legal.Department@nortonlifelock.com.
d. Assignment. Company may not assign the Agreement without NortonLifeLock’s written consent except to its affiliates or successors in a merger, acquisition or asset sale. NortonLifeLock may make an assignment in its discretion.
e. Waiver; Severability. A Party’s waiver or failure to exercise any right or require performance under the Agreement shall not be deemed a waiver of any further failure. If any provision of the Agreement is deemed invalid by an applicable court, it will be considered deleted except to the extent the court may modify such provision to be valid and enforceable. The remaining provisions shall remain valid and enforceable.
f. No Publicity; Relationship. The Parties (i) may not make reference to the other Party for marketing or publicity purposes without prior written consent, and (ii) have no right to represent, assume or create any obligation or make representations about or on behalf of the other Party. Neither Party is an agent or subcontractor of the other Party.
g. No Double Recovery. Any purported breach of the Agreement by NortonLifeLock which Company claims causes loss and/or damage to Partner, will be deemed to be only Company’s loss and/or damage with the intent that NortonLifeLock would be liable only to Company instead of to Partner. Any duplicate claims filed by Company and any Partner must be combined and the Parties agree that no double recovery by Company and any Partner will be permitted under this Agreement.
h. Timeframe for Legal Actions. Any legal action arising in connection with the Agreement must be filed within one (1) year of the date that such cause of action arises. All statutory limitation periods (whether arising in contract, tort or otherwise) are expressly excluded.
i. Anti-Corruption and Trade Restrictions. Each Party will (i) comply with all applicable laws and regulations relating to, export compliance, the Foreign Corrupt Practices, U.K. Bribery Act 2010 and all other applicable anti-corruption laws and regulations; laws of the U.S. Department of the Treasury, Office of Foreign Assets Control; and (ii) obtain and maintain in effect all required licenses, permits and authorizations. Additional information on the Services are detailed here: https://www.nortonlifelock.com/us/en/legal/export-compliance/ which may require action on Your behalf prior to export to certain destinations, end users, or for certain end-uses. For the avoidance of doubt, nothing in the Agreement is intended to induce or require either Party to act in any manner which is penalized or prohibited under any applicable laws, rules, regulations or decrees. A breach of this section is deemed to be a material breach of the Agreement.
j. Compliance with Laws. Each Party will comply with all applicable laws and regulations for the purpose of the Agreement.
k. Force Majeure. Neither Party will be in breach of the Agreement if such delay or performance failure results from events outside that Party’s control. In such circumstances, the time for performance shall be extended by a period equivalent to the period during which performance of the specific obligation has been delayed or failed to be performed. If the period continues for 3 months, the Party not affected may terminate the Agreement by giving 30 days-notice to the other Party.
l. Third Party Rights. Nothing in the Agreement confers any rights on any third parties (including but not limited to any Partner) to enforce any term of the Agreement.
m. Construction. The Agreement is the result of negotiations between sophisticated parties and any principle of construction or rule of law that provides that an Agreement shall be construed against the drafter of the Agreement in the event of any inconsistency or ambiguity in such Agreement, shall not apply. Each Party’s waiver or failure to exercise any right or to require any performance of a duty under the Agreement shall not be deemed a waiver of any further such right or duty. Neither Party is an agent of the other Party. It has no right to (i) represent or bind the other Party, (ii) assume or create any obligation or (iii) make any warranty, guarantee or representation about the other Party.
n. Entire Agreement; Amendment. This Agreement constitutes the entire agreement and understanding between the Parties and supersedes all previous promises, proposals, agreements, understandings, representations, communications, undertakings or implications whether made orally or in writing between the Parties relating to the subject matter of the Agreement. It may not be modified except by written amendment to the Agreement.
17. Additional Services. The following applies only to the extent that any applicable Additional Services are specified in an Engagement. For the avoidance of doubt, not all Additional Services are available in all countries.
Additional Services available in Australia and New Zealand only.
A. Call Center Services. NortonLifeLock will provide inbound telephone support to assist Prospective End Users with enrollment in ITP Services and answer specific frequently asked questions (“FAQ”) during the agreed Enrollment Period. Following enrollment, End Users may contact NortonLifeLock’s Member Services for ITP Services support.
I. Proposal. Company in consultation with its own legal counsel will provide NortonLifeLock with information describing the Company’s business drivers. This information may include (i) anticipated notice deadlines, (ii) number of individuals to receive Services, (iii) minors affected, (iv) selection of any ITP Services, (v) anticipated call volumes, and (vi) call center FAQs.
II. First drafts of Company’s FAQ. NortonLifeLock or Partner will provide Company with a template of the FAQs for Company to complete. Company must return this to NortonLifeLock in a standard file format which can be replicated when coded appropriately.
III. Set Go-live Date. Company must schedule a final go-live date. A final go-live date must be set at least five (5) days after all FAQ questions and responses have been finalized (or this may be sooner depending on the size of Prospective End Users).
IV. Go-live and service level requirements. Starting at 12:00 a.m. (midnight) on the agreed upon final go-live date, the NortonLifeLock call center will accept calls from the Company’s Prospective End Users. NortonLifeLock call center support will be available twenty-four (24) hours per day, seven (7) days per week.
V. Reporting. On request, NortonLifeLock will provide a member detail report specific to the Promotional Code.
VI. Closing of the Enrollment Period and completion of Services. Upon completion of the Enrollment Period, NortonLifeLock will discontinue supporting the FAQs. Additionally, the TFN will connect Prospective End Users to NortonLifeLock’s main call center menu, and NortonLifeLock will advise a Prospective End User that the Enrollment Period has ended. For Activated End Users, NortonLifeLock will continue to provide call center support pursuant to the End User Agreement.
Additional Services available in North America only.
A. Mail Notification Services. NortonLifeLock will engage a third party subcontractor to deliver Company’s personal data breach notification to Prospective End Users within the United States via the U.S. Postal Service. NortonLifeLock will include with the notice ITP Services enrollment instructions including the applicable promotion code or website link.
I. Proposal. Company, in consultation with its own legal counsel, will provide NortonLifeLock with information describing the Company’s (i) anticipated notice deadlines, (ii) number of adult Prospective End Users, and (iii) the number of minor Prospective End Users (iv) volume and frequency of breach notification mailings, and (v) ITP Service enrollment periods.
II. Prospective End User List. Company must provide NortonLifeLock with a list of Prospective End Users, in an Excel format, containing the first name, last name and mailing address for the entire population. The list must be formatted consistently with NortonLifeLock’s guidelines, which will be provided to Company. If minors are included in the population, Company must include a column indicating which individuals are minors. Said member list must be encrypted and sent using a secure distribution method as agreed by NortonLifeLock.
III. Validation. NortonLifeLock, through its subcontractor, will validate the addresses contained in the Prospective End User list through the National Change of Address (NCOA) database. If during this validation process the NCOA database highlights any changes to the addresses (eg in the event of decedents, change of locations) this will be communicated to Company and Company shall have the choice as to which address(es) to mail to. If any addresses are not formatted in accordance with the formatting guidelines provided to Company, or if a Prospective End User’s address cannot be validated, that Prospective End User will be removed from the mailing list, and neither NortonLifeLock nor its subcontractors will mail any correspondence to those individuals. NortonLifeLock will notify Company regarding those Prospective End Users that are removed from the mailing list, and Company will not be entitled to a reduction in the applicable purchase price if a Prospective End User is removed from the mailing list pursuant to this section. Note that Company may incur additional fees in the event of multiple mailings. NortonLifeLock is not responsible for correspondence not sent pursuant to this section and Company assumes the responsibility for all associated risks.
IV. Notifications. Company will provide NortonLifeLock with the opportunity to review the notification in advance of delivery. Company is solely responsible for the preparation, content and legal and regulatory compliance of all notifications, provided that Company shall not include in its notifications any representation about NortonLifeLock or the Services (other than enrollment instructions as provided by NortonLifeLock), or any information that could reasonably be interpreted as libelous, unlawful or unethical.
V. Authorize Final Proof. Company will receive a final proof of the notification letter for Company’s approval within one business day of submission of a final draft to NortonLifeLock’s mail services subcontractor by Company. Company must approve the final proof. If the Company requires multiple proofs, Company may incur additional fees. Any changes to the Purchase Price must be documented through a mutually executed change order.
VI. Physical Production and Mail Drop Date. The notification letters will not be printed until after Company has approved all final proofs. After the Company confirms the mail drop date, the notifications will be placed in the delivery channel with the U.S. Postal Service. A final mail drop date must be set at least three (3) business days after the following are completed:
i. Company provides approval of all final proofs, and
ii. If applicable, all Call Center Service requirements and time frames, as documented on the Engagement, have been met. For clarification, if a Company is utilizing Call Center Services in addition to Mail Notification Services, a final mail drop date must be at least five (5) business days after NortonLifeLock receives all required deliverables.
VII. Completion of Mailing and Reporting. Following completion of the mailing, NortonLifeLock will provide mailing confirmation for those letters mailed. NortonLifeLock, through its subcontractor, will provide Company with returned mail updates as soon as reasonably possible after distribution. NortonLifeLock is not responsible for correspondence returned pursuant to this Section and Company assumes the responsibility for all associated risks.
VIII. Personal Data. Company shall only disclose Personal Data to NortonLifeLock as required in the Prospective End User List described above and shall ensure that no Personal Data is provided to NortonLifeLock unless all necessary consents, rights and authority have been obtained for NortonLifeLock and its third parties to utilize the Personal Data for purposes of the Agreement and the provision of Mail Notification Services. “Personal Data” means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
B. Call Center Services. NortonLifeLock will provide inbound telephone support to assist Prospective End Users with enrollment in ITP Services and answer specific frequently asked questions (“FAQ”) during the agreed Enrollment Period. Following enrollment, End Users may contact NortonLifeLock’s Member Services for ITP Services support.
I. Proposal. Company in consultation with its own legal counsel will provide NortonLifeLock with information describing the Company’s business drivers. This information may include (i) anticipated notice deadlines, (ii) number of individuals to receive Services, (iii) minors affected, (iv) selection of any ITP Services, (v) anticipated call volumes, and (vi) call center FAQs.
II. First drafts of Company’s FAQ. NortonLifeLock will provide Company with a template of the FAQs for Company to complete. Company must return this to NortonLifeLock in a standard file format which can be replicated when coded appropriately.
III. Set Go-live Date. Company must schedule a final go-live date. A final go-live date must be set at least five (5) days after all FAQ questions and responses have been finalized (or this may be sooner depending on the size of Prospective End Users).
IV. Go-live and service level requirements. Starting at 12:00 a.m. (midnight) on the agreed upon final go-live date, the NortonLifeLock call center will accept calls from the Company’s Prospective End Users. NortonLifeLock call center support will be available twenty-four (24) hours per day, seven (7) days per week.
V. Reporting. On request, NortonLifeLock will provide call reports for the telephone number assigned to Company (TFN), which will include, (i) total calls; (ii) calls answered, and (iii) abandoned calls. Additionally, NortonLifeLock will provide a member detail report specific to the Promotional Code.
VI. Closing of the Enrollment Period and completion of Services. Upon completion of the Enrollment Period, NortonLifeLock will discontinue supporting the FAQs. Additionally, the TFN will connect Prospective End Users to NortonLifeLock’s main call center menu, and NortonLifeLock will advise a Prospective End User that the Enrollment Period has ended. For Activated End Users, NortonLifeLock will continue to provide call center support pursuant to the End User Agreement.
VII. FAQ Compliance. Company will provide NortonLifeLock with an FAQ. Company’s statement FAQ cannot conflict with its press releases and other public-facing talking points. Company shall be fully responsible for the representations and consequences of the content of the FAQs that it provides to NortonLifeLock for use with the Prospective End Users.
C. Website Enrollment Services. NortonLifeLock will make available a co-branded website through which Prospective End Users may enroll in ITP Services during the agreed Enrollment Period. The website will be comprised of NortonLifeLock standard content and the Company provided FAQ, except as expressly agreed by the Parties in writing. Following the Enrollment Period, End Users may contact NortonLifeLock’s Member Services for Service support. Company grants NortonLifeLock a limited right and license to use and display the Company’s trademarks and logos during the Enrollment Period for the sole purpose of co-branding the enrollment website in order to provide the Website Enrollment Services. NortonLifeLock will comply with Company’s branding guidelines as provided by Company in advance of website go-live.