VCOM Institutional Policy and Procedure Manual

4.2 Accounts In order to detect any of the Red Flags identified above for an existing Covered Account, College personnel will take the following steps to monitor transactions on an account:

Detect

1. Verify the identification of students if they request confidential information by asking them to provide identifying information (i.e. student id cards, social security numbers, dates of birth, etc.). 2. Require and only accept address changes that are made on the VCOM portal (a secure intranet that requires the user to enter an id and password), and; 3. Verify changes in banking information given for billing and payment purposes by ensuring that a voided check is provided with the change request, the voided check lists the student as the account owner, and the signature provided on the change form matches the original banking information request form received by VCOM. In order to prevent the likelihood of Identity Theft occurring with respect to Covered Accounts, VCOM will take the following steps with respect to its internal operating procedures to protect student identifying information: 1. Ensure that its website is secure or provide clear notice that the website is not secure; 2. Ensure complete and secure destruction of paper document and computer files containing student account information when a decision has been made to no longer maintain such information; 3. Ensure that office computers with access to Covered Account information are password protected; 4. Avoid use of social security numbers; 5. Ensure computer virus protection is up to date, and; 6. Require and keep only the kinds of student information that is necessary for school. R ESPONSE TO R ED F LAGS Should an employee identify a “red flag” (patterns, practices and specific activities that signal possible identity theft), they are instructed to bring it to the attention of VCOM’s Chief Financial Officer (CFO) immediately. The CFO will investigate the threat of identity theft to determine if there has been a breach and will respond appropriately to prevent future identity theft breaches. Additional actions may include notifying and cooperating with appropriate law enforcement and notifying the student of the attempted fraud. P ERIODIC P ROGRAM U PDATES This policy will be re-evaluated on or about the first day of each calendar year to determine whether all aspects of the program are up to date and applicable in the current business environments, and revised as necessary. Operational responsibility is delegated to the Chief Financial Officer. 6. 7. 5. P REVENT AND M ITIGATE I DENTITY T HEFT