Fraud Solutions Professional Services Agreement - Schedule B
Kroll Background America, Inc.
The Data Breach Preparedness Program includes the following components, which are accessible via a CD-ROM unless otherwise noted:
A. Breach Preparedness Guide
When you implement Kroll's Breach Preparedness Program, the first thing you will receive is the Breach Preparedness Guide, which is an essential tool and the touchstone for the program. The guide is presented in both hard copy (binder) and electronically (CD). The binder establishes both a reference source and a central location to document processes for a breach event. The CD can be used for working versions of the program components. The binder is organized for ease of use, with tabs for each component of the program and readily available contact information.
B. Risk Assessment and Consultation
The goal of the assessment is to highlight areas that may put your organization at risk for a data breach. The self-scoring assessment is performed by stakeholders identified within the organization. The results of this assessment are analyzed by one of Kroll's information security experts, who then consults with the organization on the results. Kroll can help you institute an action plan based on the results that will help you guide your organization to a more secure, defensible position in the event a breach does occur.
C. Privacy Awareness Training
Employees represent the single best line of defense for detecting both breach events and the causes that lead to these events. Therefore, it’s important to provide continuing education training that gives them the knowledge base necessary to act as privacy advocates for your organization. This employee training program delivers best practice instruction for handling sensitive information and the safeguards that must be used to minimize the risk of a data breach. Because the training is in electronic format, it can be deployed by either providing employees with a hyperlink or incorporating it into your existing platform. Because of the regulation surrounding personal health information, Kroll also provides privacy awareness training specific to healthcare and protecting PHI.
D. Security Awareness Tools
Keeping privacy and security top of mind for all employees can be a very difficult task that sometimes requires even daily reminders to reinforce what employees already know – they must act as privacy advocates for the entire organization. To that end, you’ll receive tools that include confidentiality memoranda, certificates for acknowledging confidentiality memos and completed training, security awareness posters, and other tools that can be used as-is, or customized by the organization as needed to further raise awareness.
E. Red Flags Rule Training
If you are considered a covered entity under the Federal Trade Commission’s (FTC) Red Flags Rule, Kroll provides a training program that informs employees of their responsibilities in identifying, detecting, and responding to identity theft red flags, as identified by the organization, as well as how each employee contributes to overall organizational compliance. The format is electronic, so it can be deployed similarly to the privacy awareness training.
F. Red Flags Rule Program Guide
In order to be compliant, all organizations subject to the Red Flags Rule must develop and implement a formal, written and revisable “identity theft prevention program” to detect, prevent, and mitigate identity theft. This customizable Red Flags Rule Program Guide simplifies the process through a template document that contains educational material, guidance on various necessary components, and ultimate design flexibility to create the program that is appropriate to your organization’s size and potential risks of identity theft.
Kroll is committed to providing direct support and direct access when you need it most – this is a Kroll differentiator and a key value point for the Breach Preparedness Program. The best way to complete the mission-critical tasks intrinsic to the program is to keep the lines of communication open, through regular communication and access to your dedicated Kroll specialists. Your client manager will communicate with you on a regular basis concerning milestones within the program that will help keep your organization up-to-date and on task.
H. Best Practice Materials
From the beginning, you’ll receive best practices material already included in the virtual guide on your CD. You’ll also receive monthly communications, including a Kroll newsletter, and have direct access to valuable information and materials – like our Legislative Library – through the client portal.
I. The Kroll Team
You’ll receive support from Kroll's entire network of specialists, at your disposal to address any potential risk-oriented need. Your immediate, personal contact begins with a client executive as well as a client manager, who will be available whenever you have questions about your program and will be a constant source of communication. The client manager can facilitate your consultation with our information security experts, who have decades of experience solving problems ranging from data forensics to physical security. This team will also be ready to spring into action in the event sensitive data is breached. Your organization can be confident knowing that, in the event of a breach, Kroll stands ready to immediately consult, notify, and resolve issues
Section II: Data Breach Management Services
A. Member Enrollment, Notification and Solution Support Center Access
Kroll will provide for the preparation and mailing to the residential addresses of all of those individuals whose names are on the Initial List furnished by the University to Kroll, an Initial Notice, as defined in the Agreement. The Initial Notice is in the general form attached as Exhibit "A" to the Agreement. The Initial Notice shall be mailed by Kroll to each person on the Initial List. This mailing will occur no later than 10 business days after the University notifies Kroll in writing to begin the mailing. [Note to Mark: This is covered in the first section of the agreement.]
A toll-free phone number provided by Kroll and staffed by a Kroll support team is incorporated into the notification to provide Members access to an experienced team to address questions about the service being provided as well as general questions about identity theft. The support team will be knowledgeable about the breach event to the extent included in the finalized notification letter and able to address specific questions about the Services being provided.
The Solution Support Center is the focal point for all calls, and callers are triaged based on need. The Solution Support Center is staffed from 8 am to 5 pm, Central Standard Time, Monday through Friday, excluding major holidays.
1. Continuous Credit Monitoring
Single Bureau Online Continuous Credit Monitoring
Credit Specialist Consultation
Credit Services Terms and Exclusions
All Members receive access to the following consultative services:
Consultation Services are limited to the solutions, best practices, legislation, and established industry and organizational procedures in place in the United States and Canada.
3. Identity Theft Restoration Services
Kroll's Licensed Investigators perform the bulk of the restoration work required to attempt to restore the Member's identity to pre-theft status. The following list outlines Kroll's typical identity restoration process. Please note that each case is different and Kroll investigators will typically address a variety of other issues during a restoration case.
Within 24 hours of receiving a fully executed Limited Power of Attorney and copies of the Member's social security card, driver’s license, identity theft police report and most recent utility statement – complete with the Member's current name and address – Kroll shall:
After receiving the Credit Authorization Form, Kroll shall:
Where warranted, Kroll shall:
In all cases, Kroll provides:
Identity Theft Restoration Service Exclusions
Legal Remedy - Any Stolen Identity Event where the Member is unwilling to prosecute or otherwise bring a civil or criminal claim against any person culpable or reasonably believed to be culpable for the fraud or its consequences.
Dishonest Acts - Any dishonest, criminal, malicious or fraudulent acts, if the Member(s) that suffered the fraud personally participated in, directed or had knowledge of such acts.
Financial Loss - Any direct or indirect financial losses attributable to the Stolen Identity Event, including but not limited to, money stolen from a wallet, unauthorized purchases of retail goods or services online, by phone, mail or directly.
Pre-existing Stolen Identity Event Limitations – Any circumstance wherein the
Business - The theft or unauthorized or illegal use of any business name, DBA or any other method of identifying business (as distinguished from personal) activity.
Third Parties not Subject to U.S. or Canadian Law - Restoration Services do not remediate issues with third parties not subject to United States or Canadian law that have been impacted by an individual’s Stolen Identity Event, such as financial institutions, government agencies, and other entities.