EX-10.13 Reseller Services Agreement - 10/30/01

EX-10.13 5 d95998ex10-13.txt EX-10.13 RESELLER SERVICES AGREEMENT - 10/30/01 EXHIBIT 10.13 RESELLER SERVICE AGREEMENT This Agreement is made by and between FACTUAL DATA, 5200 Hahns Peak Drive, Loveland, CO 80538, ("Reseller") and Trans Union LLC, 555 West Adams Street, Chicago, Illinois 60661 ("Trans Union") to provide for credit reporting services. WHEREAS, Reseller is in the business of obtaining consumer reports from third party sources and providing credit reporting services to its customers ("Customers"); and WHEREAS, Trans Union owns and maintains a national database of consumer credit information ("TU Consumer Database"); and WHEREAS, Reseller desires to resell Trans Union consumer credit reports, or information therefrom, ("Consumer Reports") to Customers who have a permissible purpose in accordance with the Fair Credit Reporting Act (15 USC ss.1681 et seq.) including, without limitation, all amendments thereto ("FCRA"). NOW THEREFORE, in consideration of the premises and the mutual benefits expressed herein, the parties agree as follows: I. Reseller Responsibilities A. Reseller may sell, subject to applicable law, Consumer Reports to the industries and for the purposes outlined in the Reseller's Letter of Intent, a copy of which is attached hereto and incorporated herein by reference. In the event that Reseller wishes to expand its resale business beyond the scope set forth in the Letter of Intent, it may do so only with the prior written consent of Trans Union. B. Reseller shall request, from Trans Union, Consumer Reports only on behalf of Reseller's Customers who have a permissible purpose for obtaining consumer reports, as defined by Section 604 of the FCRA. Such Customers shall be provided access to the TU Consumer Database or Consumer Reports only if all requirements stated in this Agreement are met. C. Prior to Requesting each Consumer Report, Reseller shall identify the end user of the Consumer Report, certify each permissible purpose for which the Consumer Report will be used, and certify that the Consumer Report will be used for no other purpose, as defined by Section 607 of the FCRA, via the method indicated by the Reseller in Section V of this Agreement. D. The Consumer Reports may be transferred without change, may be reformatted by Reseller, or may be merged with similar data obtained from other consumer reporting agencies (Merged Reports). Each Consumer Report obtained by Reseller shall be used only one time, and only by or on behalf of the Customer for whom it was requested. Reseller may not archive or otherwise retain or use any Consumer Report for any other purpose, except to the extent that Reseller is required by law to maintain the Consumer Report for purposes of performing a consumer-initiated investigation and providing, at the consumer's request, a modified version of the same Consumer Report to the Customer for whom it was originally requested. In the event that Reseller has archived Consumer Report for such purpose, and receives a court order or federal grand jury subpoena for that report, such Consumer Report may be produced. In no event, however, should a new Consumer Report be requested from Trans Union in response to any subpoena; rather, Reseller should direct the requesting party to Trans Union. E. Reseller shall obtain Subscriber Agreements that contain the language set forth in Exhibit A (or Exhibit B if for employment purposes) from such Customers, wherein each user will state the nature of its business, certify the specific permissible purpose for which Consumer Reports will be obtained, and agree that Consumer Reports will be obtained for no other purpose, all as required by the FCRA. Said Exhibits A and B are incorporated herein and attached hereto. The permissible purpose specified shall be one or more of the following: 1. In connection with a credit transaction involving the consumer on whom the information is to be furnished and involving the extension of credit to, or review or collection of an account of the consumer; or 2. For employment purposes, in which case the Reseller must resell Trans Union's PEER product and Reseller and its Subscriber must execute an agreement containing the same language as set forth in Exhibit B hereto; or 3. In connection with the underwriting of insurance involving the consumer or review of existing policy holders for insurance underwriting purposes, or in connection with an insurance claim where written permission of the consumer has been obtained (and a copy of such written permission must be retained for three (3) years from the date of inquiry); or Page 1 of 6 4. In connection with a tenant screening application involving the consumer; or 5. In accordance with the written instructions of the consumer (and a copy of such written permission must be retained for three (3) years from the date of inquiry); or 6. For a legitimate business need in connection with a business transaction that is initiated by the consumer; or 7. As a potential investor, servicer or current insurer in connection with a valuation of, or assessment of, the credit or prepayment risks. F. Reseller is prohibited from selling Consumer Reports directly to consumers under this Agreement. Reseller may make disclosures to consumers only to the extent required by Section 609 of the FCRA; provided however, that unless explicitly authorized in a separate agreement, between Reseller and Trans Union, for the resale of a score or as explicitly otherwise authorized in advance and in writing by Trans Union, Reseller, shall not disclose to consumers or any third party, other than Reseller's Customer for whom the score was obtained, any nor all scores provided under this Agreement, unless clearly required by law. G. Reseller may advertise its services on the Internet or another public computer network. In addition, Reseller may transmit Consumer Reports via the Internet; provided however, that Reseller meets or exceeds all of the security requirements set forth in Exhibit C incorporated herein and attached hereto ("Internet Security Requirements"). In order to ensure the Internet Security Requirements are reflective of advances in generally available network security technology, Trans Union reserves the right to reasonably revise or otherwise modify the Internet Security Requirements upon at least one hundred twenty (120) days' prior written notification to Reseller. In the event Reseller so chooses to transmit Consumer Reports and fails to comply with all Internet Security Requirements, this Agreement shall immediately terminate. From time to time, upon at least five (5) days' prior written notification, Trans Union shall have the right to audit (or have its independent auditor audit), at Trans Union's expense, Reseller's compliance with the Internet Security Requirements. Reseller shall reasonably cooperate with Trans Union and any Trans Union requests in conjunction with all such audits including, but not limited to requests to correct any deficiencies discovered during such audits within a period of time mutually agreed upon and/or to suspend any further transmission of Consumer Reports until such deficiencies are corrected. Resellers obligation to comply, with the provision of this Section I.G. and the Internet Security Requirements, shall, in no event, be deemed contingent upon, or otherwise affected by, the aforestated audit rights of Trans Union. H. Reseller may sell Consumer Reports for employment purposes (PEER) to Customers who are members of the media, law enforcement agencies, private investigative agencies, detective agencies, law firms, security services, investigators, and lawyers or attorneys at law, provided such customers shall be issued individual code numbers as set forth in Section V of this Agreement and subject to the requirements in Section E (2) above. However, for reports for any purpose other than employment, or any other products, the prohibition in Section I below shall apply. I. Except as otherwise expressly permitted herein, Reseller shall not sell Consumer Reports to Customers who are: 1. Private investigative agencies 2. Detective agencies 3. Law firms 4. Security services 5. Investigators 6. Lawyers or attorneys at law 7. Law enforcement 8. Credit repair clinics or any similar entity who offers to improve a consumer's credit report 9. Members of the media 10. Other resellers 11. Or such other category of customer as Trans Union may identify from time to time by written notice to Reseller. The foregoing categories are hereinafter referred to as "Unauthorized Users." J. Reseller shall take the steps identified on Exhibit D to verify the identity of Customers who will obtain Consumer Reports to make certain that such Customers are legitimate businesses, have a permissible purpose for obtaining credit reports, and are not Unauthorized Users. Trans Union may amend Exhibit D at any time by providing thirty (30) days written notice to Reseller. Page 2 of 6 K. If, as a result of the verifications outlined on Exhibit D, the prospective Customer is found to be an Unauthorized User, or is found to have no permissible purpose to obtain credit reports, no agreement will be signed and no subscriber number will be issued. L. Trans Union reserves the right to terminate any Customer at any time with or without notice. II. Merged Report Guidelines Reseller agrees to adhere to the following additional guidelines when it sells Merged Reports developed from Consumer Reports: A. Reseller shall comply with the requirements of FCRA dealing with consumer disclosure, interviews and reinvestigation procedures. B. Reseller shall retain each Merged Report so that it can provide a consumer disclosure as required by FCRA. C. Reseller shall be able to easily identify the source(s) of each element of data in the Merged Report. Consumer disclosures must clearly show this data as it was originally reported by each of the sources when providing the consumer disclosure. D. When a Customer requests and reviews a Merged Report and the consumer is denied credit based on information in that Merged Report, the consumer must be referred to the Reseller for a complete disclosure. E. In making a consumer disclosure, the Reseller will provide the names, addresses and telephone numbers of the consumer reporting agency that was used to provide information for the report. F. In making a disclosure, in addition to all other obligations Reseller has under Section 609 of the FCRA, the Reseller also must advise the consumer about her/his FCRA rights to dispute information with the appropriate source credit bureau, to request reinvestigation, and to have corrected reports reissued to previous recipients, all as required by the FCRA and in the format established by the Federal Trade Commission. G. Reseller must obtain information from sources other than the applicant in preparing the Merged Report. The Reseller must obtain information from a minimum of two national consumer reporting agencies. Separate inquiries are necessary when the co-borrowers have individually applied for credit. H. The Merged Report must contain the date the report was created as well as the Reseller's name, address, and phone number as the consumer reporting agency which prepared the Merged Report. The Merged Report must show the names of the repository(ies) from which the information was obtained and must identify the organization that ordered the Merged Report. I. Once the merge logic is applied, the Merged Report must accurately reflect all elements of tradeline or credit grantor information for each tradeline if it was furnished by one or more of the credit reporting agencies. III. Trans Union Responsibilities A. Trans Union shall maintain credit information on individuals as furnished by its subscribers or obtained from other available sources. B. Trans Union shall use good faith in obtaining and assembling such information from sources Trans Union considers reliable, but does not guarantee the accuracy nor completeness of any information reported, and TRANS UNION MAKES NO WARRANTIES, EXPRESS OR IMPLIED INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO CONSUMER REPORTS, FURNISHED UNDER THIS AGREEMENT, WHETHER TO RESELLER OR TO CUSTOMER(S). IV. Indemnification and Limitation of Liability A. Reseller shall indemnify and hold Trans Union harmless from any and all claims, losses and damages, liability, and costs, including attorney's fees, against, or incurred by, Trans Union to the extent such claims, damages, liability and costs result directly or indirectly from either or both of the following: (a) any use of Consumer Reports; or (b) Reseller's breach of its obligations under this Agreement including, but not limited to, any breach which results in the non-permissible use of the Consumer Reports provided to Reseller, Customer(s), or both, under this Agreement. Page 3 of 6 B. IN NO EVENT SHALL TRANS UNION BE LIABLE TO RESELLER IN ANY MANNER WHATSOEVER FOR ANY LOSS OR INJURY TO RESELLER RESULTING FROM TRANS UNION'S OBTAINING OR FURNISHING OF CONSUMER REPORTS. MOREOVER, IN NO EVENT SHALL EITHER PARTY BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL, INDIRECT, SPECIAL, OR PUNITIVE DAMAGES INCURRED BY THE OTHER PARTY AND ARISING OUT OF THE PERFORMANCE OF THIS AGREEMENT, INCLUDING BUT NOT LIMITED TO LOSS OF GOOD WILL AND LOST PROFITS OR REVENUE, WHETHER OR NOT SUCH LOSS OR DAMAGE IS BASED IN CONTRACT, WARRANTY, TORT, NEGLIGENCE, STRICT LIABILITY, INDEMNITY, OR OTHERWISE, EVEN IF A PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THESE LIMITATIONS SHALL APPLY NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY. C. THE FOREGOING NOTWITHSTANDING, WITH RESPECT TO RESELLER, IN NO EVENT SHALL THE AFORESTATED LIMITATIONS OF LIABILITY, SET FORTH ABOVE IN PARAGRAPH B OF THIS SECTION IV, APPLY TO DAMAGES INCURRED BY TRANS UNION AS A RESULT OF GOVERNMENTAL, REGULATORY OR JUDICIAL ACTION(S) PERTAINING TO VIOLATIONS OF THE FCRA, OTHER LAWS, REGULATIONS, OR JUDICIAL ACTIONS, OR ANY COMBINATION OF THE FOREGOING, TO THE EXTENT SUCH DAMAGES RESULT FROM RESELLER'S BREACH, DIRECTLY OR INDIRECTLY, OF ITS OBLIGATIONS UNDER THIS AGREEMENT. V. Identify End User A. Reseller shall provide to Trans Union, for each Reseller Customer for whom Reseller will procure Consumer Reports the Customer's identity by subscriber number, name, address and telephone number, and the permissible purpose for which each report is sought, so that such information may be noted on the report for the consumer who is the subject of the report accessed. Such Customer identification shall be made as mutually agreed between Trans Union and Reseller pursuant to one or both of the inquiry methods below. Failure of Reseller to comply with the requirements of this Section V shall result in immediate termination of this Agreement. 1. Individual Code for Each Customer Each Customer signed up by Reseller may access the TU Consumer Database after appropriate identification procedures have been established, and a separate customer code shall be issued for each Customer. When such code is established, Reseller shall provide Trans Union with the Customer's name, address, and telephone number. The permissible purpose shall be identified on each inquiry. 2. Reseller Code Used for All Inquiries No individual customer code will be issued, nor will access to the TU Consumer Database be established, for any Customer by Trans Union. Rather, the code used will be the Reseller's code. The Customer name and permissible purpose for the inquiry shall be identified by Reseller on each Consumer Report accessed. Pursuant to Section 609 of the FCRA, the Customer's name must be the trade name under which the Customer conducts business, written in full. Reseller shall establish and provide Trans Union a toll free number, which will be answered between the hours of 9 a.m. to 5 p.m. Central Time, Monday through Friday, exclusive of federal holidays, that Trans Union can call to obtain the Customer's address and telephone number. B. If any current Customers have been assigned a Trans Union access code, they shall be identified, and Reseller shall determine that the certifications required, and all other obligations stated, in this Agreement are complied with by such Customers. All Unauthorized Users who have an access code for the TU Consumer Database, shall be terminated and access to the TU Consumer Database by them shall be canceled, except as otherwise permitted by Section I.H above. C. Reseller is also required to: 1. Internally identify all Customers engaged in the underwriting of insurance including, but not limited to, auto insurance, casualty insurance, property insurance, surety bond companies, bail bondsmen, and insurance agents (hereinafter referred to as "Insurance Company Customers"). 2. Ensure that all of Insurance Company Customers are identified by means of a separate Trans Union subscriber code. 3. Ensure that all Insurance Company Customers have a Trans Union subscriber code with an "I" KOB. 4. Ensure that all inquiries made by all Insurance Company Customers include the appropriate permissible purpose code, as identified by Trans Union. Page 4 of 6 VI. Fees & Charges A. Reseller shall pay to Trans Union for each access to the TU Consumer Database, by Reseller and for each access by a Customer, the price then in effect for the type of Consumer Report ordered. Trans Union shall have no obligation to collect any account owing from Customers. B. Trans Union shall provide monthly invoices to Reseller for all access to the TU Consumer Database, by Reseller and for all accesses by Customers, and such invoices shall be paid by Reseller within thirty (30) days of receipt. Without limiting any of Trans Union's remedies for non-payment or late payment of invoices, past due amounts shall accrue interest at the rate of one and one-half percent (1.5%) per month (eighteen percent (18%) per year) or the maximum allowed by law if lower than 18% per year. If collection efforts are required, Reseller shall be liable for all cost of collection, including reasonable attorney's fees. VII. Miscellaneous A. This Agreement shall commence upon the last signature date below and shall remain in force and effect until this Agreement is terminated pursuant to Section I.G., Section V., or Section VII.C. or by either party upon at least sixty (60) days' prior written notice to the other party. The foregoing notwithstanding, without limiting any other remedies to which Trans Union may be entitled including, but not limited to, injunctive relief, Trans Union reserves the right, at Trans Union's sole option, to immediately suspend its performance, in whole or in part, under this Agreement, to immediately terminate this Agreement, or both, if Trans Union, in good faith, determines that: (1) Reseller, either directly or indirectly, has materially breached any of its obligations under this Agreement; (2) the requirements of any law, regulation, or judicial action have not been met; or (3) as a result of changes in laws, regulations or regulatory or judicial action, the requirements of any law, regulation or judicial action will not be met. B. Trans Union may make available ancillary products for resale by Reseller, subject to such terms and conditions as Trans Union may impose from time to time. If Reseller refuses to agree to or fails to comply with such terms and conditions, Trans Union shall have no obligation to make such ancillary product available to Reseller. C. This Agreement including, without limitation, all the rights and the obligations set forth in this Agreement, with respect to Reseller are personal to Reseller and may not be subcontracted by Reseller without the prior written consent of Trans Union. Moreover, this Agreement, including the rights and obligations contained in this Agreement, may not be assigned, transferred (e.g., via stock purchase, sale of assets, etc.) or otherwise disposed of, by operation of law or otherwise, in whole or in part, by Reseller. This Agreement shall immediately terminate upon any attempt to so subcontract, assign, or transfer such rights and obligations. D. Each of the parties to this Agreement are independent contractors and nothing contained in this Agreement shall be construed as creating a joint venture, partnership, employer-employee, principal-agent nor mutual agency relationship between or among the parties hereto and no party shall, by virtue of this Agreement, have any right or power to create any obligation, express or implied, on behalf of any other party. No party, nor any employee of a party, shall be deemed to be an employee of the other party by virtue of this Agreement. E. In addition to Trans Union's audit rights under Section I.G. above, during the term of this Agreement and for a period of three (3) years thereafter, Trans Union may audit Reseller's compliance with all other requirements of this Agreement, upon at least five (5) business days' prior written notice and during normal business hours. Trans Union may also audit Reseller to ensure that Reseller accurately outputs Trans Union data on any Consumer Report sold by Reseller, including Merged Reports. Trans Union shall also have the right, upon at least ninety (90) days' prior written notification to Reseller, to require Reseller to output Trans Union data in a specified format in accordance with written Trans Union guidelines as issued, and as may be revised, from time to time. The parties recognize that Trans Union will suffer irreparable harm, and that monetary damages may be incalculable and/or inadequate in the event that Reseller retains Trans Union data in breach of Paragraph I.B. or I.D. of this Agreement, and therefore, such breach shall be entitled to remedy by injunctive relief, in addition to any and all other relief which may be available at law or at equity. F. "Trademarks" shall be defined as all trademarks, trade names, service marks, slogans, logos, designs, Internet universal resource locators (e.g., domain names) and other similar means of distinction, which are owned or controlled by Trans Union. All rights in any Trademarks associated with the business of Trans Union, including all goodwill pertaining thereto, shall be and remain the sole property of Trans Union. If Trans Union grants Reseller the right to use Trademarks pursuant to this Section VII. F., Reseller shall use and display such Trademarks only in the manner and for the purpose(s) authorized in writing in advance by Trans Union, and only during the term of this Agreement. Moreover, Trans Union reserves the right to require Reseller, upon at least ninety (90) days' prior written notification from Trans Page 5 of 6 Union, to use and display such Trademarks in accordance with written Trans Union's guidelines for use of Trademarks as issued, and as may be revised, from time to time. Samples of all materials that may be distributed by Reseller displaying the Trademarks shall be submitted to Trans Union upon Trans Union's reasonable request to verify compliance with Trans Union's guidelines for the use of the Trademarks. Trans Union reserves the right to add to, change, or discontinue the use of any Trademark, on a selective or general basis, at any time. Reseller shall not use any Trademark of Trans Union in any corporate, partnership, or business name without Trans Union's prior written consent. Trans Union may prohibit the use of any or all Trademarks by Resellers if, in Trans Union's sole discretion, Reseller's use of the Trademark(s) is detrimental to Trans Union in any way. G. No failure or successive failures on the part of either party, its respective successors or permitted assigns, to enforce any covenant or agreement, and no waiver or successive waivers on its or their part of any condition of this Agreement shall operate as a discharge of such covenant, agreement, or condition, or render the same invalid, or impair the right of either party, its respective successors and permitted assigns, to enforce the same in the event of any subsequent breach or breaches by the other party, its successors or permitted assigns. H. All references in this Agreement to the singular shall include the plural where applicable. Titles and headings to sections or paragraphs in this Agreement are inserted for convenience of reference only and are not intended to affect the interpretation or construction of this Agreement. If any term or provision of this Agreement is held by a court of competent jurisdiction to be invalid, void, or unenforceable, the remainder of the provisions shall remain in full force and effect and shall in no way be affected, impaired or invalidated. I. Neither party shall be liable to the other for failure to perform or delay in performance under this Agreement if, and to the extent, such failure or delay is caused by conditions beyond its reasonable control and which, by the exercise of reasonable diligence, the delayed party is unable to prevent or provide against. Such conditions include, but are not limited to, acts of God; strikes, boycotts or other concerted acts of workmen; laws, regulations or other orders of public authorities; military action, state of war or other national emergency; fire or flood. The party affected by any such force majeure event or occurrence shall give the other party written notice of said event or occurrence within five (5) business days of such event or occurrence. J. This Agreement shall be governed by and construed in accordance with the laws of the State of Illinois regardless of the laws that might otherwise govern under applicable Illinois principles of conflicts of law. K. The recitals set forth above are an integral part of this Agreement and are hereby incorporated into this Agreement. L. THIS AGREEMENT INCLUDING, BUT NOT LIMITED TO, ALL ASSOCIATED PRICING AGREED UPON, CONSTITUTES THE ENTIRE AGREEMENT BETWEEN THE PARTIES HERETO AND SUPERSEDES ALL PREVIOUS AGREEMENTS AND UNDERSTANDINGS, WHETHER ORAL OR WRITTEN, EXPRESS OR IMPLIED, SOLELY WITH RESPECT TO THE SUBJECT MATTER OF THIS AGREEMENT. THIS AGREEMENT MAY NOT BE ALTERED, AMENDED, OR MODIFIED EXCEPT BY WRITTEN INSTRUMENT SIGNED BY THE DULY AUTHORIZED REPRESENTATIVES OF BOTH PARTIES. IN WITNESS WHEREOF, the parties, intending to be legally bound, have caused this Agreement to be executed by their duly authorized representatives as of the last date and year set forth below. The parties hereto agree that a facsimile transmission of this fully executed Agreement shall constitute an original and legally binding document. FACTUAL DATA TRANS UNION LLC By: /s/ R.D. LITTLEJOHN By: /s/ PASCALE PETRIE-ALBERT -------------------------------- --------------------------------- Name: R.D. Littlejohn Name: Pascale Petrie-Albert ------------------------------- ------------------------------ Title: VP Branch Ops. Title: GVP ------------------------------ ------------------------------ Date: 10/16/01 Date: 10/30/01 ------------------------------- ------------------------------- Page 6 of 6 EXHIBIT A TO RESELLER SERVICE AGREEMENT (REQUIRED TERMS FOR RESELLER AGREEMENT FOR CONSUMER REPORTS BETWEEN RESELLER AND ITS CUSTOMER) 1. Reseller has access to consumer reports from one or more consumer credit reporting agencies. 2. Subscriber is a _________________ and has a permissible purpose for obtaining consumer reports, as defined by Section 604 of the Federal Fair Credit Reporting Act (15 USC 1681b) as amended by the Consumer Credit Reporting Reform Act of 1996, hereinafter called "FCRA." The subscriber certifies their permissible purpose as: o In connection with a credit transaction involving the consumer on whom the information is to be furnished and involving the extension of credit to, or review or collection of an account of the consumer; or o In connection with the underwriting of insurance involving the consumer or review of existing policy holders for insurance underwriting purposes, or in connection with an insurance claim where written permission of the consumer has been obtained; or o In connection with a tenant screen application involving the consumer; or o In accordance with the written instructions of the consumer; or o For a legitimate business need in connection with a business transaction that is initiated by the consumer; or o As a potential investor, servicer or current insurer in connection with a valuation of, or assessment of, the credit or prepayment risks. 3. Subscriber certifies that it will request consumer reports pursuant to procedures prescribed by Reseller from time to time only for the permissible purpose certified above, and will use the reports obtained for no other purpose. 4. Subscriber will maintain copies of all written authorizations for a minimum of three (3) years from the date of inquiry. 5. THE FCRA PROVIDES THAT ANY PERSON WHO KNOWINGLY AND WILLFULLY OBTAINS INFORMATION ON A CONSUMER FROM A CONSUMER REPORTING AGENCY UNDER FALSE PRETENSES SHALL BE FINED UNDER TITLE 18, OR IMPRISONED NOT MORE THAN TWO YEARS, OR BOTH. 6. Subscriber shall use each consumer report only for a one-time use and shall hold the report in strict confidence, and not to disclose it to any third parties; provided, however, that Subscriber may, but is not required to, disclose the report to the subject of the report only in connection with an adverse action based on the report. Moreover, unless explicitly authorized in this Agreement or in a separate agreement, between Reseller and Subscriber, for scores obtained from Trans Union LLC, or as explicitly otherwise authorized in advance and in writing by Trans Union LLC through Reseller, Subscriber shall not disclose to consumers or any third party, any nor all such scores provided under this Agreement, unless clearly required by law. 7. With just cause, such as delinquency or violation of the terms of this contract or a legal requirement, or a material change in existing legal requirements which adversely affects this Agreement, Reseller may, upon its election, discontinue serving the Subscriber and cancel this Agreement immediately. Page 1 of 1 EXHIBIT B TO RESELLER SERVICE AGREEMENT (REQUIRED TERMS FOR RESELLER AGREEMENT FOR CONSUMER REPORTS FOR EMPLOYMENT PURPOSES (PEER) BETWEEN RESELLER AND ITS CUSTOMER) 1. Reseller has access to consumer reports from one or more consumer credit reporting agencies. 2. Subscriber is a _________________ and has a need for consumer credit information in connection with the evaluation of individuals for employment, promotion, reassignment or retention as an employee ("Consumer Report for Employment Purposes"). 3. Subscriber shall request Consumer Report for Employment Purposes pursuant to procedures prescribed by Reseller from time to time only when it is considering the individual inquired upon for employment, promotion, reassignment or retention as an employee, and for no other purpose. 4. Subscriber certifies that it will not request a Consumer Report for Employment Purposes unless: A. A clear and conspicuous disclosure is first made in writing to the consumer before the report is obtained, in a document that consists solely of the disclosure, that a consumer report may be obtained for employment purposes; B. The consumer has authorized in writing the procurement of the report; and C. Information from the Consumer Report for Employment Purposes will not be used in violation of any applicable federal or state equal employment opportunity law or regulation. 5. Subscriber further certifies that before taking adverse action in whole or in part based on the Consumer Report for Employment Purposes, it will provide the consumer: A. A copy of the Consumer Report for Employment Purposes; and B. A copy of the consumer's rights, in the format approved by the Federal Trade Commission, which notice shall be supplied to Subscriber by Reseller. 6. Subscriber shall use Consumer Report for Employment Purposes only for a one-time use, and shall hold the report in strict confidence, and not disclose it to any third parties not involved in the current employment decision. 7. Subscriber will maintain copies of all written authorizations for a minimum of three (3) years from the date of inquiry. 8. With just cause, such as delinquency or violation of the terms of this contract or a legal requirement, or a material change in existing legal requirements which adversely affects this Agreement, Reseller may, upon its election, discontinue serving the Subscriber and cancel this Agreement immediately. Page 1 of 1 EXHIBIT C TO RESELLER SERVICE AGREEMENT INTERNET SECURITY REQUIREMENTS FOR DELIVERING TRANS UNION PRODUCTS TO BUSINESSES This document describes the security measures required for resellers and Trans Union business partners who will use the Internet to distribute Trans Union products to business customers. Resellers and business partners must meet these requirements in order to be in compliance with their respective agreement(s) with Trans Union. If the reseller or business partner has engaged a third party to develop and maintain their Internet delivery system, it is the reseller's/business partner's responsibility to ensure that these security requirements are met by the third party. 1.0 PROTECTION OF TRANS UNION DATA NOTE: In this section, there are several references to web servers. If the reseller or business partner is using a non-web delivery solution, replace the term `web server' with `server that accepts data from the Internet.' 1.1 Trans Union data (such as, but not limited to, consumer credit data and Trans Union-issued subscriber codes/passwords) must be protected when in transit over the Internet. Strong (at least 128-bit) encryption is required. 1.2 Trans Union data must be protected when stored on servers. Specific security measures for all servers involved in delivering Trans Union products are stated below: 1.2.1 The servers storing Trans Union data must be physically separate from the web servers. 1.2.2 The servers storing Trans Union data must not be available for, or exploitable by, any TCP services directly from the Internet and should not be referenced in externally available DNS tables. (Also see Firewall section below.) 1.2.3 Security settings on all servers must include authentication with strong passwords that are changed at least every 90 days. All security controls need to be set to prevent unauthorized access to Trans Union data. 1.2.4 All servers must have all published network operating system patches applied promptly after they become available. 1.3 Web servers must not temporarily store Trans Union data longer than needed to re-send failed transmissions (generally not longer than one day). 1.4 Physical security measures must be in place to ensure only authorized access to servers containing Trans Union data. 2.0 FIREWALLS AND NETWORK CONNECTIONS NOTE: In this section, there are several references to web servers. If the reseller or business partner is using a non-web delivery solution, replace the term `web server' with `server that accepts data from the Internet.' 2.1 The reseller's or business partner's Internet connection must be protected with dedicated, industry-recognized firewalls that are configured and managed to adhere to security industry best practices. Firewalls with ICSA or similar certification are highly recommended. 2.2 The firewall strategy must ensure that only a secure web server can access the server(s) holding Trans Union data: o A single firewall strategy (firewall between the Internet and the web server) would require multiple interfaces to separate the web server and the network server(s) holding Trans Union data. The firewall rules should ensure that only the web server is allowed to access the server(s) holding Trans Union data. Page 1 of 3 o A dual firewall implementation typically requires a firewall between the Internet and the web server and another firewall between the web server and the network server(s) holding Trans Union data. The rules in the second firewall should ensure that only the web server is allowed to access the server(s) holding Trans Union data. o Any other firewall strategy must provide comparable security to that described above. 2.3 Administrative access to the firewall(s) should be allowed only through a secured internal network or through direct serial port access. For remote administration, the preferred method is to dial into an internal local area network (LAN), provide strong authentication (like a token), and use a secure telnet session to access the firewall from inside the network. Modem dial-in access must not be allowed to the firewall serial port. 2.4 All Internet Protocol (IP) addresses of the internal network housing servers with Trans Union data must not be natively routed to the Internet. Devices accessing the Internet from the internal network must use Network Address Translation (NAT), Port Address Translation (PAT), or like technology that keeps internal IP addresses from becoming known to the Internet. 2.5 The reseller's or business partner's network must not allow any "back door" access to any servers holding Trans Union data. Back door access allows connection to the internal network without going through the firewall(s) or a remote access server with strong authentication. 2.6 All network connections to Trans Union must be protected so that the reseller's or business partner's other trusted trading partners cannot attempt to access Trans Union. 2.7 Firewalls must be configured to log exceptions and/or issue alerts. Such exceptions or alerts must be reviewed. 3.0 End User Authentication 3.1 The Trans Union-issued subscriber codes and passwords must be protected from unauthorized use. If such codes and passwords are given to third parties acting on behalf of the reseller or business partner, the third party must agree to protect them accordingly. 3.2 Trans Union-issued subscriber passwords must be changed if there has been any actual or suspected compromise or misuse of the passwords. 3.3 The reseller or business partner must use strong end user authentication mechanisms to ensure that Trans Union products are delivered only to authorized individuals. (Note: If non-web delivery, authentication mechanisms may identify an authorized process, as opposed to an individual, in cases where the reseller or business partner uses an automated process to pull Trans Union products.) 3.4 The authentication process must identify the individual who obtains the report at the end customer's location. Authentication at the company level is not adequate. (Also, see note about non-web delivery in 3.3 above.) 3.5 If identification codes IDs and passwords are being used for authentication: 3.5.1 Strong password policies must be in place (minimum length of 6 alpha and numeric characters, frequent and mandatory password changes - at least every 90 days). 3.5.2 IDs and passwords must be encrypted with strong (at least 128-bit) encryption keys when they travel over the Internet. 3.6 If digital certificates are used for individual authentication, the certificate authority must be trusted, the certification process must be sound, and the certificate must be protected by the end user. (NOTE: If both digital certificates and IDs/passwords are being used, the 90-day password change requirement is not required as long as the certificates are renewed no less frequently than on an annual basis.) 3.7 Servers storing IDs and passwords and/or digital certificate information must be secured with the same security measures as the servers holding Trans Union data. (See 1.2 above.) Page 2 of 3 3.8 The reseller or business partner must ensure that IDs or digital certificates of individual users who are no longer authorized to obtain Trans Union products are disabled or inactivated promptly. 3.9 The reseller or business partner's application must have adequate audit trails and detailed reports that allow early detection of fraudulent access and/or investigation of suspicious activity. 3.10 The application must have a timeout feature so that the end user must re-authenticate after an extended period of inactivity. The recommended setting for the timeout is 30 minutes. 4.0 Other Considerations 4.1 Wherever possible, the reseller's or business partner's application must use measures to reduce the risk of a returned credit report being used fraudulently. For example, social security numbers and/or account numbers would not be displayed if that information is not needed by the end user. 4.2 The application software used to receive and process requests for Trans Union products should comply with the Associated Credit Bureau (ACB) security standards. ACB security certification is strongly recommended. 4.3 ICSA or other third party review of the reseller's or business partner's security measures is highly recommended. 5.0 Security Incidents/System Changes 5.1 Any actual or suspected compromises of the above security measures must be reported to Trans Union as soon as they are known. 5.2 Any significant change to the Internet delivery system must be reviewed against these requirements to ensure continued compliance. Page 3 of 3 EXHIBIT D TO RESELLER SERVICE AGREEMENT (REQUIRED STEPS FOR RESELLER TO VERIFY THE IDENTITY OF ITS CUSTOMERS) 1. The actions taken to verify the type of customer will be notated on either the Subscriber Agreement or separate documentation within the membership file that will be maintained with the Subscriber Agreement. Records which document the investigation, and the Subscriber Agreement, must be retained as long as the customer continues to maintain access and for three (3) years thereafter. Those records (or copies thereof) must be made available to appropriate Trans Union personnel on request. 2. Confirm that the stated permissible purpose for obtaining consumer reports is compatible with the type of business conducted by the potential customer. 3. Conduct a physical inspection of the company's premises to assure that it is a legitimate business facility (not a residence) and that the furnishings, etc. are commensurate with the size and purported type of business, and in order to determine if it is an Unauthorized User. Documentation must be maintained demonstrating when and by whom the physical inspection was conducted and describing the company's premises. ` 4. Confirm that advertisements or signs are compatible with purported business. 5. Verify that the company has a business checking account and that the account balance is compatible with the size and nature of the company. 6. Verify business references to ensure that the potential customer has clientele which would support the stated business. 7. Verify business phone numbers by checking the phone directory or other phone records. 8. Check the yellow pages listings for the area where the customer is located to see if the prospective customer is listed under any of the categories identified previously as Unauthorized Users. If Reseller does not have access to the yellow pages listings for that area, Reseller may, instead, use an Internet Yellow Pages listing. 9. Check the Internet to determine if the prospective customer has a web page. If the prospective customer does have a web page, view the page to verify that the information on the web page is compatible with purported business, that the prospective customer is not an Unauthorized User, and that the prospective customer is a legitimate business. Page 1 of 1