Commercial Express Dealer Agreement
Cover Sheet
Please attach this sheet to ALL COMMERCIAL EXPRESS faxes
or other dwelling units used primarily for residential purposes), or (ii) any satellite master antenna television
or private cable system in a commercial or residential multiple dwelling unit (i.e., hotels, hospitals,
dormitories, etc.) be considered a Commercial Establishment; provided, however, that Commercial
Establishments within such multiple dwelling units (e.g., bars or restaurants within a hotel) shall still be
considered Commercial Establishments. For purposes of this Agreement, “Commercial Establishments” shall
consist of Public Viewing Locations, Business Viewing Locations and Private Offices (except where such term
is used in the definitions of such locations and offices). DIRECTV shall have the right to determine, in its
reasonable discretion, whether a Commercial Establishment constitutes a Public Viewing Location, Business
Viewing Location, Private Office or none of the foregoing under the applicable terms of this Agreement.
1.5 “Commercial Subscribers” shall mean those Commercial Establishments authorized by DIRECTV to
receive DIRECTV Service, including those activated following an Order by MSO DEALER or those activated
independently of MSO DEALER.
1.6 “MSO DEALER-Acquired Subscriber” means a Commercial Establishment located in the Territory
(i) which has not previously received any DIRECTV Service at such Commercial Establishment at any time
during the previous two (2) years (or such other period of time set forth in DIRECTV’s then-current standard
policies and procedures), (ii) which is not a National Account or Potential National Account, (iii) which has
activated a DIRECTV Programming Package following the submission of an Order by MSO DEALER, (iv)
for which MSO DEALER validly submits such initial Order to DSI in accordance with the Order Procedures,
(v) which makes the time-period commitment set forth in DIRECTV’s then-current standard policies and
procedures to subscribe to a DIRECTV Programming Package (including, if applicable, the National
Commercial Offer requirements), and (vi) which meets any other standard DIRECTV eligibility
requirements, including all requirements in order for MSO DEALER to be able to submit an Order.
1.7 “DSI Public Web Site” shall mean the web site at https://www.dsisystemsinc.com/, through which the DSI
MSO DEALER Center is available for viewing by DSI MSO Dealer.
1.8 “DIRECTV Subscriber Information” shall mean all information collected in connection with creating
and maintaining an MSO DEALER-Acquired Subscriber’s DIRECTV Services (or additional services that
may be provided by DSI/DIRECTV in the future) account, including, without limitation, the fact that an
MSO DEALER-Acquired Subscriber is or was a subscriber to DIRECTV Services (or additional services that
may be provided by DIRECTV in the future), programming purchases, credit and payment histories, credit
card or bank routing information, social security number, and profiles related solely to DIRECTV Services.
1.9 “National Account” means a Commercial Establishment that has been
identified by DSI/DIRECTV, in its sole and absolute discretion, to MSO DEALER pursuant to Section 1.5 as
a “National Account” of DSI/DIRECTV. “Potential National Account” means a Commercial Establishment
that is not on the list of National Accounts but is a Commercial Establishment that MSO DEALER knows,
or following reasonable diligence should know, is, or is controlled by, an entity with 20 or more owned,
franchised, or otherwise affiliated similar type of Commercial Establishments, or a Commercial
Establishment that has been otherwise identified by DIRECTV, in its sole and absolute discretion, to MSO
DEALER as a “Potential National Account” of DIRECTV.
1.10 “New Activation” means an Activation of one of the DIRECTV Programming Packages eligible for a
Prepaid Programming Commission (as set forth at the MSO DEALER Center or in other MSO DEALER
Notifications) at a Commercial Establishment which is not a Commercial Subscriber on the date of Activation
(i.e., a new Commercial Subscriber, but not any previous Commercial Subscriber).
1.11 “Private Office Location” means a Commercial Establishment wherein the usage and viewing of the
DIRECTV Service is (i) generally not accessible to the public nor a common area to which there is
substantially unrestricted access by two or more persons and (ii) not generally made available for television
viewing to parties other than the individual(s) exercising control over, or working in such location. For
clarity, even though more than two people working in an office can view the DIRECTV Service in a conference
room or break room, so long as the programming is not viewed by the general public, such office still
constitutes a “Private Office.”
1.12 “Programming Packages Sales Revenue” shall mean gross receipts actually received by
DSI/DIRECTV (net of any applicable Taxes, discounts, refunds, credits or applicable governmental charges)
from the sale of DIRECTV Programming Packages to MSO DEALER-Acquired Subscribers. For the
avoidance of doubt, “Programming Package Sales Revenue” does not include additional outlet/mirroring fees,
warranties, hardware or equipment fees, the cost of tangible products purchased by MSO DEALER-Acquired
Subscribers, video-on-demand fees, DVR service fees, pay-per-view, game services, interactive services, late
fees, early termination fees, non-recovered box fees, protection plans, installation, service and repair,
shipping, downgrade, re-connect fees or other similar fees.
1.13 “Public Viewing Location” means a Commercial Establishment wherein the usage and viewing of
DIRECTV Service is generally accessible to the public and/or the establishment’s clientele and/or in common
areas (such as waiting room/area or lobby) and (i) the Commercial Establishment’s primary source of revenue
is derived from the sale of food/beverage for immediate consumption, or (ii) the Commercial Establishment
is located within or affiliated with a hospitality or entertainment establishment (such as a bar, restaurant,
diner, stadium, casino, club, cafe, theater) and food/beverage is served for immediate consumption, or (iii)
the Commercial Establishment charges, as part of its primary business operation, admission, a cover charge
or a minimum charge.
1.14 “Subcontractor” or “subcontractor” means any person or entity (including an agent) supplying labor
or materials to perform any or all of MSO DEALER’s obligations under this Agreement as well as any person
or entity that is providing any type of data processing services including data manipulation, data storage, data
retrieval, data disposal, or other data-related services that involve DSI/DIRECTV, AT&T or any AT&T
customer’s data. The terms “Subcontractor” or “subcontractor” specifically include any person or entity at
any tier of subcontractors, and shall not be limited to those persons or entities with a direct relationship with
MSO DEALER.
1.15 “Territory” shall mean the United States and its territorial waters, unless otherwise limited to certain
geographical areas by DSI/DIRECTV.
SCHEDULE 1.6
OTHER LIMITATIONS OR RIGHTS
(Attached if Applicable)
SCHEDULE 2.2
SERVICE RESPONSE REQUIREMENTS
(Terms herein may be unilaterally updated by DSI/DIRECTV from time to time upon written notice to
MSO DEALER)
Call Center and Reporting Requirements. MSO DEALER must comply with the following:
MSO DEALER shall answer calls with a live operator between the hours of 8:30 am and 6:30 pm
local time (a/k/a business hours). At all other times, MSO DEALER shall maintain an answering system for
messages.
MSO DEALER Response Times. MSO DEALER must comply with the following:
MSO DEALER shall respond to customer service requests within four (4) business hours of the
request having been made by a MSO DEALER-Acquired Subscriber.
MSO DEALER shall promptly perform any required on-site service for a MSO DEALER-Acquired
Subscriber at commercially reasonable prices.
MSO DEALER shall participate in DSI/DIRECTV’s automated and manual service notification
process (including by email or phone), as updated by DSI/DIRECTV from time to time, and as more fully
defined in the Policies (the “DTV Notification Process”).
If a MSO DEALER-Acquired Subscriber contacts DSI to request service or report that MSO DEALER
failed to respond to a service request, DSI will notify (a “Service Notice”) MSO DEALER via the DSI
Notification Process.
Upon delivery of the Service Notice by DSI (the time of delivery being called the “DTV Service Notice
Time”), MSO DEALER must immediately contact the MSO DEALER-Acquired Subscriber to assist the MSO
DEALER-Acquired Subscriber (“Service Contact”) and, if the MSO DEALER-Acquired Subscriber’s issue
cannot be resolved over the phone, schedule an on-site service appointment. In some cases, DSI will notify
MSO DEALER through a three-way call with the MSO DEALER-Acquired Subscriber, in which case the
Service Contact and any required on-site service scheduling must be done during such call.
Service Contact must be completed no later than 48 hours (the “Routine Response Window”) after
the DTV Service Notice Time; provided, however, if the request for service is Emergent, the Service Contact
and any required on-site service (unless waived by the MSO DEALER-Acquired Subscriber) must be
completed before the earlier of the Routine Response Window or the time the MSO DEALER-Acquired
Subscriber contacts DSI again regarding the same issue (the “Emergent Response Window” and together
with the Routine Response Window, the “Response Windows” but each individually, also a “Response
Window”). “Emergent” means any service request for which MSO DEALER has already received a Service
Notice, and (i) the service request is from a Public Viewing Establishment or a 5-heart (as that term is
defined by DSI/DIRECTV) MSO DEALER-Acquired Subscriber or (ii) the service request is made less than
48 hours prior to or during any NFL football game, the Super Bowl, World Series, NBA Finals, Stanley Cup,
Soccer World Cup, Olympics or other major sporting event (as determined by DSI/DIRECTV) or (iii) MSO
DEALER failed to show up for the on-site service call or (iv) MSO DEALER did not provide the MSO
DEALER-Acquired Subscriber with an acceptable on-site service appointment.
Failure to Comply with Response Requirement.
If MSO DEALER fails to make Service Contact within the Response Window, or DSI is unable to
contact MSO DEALER for a three-way call to schedule an Emergent service request or MSO DEALER
refuses to fulfill the service request (a “Service Breach”), DSI may respond to the service call in its sole and
absolute discretion, and if DSI responds to the service appointment, DSI may charge MSO DEALER a service
fee in the amount of $125.00 (the “Service Fee”), plus any other costs incurred by DSI and not paid for by the
MSO DEALER-Acquired Subscriber. Service Fees are due within 10 days of receipt of DSI invoice or DSI
may offset compensation payable to MSO DEALER by the amount of Service Fees due.
Repeated Failure to Comply or Opt-out by MSO DEALER-Acquired Subscriber.
If a Service Breach occurs for the same MSO DEALER-Acquired Subscriber two (2) or more times or
MSO DEALER informs DSI/DIRECTV that a MSO DEALER-Acquired Subscriber declines the
service call offered by MSO DEALER or no longer wishes for MSO DEALER to perform on-site
service, DSI may Disassociate the MSO DEALER-Acquired Subscriber from MSO DEALER.
“Disassociation” means the separation of the MSO DEALER-Acquired Subscriber from the MSO
DEALER. Upon Disassociation, MSO DEALER is no longer authorized to act as a MSO DEALER
with respect to the MSO DEALER-Acquired Subscriber and will cease receiving any Continuing
Service Commission related to the MSO DEALER-Acquired Subscriber.
SCHEDULE 2.5(b)
SUBCONTRACTOR APPROVAL PROCESS
(To be determined)
SCHEDULE 2.6
TELEMARKETING POLICY
DSI/DIRECTV POLICY
FOR COMMERCIAL ACCOUNT TELEMARKETING
The information provided in this Commercial Telemarketing Policy is in summary form only and is
not intended to provide legal advice or counsel, nor is it an exhaustive list of all laws and regulations
applicable to your activities. Legal requirements may differ from jurisdiction to jurisdiction, and are
constantly evolving. You are solely and independently responsible for complete compliance with, and
consequences of noncompliance with, applicable laws and regulations. Therefore, it is imperative that you
consult your legal counsel for full details on the requirements of all applicable marketing laws and
regulations before undertaking any marketing campaign.
Please review this Policy carefully. You (including your employees) are expected to know and comply
with all marketing laws applicable to your activities.
DIRECTV’s policy is to adhere to all laws and regulations, including those relating to marketing
activities, and to conduct marketing activities in a respectful manner that does not impugn DSI/DIRECTV’s
reputation and goodwill. Each MSO Dealer is responsible for making sure that its own marketing activities
conform to the law and are conducted respectfully. You must take all steps necessary to tailor your marketing
efforts to conform to the law and DIRECTV’s policies.
MSO Dealers are independent contractors and must properly identify themselves in all activities,
and cannot hold themselves out as DSI/DIRECTV. In making any outbound or taking any inbound
calls, retailers cannot state that they are calling or answering calls "on behalf of" DSI/DIRECTV.
You are not authorized to hold yourself out as an agent of DSI/DIRECTV.
DSI maintains the right to immediately terminate its Agreement with any MSO Dealer that DSI believes,
in its sole discretion, may have breached the Agreement, violated DIRECTV’s policies, or otherwise engaged
in illegal, objectionable, inappropriate, or otherwise forbidden marketing activities. DSI will also
immediately terminate the Agreement of any MSO Dealer found to have made misrepresentations to
DSI/DIRECTV about its marketing activities.
Business to Business (B2B) Telemarketing
The federal Telephone Consumer Protection Act, 47 U.S.C. § 227 et seq. (“TCPA”), places restrictions
on the use of telephone equipment to market or promote products and services. Numerous states have
adopted statutes modeled after or more restrictive than the TCPA, each with its own penalty scheme.
Both the FCC and FTC have federal enforcement responsibilities in connection with telemarketing
activities. The Rules adopted by both agencies focus primarily on telemarketing to consumers,
residential phone numbers and cellular phones. Nevertheless, certain restrictions do apply to B2B
telemarketing, and DSI/DIRECTV as a company disapproves of certain other telemarketing activities
in connection with B2B telemarketing.
Following are DIRECTV’s specific policies and guidelines regarding outbound B2B telemarketing, but you
are required to review the TCPA and FCC and FTC Rules to ensure compliance with all aspects applicable
to B2B calls:
“Live operator” outbound telemarketing calls.
DIRECTV will permit MSO Dealers to make outbound B2B telemarketing calls by “live operator” so long as
such calls are in full compliance with the TCPA, applicable FCC and/or FTC rules, any applicable State laws,
and DIRECTV’s guidelines stated herein.
MSO Dealers must take care to assemble call lists that contain only land-line Business telephone numbers. Calls to residential telephone lines and calls to cellular phones are not permitted.
The TCPA prohibits any calls to emergency lines and guest rooms. Therefore, MSO Dealers must ensure that
no such numbers are on call lists. Particular care must be taken if a MSO Dealer intends to make calls to
hospitals, medical offices, health care facilities, fire or police departments, and hotels, motels, retirement
homes and so forth.
MSO Dealers may not use auto-dialers in a way that could tie up two or more lines of a multi-line business.
MSO Dealers must properly and at the outset identify themselves and not indicate or suggest that they are
“DSI/DIRECTV.”
Out of respect for the businesses called, and in furtherance of your reputation and goodwill, as well as the
reputation and goodwill of the “DSI/DIRECTV” brand, MSO Dealers must also be courteous, honest and
ethical, avoid calling on holidays or outside of normal business hours, and if requested by the business not
to be called again, maintain a list of such “Do Not Call” requests that is scrubbed before implementing
additional B2B telemarketing campaigns.
Before undertaking any Commercial, B2B telemarketing campaign, the MSO Dealer must submit a copy of
its telemarketing plan to DSI/DIRECTV. Such plan must include the following:
- a list of all States in which B2B telemarketing is planned to take place, along with a sworn
statement that the laws of such States have been reviewed to ensure compliance with
particular State telemarketing laws applicable to B2B calls; if any such State laws require
registration and/or purchase of a State “Do Not Call” database to conduct B2B telemarketing,
a separate sworn statement of compliance with all such registration and/or purchase and
DNC scrubbing requirements;
- all scripts to be used in the B2B telemarketing campaign;
- copies of materials used to train the live operators who will be making the calls (such
materials should address proper business identification, courteous treatment of prospects,
honesty and ethics, appropriate call times and honoring Do Not Call requests from
Commercial prospects);
- a description of how the call list was compiled, which description shall address how
residential, cellular, emergency and guest/resident phone lines were omitted from inclusion;
- if auto-dialers are to be used, a description of how calls to multiple phone lines of one business
are avoided and how all applicable “call abandonment” Rules are implemented and honored;
- a sworn statement regarding internal DNC compliance.
Facsimile advertising.
Facsimile advertising is a form of outbound telemarketing solicitation that is expressly disapproved of for
ANY use in advertising “DIRECTV” branded products and services. In addition, it is considered a violation
of this Commercial Telemarketing Policy for any independent MSO Dealer to use facsimile advertising in
connection with any “satellite television” product if such advertisement is likely to lead to confusion and the
mistaken belief that such advertising relates to DIRECTV-brand products or services.
Pre-recorded messages (including text and/or SMS messages[i]).
Pre-recorded message and text/SMS advertising is also a form of outbound telemarketing solicitation that is
expressly disapproved of for ANY use in advertising “DIRECTV” branded products and services. In addition,
it is considered a violation of this Commercial Telemarketing Policy for any independent MSO Dealer to use
pre-recorded message advertising in connection with any “satellite television” product if such advertisement
is likely to lead to confusion and the mistaken belief that such advertising relates to DIRECTV-brand
products or services.
Returning Calls to Prospective Commercial Customers
Return calls must be made with a live operator; no pre-recorded messages, including “Press 1” or other
approaches, should be used.
In addition, the FCC announced stricter rules under the TCPA in 2012, particularly as they relate to calls to
cellular phones. From time to time, a representative at a prospective Commercial Account may provide a cellular phone as a preferred method of contact. However, the new FCC rules do not allow telemarketing calls to be made using automatic dialing equipment to cellular phones absent proof of WRITTEN consent (ESIGN compliant proof may constitute written consent). Therefore, best practices suggest screening for
cellular phones and having operators initiate manually dialed calls to cellular phone numbers provided by
prospects, to avoid potential problems in demonstrating written consent.
If automatic dialing equipment is to be used to return calls to prospective Commercial Account
representatives at a cellular phone, special steps must be taken to avoid violations. First, return calls shall
not be made with automatic dialing equipment to any number simply “captured” through a caller ID or other
system. Return calls may only be placed to cellular phone numbers provided by Commercial Account
representatives who talked to an agent and provided clear consent to future calls at the cellular number.
Second, because using automatic dialing equipment to make telemarketing calls to cellular phones requires
WRITTEN consent, calls in which consent is obtained must be recorded and stored to maintain ESIGN proof
of consent. Either all calls need to be recorded and preserved, or, policies and procedures could be developed
for identifying cellular telephones (including asking the Commercial Account representative if the number
they are providing is a cellular number) and recording and maintaining written consents only insofar as
cellular phones are concerned.
No Third Party Solicitors/Marketing Agents
Your Agreement with DSI does not allow the use of third parties to solicit sales absent express written
approval of DIRECTV. Approval must be given by both the Vice President – Sales and Director, Business
Affairs. No other employee is authorized to provide approval, written or otherwise. You are not authorized
to use any agent, independent contractor or any other third party to conduct marketing campaigns as
addressed in this Policy. In the event that DSI/DIRECTV suspects you are using a third party to telemarket,
DSI may immediately terminate your Agreement.
* * * * * *
While telemarketing may be an effective means of reaching new Commercial prospects, care must be
taken to ensure compliance. Please proceed responsibly, in accordance with the law and
DSI/DIRECTV’s Commercial Telemarketing Policy, and only after consultation with your own legal
counsel. Thank you in advance for your attention to these matters and for your responsible promotion
of DIRECTV-brand DBS Products and Commercial Service in a positive and lawful manner.
[i] Outbound call lists for B2B calls shall only contain land-based business telephone lines. But to be clear, text and SMS
messages are not permitted.
SCHEDULE 6.1
COMMISSION SCHEDULE
Prepaid Programming Commissions
DSI shall pay MSO DEALER the Prepaid Programming Commissions per Activation of the qualifying Public
Viewing Programming Package, Business Viewing Programming Package or Private Viewing Programming
Package, at the rates and upon the terms and conditions set forth in the MSO DEALER Compensation Guide.
The MSO DEALER Compensation Guide is available for viewing by DSI MSO Dealer at the DSI Public Web Site
(https://www.dsisystemsinc.com). The terms and conditions set forth in the MSO DEALER Compensation Guide
relating to Prepaid Programming Commissions are hereby incorporated into this Agreement by this specific
reference. In addition, payment of such Prepaid Programming Commission is subject to the restrictions,
chargeback terms and changes described in Sections 6.3, 6.4 and 6.5 in the Agreement.
Bonus Amounts
DSI shall also pay MSO DEALER earned Bonus Amounts for its services in procuring Activations of certain
other DIRECTV Programming Packages or services not covered by the Prepaid Programming Commissions.
These Bonus Amounts include an International Bonus, Sports Bonus and DVR Service Bonus. The actual
Bonus Amounts and their related terms and conditions are set forth in the MSO DEALER Compensation
Guide. The MSO DEALER Compensation Guide is available for viewing by DSI MSO Dealer at the DSI Public Web Site
(https://www.dsisystemsinc.com). The terms and conditions set forth in the MSO DEALER Compensation Guide
relating to Bonus Amounts are hereby incorporated into this Agreement by this specific reference. Bonus
Amounts will not be subject to chargeback, unless otherwise set forth in the MSO DEALER Compensation
Guide. To the extent not set forth in the MSO DEALER Compensation Guide, payment of such Bonus
Amounts is subject to the restrictions described in the Agreement, including, without limitation, those set
forth in Section 6.3 thereof.
The current MSO DEALER Compensation Guide, DSI/DIRECTV Rate Card and additional programming
and pricing information are available for viewing by DSI MSO Dealer at the DSI Public Web Site
(https://www.dsisystemsinc.com).
NOTE: MSO DEALER will not receive a Prepaid Programming Commission or Bonus Amount if a MSO
DEALER-Acquired Subscriber’s DIRECTV Service is terminated, canceled, or disconnected (whether
initiated by the MSO DEALER-Acquired Subscriber or DSI/DIRECTV) within thirty (30) days of the date of
the Activation (or will be charged back if payment was already made).
SCHEDULE 6.2
CONTINUING SERVICE COMMISSION SCHEDULE
DSI shall pay to MSO DEALER Continuing Service Commissions on the terms and conditions in the
Agreement and as set forth in the MSO DEALER Compensation Guide made available at the MSO DEALER
Center. The terms and conditions set forth in the MSO DEALER Compensation Guide relating to Continuing
Service Commissions are available for viewing by DSI MSO Dealer at the DSI Public Web Site
(https://www.dsisystemsinc.com).
MSO DEALERS will receive a Continuing Service Commission; the default Continuing Service Commission
shall be the default rate set forth in the MSO DEALER Compensation Guide. Information on Continuing Service
Commissions is available for viewing by DSI MSO Dealer at the DSI Public Web Site.
Information (CPNI), software source code for software developed or customized for AT&T, information
security incident reports, nonpublic marketing and financial information, and AT&T end user customer
contact lists.
“Mobile and Portable Devices” means mobile and/or portable computers, devices, media and systems capable
of being easily carried, moved, transported or conveyed that are used in connection with the Agreement.
Examples of such devices include laptop computers, tablets, USB hard drives, USB memory sticks, Personal
Digital Assistants (PDAs), and wireless phones, such as smartphones.
“Multi-Factor Authentication” (also known as Two-Factor Authentication and Strong Authentication) means
the use of at least two of the following three types of authentication factors:
- A physical or logical credential the user has, such as an electronically readable badge, a token card
or a digital certificate;
- A knowledge-based credential, such as a password or PIN; and
- A biometric credential, such as a fingerprint or retina image.
“Nonpublic Information Resources” means those Information Resources used in connection with the
Agreement to which access is restricted and requires proper authentication and authorization.
“Sensitive Personal Information” or “SPI” means the data elements listed in the “Table of AT&T SPI Data
Elements” located at the end of this appendix. All SPI Data Elements are considered In-Scope Information.
“Security Gateway” means a set of control mechanisms between two or more networks having different trust
levels which filter and log traffic passing, or attempting to pass, between networks, and the associated
administrative and management servers. Examples of Security Gateways include firewalls, firewall
management servers, hop boxes, session border controllers, proxy servers, and intrusion prevention devices.
“Strong Encryption” means the use of encryption technologies with minimum key lengths of 128-bits for
symmetric encryption and 1024-bits for asymmetric encryption whose strength provides reasonable
assurance that it will protect the encrypted information from unauthorized access and is adequate to protect
the confidentiality and privacy of the encrypted information, and which incorporates a documented policy
for the management of the encryption keys and associated processes adequate to protect the confidentiality
and privacy of the keys and passwords used as inputs to the encryption algorithm.
“MSO DEALER Entity” or “MSO DEALER Entities” means MSO DEALER, its affiliates and subcontractors.
In accordance with the foregoing, MSO DEALER shall:
System Security
1. At least monthly, ensure all software (including operating systems, plug-ins, and applications) is patched
for any newly identified security vulnerabilities.
2. Ensure that security settings of host operating systems cannot be changed by unauthorized users.
3. Host operating systems must be hardened to reduce available ways of attack. Hardening typically
includes use of host-based firewalls, changing default passwords, removing unnecessary software,
UserIDs, usernames or logins, and disabling or removing unnecessary services. This
hardening of the system’s security configurations, operating system software, firmware and applications
is intended to prevent exploits that attack flaws in the underlying code.
4. Limit authorized system administrators (also known as root, privileged, or super user) access to
operating systems intended for use by multiple users only to individuals requiring such high-level access
in the performance of their jobs. All usage of system administrator access must ensure that individual
accountability is maintained. All privileged activities must be enforced with appropriate segregation of
duties.
5. Enforce the rule of least privilege by restricting access of users to only the Information and applications
needed for them to perform business functions. Additionally, AT&T data and applications must only be
used for work authorized in the agreement.
Network Security
6. Use Strong Encryption for the transfer of In-Scope Information.
Information Security
7. Limit access to In-Scope Information only to authorized users or systems on a need to know basis, and
for the performance of In-Scope Work.
Identification and Authentication
8. For access to In-Scope Information and for host devices that support it, assign unique credentials (e.g.,
User IDs, passwords) to authorized individual users, assign individual ownership to system service
accounts, and ensure that system service accounts are not shared by administrators.
9. Lock the user account after no more than six (6) consecutive failed login attempts. Access to the user
account can be reactivated through the use of a manual process requiring
verification of the user’s identity or, where such capability exists, can be automatically reactivated after
at least three (3) minutes from the last failed login attempt.
10. Terminate interactive sessions on a user’s workstation, or activate a secure, locking screensaver
requiring authentication, after a period of inactivity not to exceed fifteen (15) minutes. On all other
Information Resources, terminate inactive sessions after a period of inactivity not to exceed thirty (30) minutes.
11. a. Use an authentication method based on the sensitivity of In-Scope Information. Whenever
authentication credentials are stored, MSO DEALER shall use Strong Encryption and/or one-way
hashing based upon strong cryptography.
b. Passwords must be complex and meet the following password construction requirements:
- Be a minimum of eight (8) characters in length.
- Include characters from at least two (2) of these groupings: alpha, numeric, and special
characters.
- Not be the same as the UserID with which they are associated.
- Not contain repeating or sequential characters or numbers.
c. PINs must meet the following:
- Be a minimum of four (4) numbers; and
- Not contain repeating or sequential numbers.
d. Require password and PIN expiration at regular intervals not to exceed ninety (90) calendar days.
12. When providing users with a new or reset password, or other authentication credentials, use a secure
method to provide this information, and require reset at first login whenever a temporary credential is
used.
Software and Data Integrity
13. Have current antivirus software installed and running to scan for and promptly remove or quarantine
viruses and other malware.
Reporting Violations
14. Maintain a documented procedure to be followed in the event of a suspected attack upon, intrusion upon,
unauthorized access to, loss of, or other security breach involving In-Scope Information in which MSO
DEALER shall:
a. Promptly investigate and make a determination if such an attack has occurred; and
b. In the event that a successful attack has occurred involving In-Scope Information or it is impossible
to determine whether the attack was successful then MSO DEALER shall promptly notify AT&T by
contacting:
i. Asset Protection by telephone at 1-800-807-4205 from within the US and at 1-908-658-0380 from
elsewhere; and
ii. MSO DEALER’s contact within AT&T for service-related issues.
15. After notifying AT&T whenever there is a successful attack upon, intrusion upon, unauthorized access
to, loss of, or other breach of In-Scope Information, provide AT&T with regular status updates, including,
actions taken to resolve such incident, at mutually agreed intervals or times for the duration of the
incident and, within seven (7) calendar days of the closure of the incident, provide AT&T with a written
report describing the incident, actions taken by the MSO DEALER during its response and MSO
DEALER’s plans for future actions to prevent a similar incident from occurring.
Mobile and Portable Devices
16. Use Strong Encryption to protect all In-Scope Information stored on Mobile and Portable Devices.
17. Use Strong Encryption to protect all In-Scope Information transmitted using or remotely accessed by
network-aware Mobile and Portable Devices.
18. Maintain documented policies, standards and procedures for Mobile and Portable Devices used to access
and/or store In-Scope Information that include the following requirements:
a. All users must be authorized for such access and their identity authenticated;
b. Mobile and Portable devices must be physically secured and/or in the physical possession of
authorized individuals;
c. Where technically feasible, use a remote wipe capability on such devices to promptly and securely
delete In-Scope Information, when such devices are not in the physical possession of authorized
individuals nor otherwise physically secured; and
d. Jailbroken or rooted smartphones cannot be used to perform In-Scope Work.
19. Implement and maintain a documented policy that prohibits the use of any:
a. MSO DEALER-issued Mobile and Portable Devices to access and/or store In-Scope Information
unless the device is administered and/or managed by MSO DEALER; and
b. Non-MSO DEALER-issued Mobile and Portable Devices to access and/or store In-Scope Information,
as in cases where MSO DEALER has a “Bring Your Own Devices” (BYOD) program, unless
adequately segregated and protected, such as by an MSO DEALER administered and/or managed
secure container-based solution.
Security Gateways
20. For access to Security Gateways ensure that user authorization levels to administer and manage
Security Gateways are appropriate, and that all rule sets either explicitly or implicitly “DENY ALL”
inbound access except where there is a business need, and then with strong authentication. For access
to In-Scope Information and for host devices that support it, assign unique credentials (e.g., UserIDs,
passwords) to authorized individual users, assign individual ownership to system service accounts, and
ensure that system service accounts are not shared by administrators.
Wireless Networking
21. Use Strong Encryption when transmitting AT&T In-Scope Information over Wi-Fi. Bluetooth should not
be used to transmit AT&T In-Scope Information unless the data is encrypted separately before
transmission.
22. Use strong passwords and WPA2 to protect all In-Scope Information accessed or transmitted over a
wireless network.
MSO DEALER Entity Compliance
23. MSO DEALER shall:
Ensure all MSO DEALER Entities performing In-Scope Work are aware of, and in compliance with,
these Security Requirements. MSO DEALER shall contractually obligate, or cause (as the case may be)
its Subcontractors that perform any In-Scope work to comply with these Security Requirements, or in
any event, requirements that are no less stringent. Upon AT&T’s request, MSO DEALER will provide
documentation and/or evidence to substantiate such compliance to AT&T’s satisfaction.
Protection of AT&T’s SPI
24. Use Strong Encryption to protect AT&T’s SPI when transmitted over any network.
25. Use Strong Encryption to protect AT&T’s SPI when stored.
Table of AT&T SPI Data Elements
Data elements in the following tables are classified as AT&T Proprietary (Sensitive Personal Information) and must be treated as such when used in their entirety, unless:
a. Explicitly stated in the following tables.
— or —
b. It relates to an individual's own information kept for their own purposes (This type of
personal data should not be stored on AT&T assets or premises).
The following are true for all data formats, including scanned images, PDFs and JPGs.
The following “Privacy” data elements have been classified as AT&T Proprietary (Sensitive Personal
Information) when they apply to an employee, contractor, customer or MSO DEALER, except where
explicitly stated otherwise.
Individual Identification
Data Element: Description
Driver’s License Number
Taxpayer Identification Number
U.S. Social Security Number (SSN)
Nationally-Issued Identification Number: Includes visa and/or passport values. Excludes any such numbers that are issued on the understanding that they must be a matter of public record, e.g., U.S. FCC Radio License.
State or Province-Issued Identification Number
Financial Data
Data Element: Description
Payment Card Number: Primary Account Number (PAN) for all types of payment card (corporate, personal, etc.).
Payment Card Security Data: The security data used in association with a payment card (corporate, personal, etc.) in order to confirm legitimate use. Includes, for example, Personal Identification Numbers (PINs) used with payment cards, but excludes PINs used to authenticate access to AT&T systems.
Bank Account Number: Includes all types of bank accounts (savings, checking, etc.), both personal and business, in an individual's name. Excludes bank routing number.
Computer Identification and Authentication
Data Element: Description
Customer Authentication Credentials (Applies to Customers only): Values used by customers to authenticate and permit access to: the customers' personal information, including CPNI and AT&T Proprietary (Sensitive Personal Information); or an application enabling the customer to subscribe to, or unsubscribe from, AT&T services; or an AT&T service the customer is subscribed to. Includes Personal Identification Numbers (PINs), passwords or passcodes. Excludes Card Security Codes and PINs used in association with payment cards.
Customer Authentication Credential Hints (Applies to Customers only): Answers to questions used to retrieve customer authentication credentials, for example mother's maiden name.
Location-Based Information (LBI): Information that identifies the current or past location of a specific individual's mobile device. This element contains two factors, both of which must be present and able to be associated with each other:
1. A mobile device's location (e.g. a map address, or latitude and longitude together with altitude where known) derived from the mobile device through activities such as GPS or network connectivity, rather than as a result of user action (e.g. revealing location in the content of an email or SMS); and
2. An individual's identity derived from a unique identifier assigned to that mobile device, such as customer name, MSISDN, IMSI, IMEI or ICCID.
Other Data
Data Element: Description
Date of Birth (DOB): An individual's full and complete DOB, i.e. including Month, Day and Year. Excludes partial DOB where only Month and Day are used without Year. This element contains two factors, both of which must be present and able to be associated with each other:
1. A full and complete DOB; and
2. The individual's identity, either explicitly or via a unique identifier that can be linked to that individual.
Biometric Data: Measures of human physical and behavioral characteristics used for authentication purposes, for example fingerprint, voiceprint, retina or iris image. Excludes templates that contain discrete data points derived from biometric data that do not hold the complete biometric image, where the template cannot be reverse engineered back to the original biometric image.
Criminal History (Subject to non-U.S. jurisdiction [1]): Information about an individual's criminal history, e.g. the criminal check portion of a background check.
Racial or Ethnic Origin (Subject to non-U.S. jurisdiction [1]): Data specifying and/or confirming an individual's racial or ethnic origin.
Trade Union Membership (Subject to non-U.S. jurisdiction [1]): Data specifying and/or confirming an individual is a member of a trade union outside of the U.S.
Information Related to an Individual's Political Affiliation, Religious Belief, or Sexual Orientation (Subject to non-U.S. jurisdiction [1]): Data specifying and/or confirming an individual's political affiliation, religious or similar beliefs, or sexual life or orientation.
The following “Human Resources” data elements have been classified as AT&T Proprietary (Sensitive
Personal Information) when they apply to an employee, contractor, customer or MSO DEALER:
Health Data
Data Element: Description
U.S. Protected Health Information (PHI): Includes any U.S. health information used in AT&T's Group Health Care plans or belonging to AT&T's customers that identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual, and that includes information about: the individual's past, present or future physical or mental health or condition; the provision of health care to the individual; or the past, present, or future payment for the provision of health care to the individual. Health information of retirees, employees, or employee beneficiaries used by AT&T for purposes other than a group health plan is not PHI.
Medical and Health Information (Subject to non-U.S. jurisdiction [1]): Any information concerning physical or mental health or condition. Includes disability information.
Footnotes:
[1] Where data elements have the term “Subject to non-U.S. jurisdiction” associated with them, that data element is to be classified as AT&T Proprietary (Sensitive Personal Information) when applied to data elements subject to non-U.S. jurisdiction, irrespective of whether the data is created, handled, processed, destroyed or sanitized inside or outside the U.S.
Data Management - Sensitive Customer Data (SCD)
Data Element: Description
Customer Set Top Box Viewing History: Information about programs watched or recorded, games and applications used, etc. by AT&T customers.
Customer Web Browsing History: Information about what websites the AT&T customers visit and applications they use on any network (wireline and wireless, including Wi-Fi); this does not include browsing and activities associated with the AT&T customers’ use of official AT&T corporate websites.
Digital Life Data: Includes video files, sensor data and other data that is generated by our customers’ use of the Digital Life service.
SCHEDULE 8
INSURANCE REQUIREMENTS
1. With respect to MSO DEALER’s performance under this Agreement, and in addition to MSO
DEALER’s obligation to indemnify, MSO DEALER shall at its sole cost and expense:
a. maintain the insurance coverages and limits required by this section and any
additional insurance and/or bonds required by law;
b. at all times during the term of this Agreement; and
c. with respect to any coverage maintained in a “claims-made” policy, for two (2) years
following the term of this Agreement. If a “claims-made” policy is maintained, the
retroactive date must precede the commencement of work under this Agreement;
2. Require each subcontractor who may perform work on MSO DEALER’s behalf to maintain
coverage, requirements, and limits at least as broad as those listed in this section from the time
when the subcontractor begins work, throughout the term of the subcontractor’s work and, with
respect to any coverage maintained on a “claims-made” policy, for two (2) years thereafter;
3. Procure the required insurance from an insurance company eligible to do business in the state or
states where work will be performed and having and maintaining a Financial Strength Rating of
“A-” or better and a Financial Size Category of “VII” or better, as rated in the A.M. Best Key Rating
Guide for Property and Casualty Insurance Companies, except that, in the case of Workers’
Compensation insurance, MSO DEALER may procure insurance from the state fund of the state
where work is to be performed; and
4. Provide to DSI certificates of insurance stating the types of insurance and policy limits. MSO
DEALER shall provide or will have the issuing insurance company provide at least 30 days
advance written notice of cancellation, non-renewal, or reduction in coverage, terms, or limits to
DSI/DIRECTV. MSO DEALER shall deliver such certificates:
a. prior to the commencement of work, but not later than forty-five (45) days following
the Effective Date of the Agreement if the work has not commenced;
b. prior to expiration of any insurance policy required in this section; and
c. for any coverage maintained on a “claims-made” policy, for two (2) years following the
term of this Agreement or completion of all work associated with this Agreement,
whichever is later.
5. The Parties agree:
a. The failure of DSI to demand such certificate of insurance or failure of DSI to identify
a deficiency will not be construed as a waiver of MSO DEALER’s obligation to maintain
the insurance required under this Agreement;
b. That the insurance required under this Agreement does not represent that coverage
and limits will necessarily be adequate to protect MSO DEALER, nor be deemed as a
limitation on MSO DEALER’s liability to DSI in this Agreement;
c. MSO DEALER may meet the required insurance coverages and limits with any
combination of primary and Umbrella/Excess liability insurance; and
d. MSO DEALER is responsible for any deductible or self-insured retention.
6. The insurance coverage required by this section includes:
A. Workers’ Compensation insurance with benefits afforded under the laws of any state
in which the Work is to be performed and Employer’s Liability insurance with limits
of at least:
$500,000 for Bodily Injury – each accident
$500,000 for Bodily Injury by disease – policy limits
$500,000 for Bodily Injury by disease – each employee
To the fullest extent allowable by Law, the policy must include a waiver of subrogation
in favor of DSI Systems, Inc., its affiliates, and their directors, officers and employees.
In states where Workers’ Compensation insurance is a monopolistic state-run system,
MSO DEALER shall add Stop Gap Employer’s Liability with limits not less than
$500,000 each accident or disease.
B. Commercial General Liability insurance written on Insurance Services Office (ISO)
Form CG 00 01 04 13 or a substitute form providing equivalent coverage, covering
liability arising from premises, operations, personal injury, products/completed
operations, and liability assumed under an insured contract (including the tort liability
of another assumed in a business contract) with limits of at least:
$2,000,000 General Aggregate limit
$1,000,000 each occurrence limit for all bodily injury or property damage incurred in
any one (1) occurrence
$1,000,000 each occurrence limit for Personal Injury and Advertising
proposes to have perform any Service that permits Physical Entry or virtual or other access
to DSI/DIRECTV’s or its customers’ systems, networks, or information (“Access”) at any time
during the term:
(1) has been convicted of any felony, or has been convicted of any misdemeanor involving
violence, sexual misconduct, theft or computer crimes, fraud or financial crimes, drug
distribution, or crimes involving unlawful possession or use of a dangerous weapon
(“Conviction”) or
(2) is identified on any government registry as a sex offender (“Sex Offender Status”); and
(ii) in addition to the requirements of (i), perform a Drug Screen on any MSO DEALER Person
whom MSO DEALER proposes to have Physical Entry onto DSI/DIRECTV’s or its customers’
premises and not permit any such MSO DEALER Person presenting a positive Drug Screen
to have Physical Entry onto DSI/DIRECTV’s or its customers’ premises.
MSO DEALER shall comply with the obligations of Subsection a(i) above through the use of a third
party service which shall perform a review of applicable records for those counties, states, and
federal court districts in which a proposed MSO DEALER Person has identified as having resided,
worked, or attended school in the previous ten (10) years, unless a shorter period is required by
any federal, state, or local law.
b. MSO DEALER acknowledges and agrees that it is MSO DEALER’s sole and exclusive
responsibility to determine whether a MSO DEALER Person’s Conviction or Sex Offender Status
has a reasonable relationship to the individual’s fitness or trustworthiness to perform the Service, subject to any federal, state, or local restrictions on the consideration of criminal convictions in
making employment decisions and whether such MSO DEALER Person should be permitted
Access during the term under the terms of this Agreement and in compliance with all federal,
state, and local laws, unless an exception is granted by DSI under paragraph e. of this Section.
c. MSO DEALER represents and warrants to DSI that, to the best of its knowledge, no MSO
DEALER Person has (i) falsified any of his or her Identification Credentials, or (ii) failed to disclose
any material information in the hiring process relevant to the performance of any Service. MSO
DEALER shall not permit any MSO DEALER Person who has falsified such Identification
Credentials or failed to disclose such information to perform any Service that permits Access.
d. The following definitions apply:
1. “Physical Entry” means that an individual (i) is permitted to bodily enter, on an unsupervised
(or badged) basis, into secured areas not available to the general public, or (ii) is permitted on
a regular basis to have supervised or escorted bodily access into secured areas not available to
the general public for more than thirty (30) days in the aggregate annually.
2. “Identification Credentials” includes, with respect to each MSO DEALER Person, his or her
Social Security number, driver’s license, educational credentials, employment history, home
address, and citizenship indicia.
3. “Drug Screen” means the testing of any individual for the use of illicit drugs (including opiates,
cocaine, cannabinoids, amphetamines, and phencyclidine (PCP)).
e. The failure of MSO DEALER to comply with the requirements of this Section shall be considered
a material breach of this Agreement. Notwithstanding any of the foregoing, exceptions for
individual MSO DEALER Persons may be granted by DSI on a case-by-case basis.
SCHEDULE 15(a)
AGREEMENT REGARDING NON-EMPLOYMENT STATUS WITH DSI/DIRECTV
This Agreement (“Agreement”) is made by the individual named below (“I” or “me”), who is an
employee of __________________________________(“MSO DEALER”), and who has been hired or
engaged to perform work for MSO DEALER in fulfillment of the terms and conditions of the
agreement(s) between MSO DEALER and DSI/DIRECTV, LLC, a California limited liability company
and a wholly-owned subsidiary of AT&T, Inc., and/or their respective affiliates (collectively “AT&T
Company”).
I. Status
I hereby agree and acknowledge that I have been engaged by MSO DEALER to provide services
on behalf of MSO DEALER in fulfillment of its contractual obligations to AT&T Company. I
am not being hired or engaged by any AT&T Company in any capacity. I have no right or
authority to assume or to create any obligation or responsibility on behalf of any AT&T
Company.
No employment, joint venture or partnership relationship has been created between me and
AT&T Company by this Agreement or by any other agreement between me and MSO DEALER
for the provision of services on behalf of the MSO DEALER.
I acknowledge and agree that MSO DEALER shall be solely responsible for all payments to
me for my work performed on the MSO DEALER’s behalf under its agreement(s) for services
with any AT&T Company, including payment of compensation, premium payments for
overtime, bonuses, and other incentive payments, if any, and payments for vacation, holiday,
sick days or other personal days, if any. Also, I will be solely responsible for negotiating and
agreeing with MSO DEALER for participation in any MSO DEALER benefit plans, including
any pension, savings, or health and welfare plan. Unless AT&T Company expressly provides
otherwise in writing, I further understand and agree that I am not eligible to participate in or
receive any benefits under the terms of any AT&T Company’s pension plans, savings plans,
health plans, vision plans, disability plans, life insurance plans, stock option plans, or any
employee benefit plan sponsored by any AT&T Company for any period of time. I understand
and agree that the cash payments and benefits which I receive from MSO DEALER shall
represent the sole compensation to which I am entitled, and that MSO DEALER will be solely
responsible for all matters relating to compliance with all employer tax obligations, arising
from any work performed by me on behalf of MSO DEALER in fulfillment of its contractual
obligations with any AT&T Company. These tax obligations include but are not limited to the
obligation to withhold employee taxes under local, state and federal income tax laws,
unemployment compensation insurance tax laws, state disability insurance tax laws, social
security and Medicare tax laws, and all other payroll tax laws or similar laws.
II. Work Policies and Rules
1. I understand that AT&T Company policy requires MSO DEALER to ensure that its
employees, including me, engage in personal conduct and comments in the workplace that
support a professional environment free of inappropriate behavior, language, jokes or
actions which could be perceived as sexual harassment or as biased, demeaning, offensive,
derogatory to others based upon race, color, religion, national origin, sex, age, sexual
orientation, marital status, veteran’s status or disability, or words or conduct that is
threatening and/or disrespectful of others.
2. If AT&T Company provides me access to its computer systems, I understand that AT&T
Company requirements for MSO DEALER include the following and agree: (a) to use such
systems in a professional manner, (b) to use such systems only for AT&T Company
business purposes, (c) to use such systems in compliance with AT&T Company’s applicable
requirements, standards and guidelines for computer systems use and applicable laws, and
(d) to use password devices, if applicable and if requested by AT&T Company. Without
limiting the foregoing, AT&T Company property, including but not limited to Intranet and
Internet services, shall not be used for personal purposes or for any purpose which is not
directly related to the performance of work in fulfillment of MSO DEALER’s agreement(s)
with any AT&T Company. I acknowledge and agree that I must have a valid MSO
DEALER-supported AT&T Company business reason to access the Intranet and/or the
Internet from within AT&T Company’s private corporate network.
III. Administrative Terms
1. This Agreement shall be effective as of the date executed below, and shall remain in effect
through my termination of employment or engagement with MSO DEALER or my
reassignment by MSO DEALER to another job unrelated to the MSO DEALER’s
provisioning of services to any AT&T Company.
2. If any provision of this Agreement is held to be invalid or unenforceable, then such invalid
or unenforceable provisions shall be severed, and the remaining provisions shall remain in
full force and effect to the fullest extent permitted by law.
My signature below attests to the fact that I have read, understand and agree to be legally bound by
the terms of this Agreement Regarding Non-Employment Status with DSI/DIRECTV and AT&T