Schedule B

Fraud Solutions Professional Services Agreement - Schedule B

Kroll Background America, Inc.


Section I: Data Breach Preparedness Program

For the duration of Attachment 2 of the Agreement, Kroll shall provide the University ("University," "Client," or "You") a comprehensive program of assessment, training, planning, and updates to mitigate the risk of a data breach and prepare for a response if needed. Notwithstanding anything to the contrary in the Agreement, access to and use of the Data Breach Preparedness Program, and all components thereof, is subject to the terms of the End User License, a copy of which is attached hereto as Exhibit A.

The Data Breach Preparedness Program includes the following components, which are accessible via a CD-ROM unless otherwise noted:

     A.Breach Preparedness Guide
When you implement Kroll's Breach Preparedness Program, the first thing you will receive is the Breach Preparedness Guide, which is an essential tool and the touchstone for the program. The guide is presented in both hard copy (binder) and electronically (CD). The binder establishes both a reference source and a central location to document processes for a breach event. The CD can be used for working versions of the program components. The binder is organized for ease of use, with tabs for each component of the program and readily available contact information.
     B.Risk Assessment and Consultation
The goal of the assessment is to highlight areas that may put your organization at risk for a data breach. The self-scoring assessment is performed by stakeholders identified within the organization. The results of this assessment are analyzed by one of Kroll's information security experts who then consult with the organization on the results. Kroll can help you institute an action plan based on the results that will help you guide your organization to a more secure, defensible position in the event a breach does occur. 
     C.Privacy Awareness Training
Employees represent the single best line of defense for detecting both breach events and the causes that lead to these events. Therefore, it’s important to provide continuing education training that gives them the knowledge base necessary to act as a privacy advocate for your organization. This employee training program delivers best practice instruction for handling sensitive information and the safeguards that must be used to minimize the risk of a data breach. Because the training is in electronic format, it can be deployed by either providing employees with a hyperlink or incorporating into your existing platform. Because of the regulation surrounding personal health information, Kroll also provides privacy awareness training specific to healthcare and protecting PHI as well.
     D.Security Awareness Tools
Keeping privacy and security top of mind for all employees can be a very difficult task that sometimes requires even daily reminders to reinforce what employees already know – they must act as privacy advocates for the entire organization. To that end, you’ll receive tools that include confidentiality memoranda, certificates for acknowledging confidentiality memos and completed training, security awareness posters, and other tools that can be used as-is, or customized by the organization as needed to further raise awareness.
     E.Red Flags Rule Training
If you are considered a covered entity under the Federal Trade Commission’s (FTC) Red Flags Rule, Kroll provides a training program that informs employees of their responsibilities in identifying, detecting, and responding to identity theft red flags, as identified by the organization, as well as how each employee contributes to overall organizational compliance. The format is electronic, so it can be deployed similar to the privacy awareness training.
     F. Red Flags Rule Program Guide
In order to be compliant, all organizations subject to the Red Flags Rule must develop and implement a formal, written and revisable “identity theft prevention program” to detect, prevent, and mitigate identity theft. This customizable Red Flags Rule Program Guide simplifies the process through a template document that contains educational material, guidance on various necessary components, and ultimate design flexibility to create the program that is appropriate to your organization’s size and potential risks of identity theft.
Kroll is committed to providing direct support and direct access when you need it most – this is a Kroll differentiator and a key value point for the Breach Preparedness Program. The best way to complete the mission-critical tasks intrinsic to the program is to keep the lines of communication open, through regular communication and access to your dedicated Kroll specialists. Your client manager will communicate with you on a regular basis concerning milestones within the program that will help keep your organization up-to-date and on task.
     H.Best Practice Materials
From the beginning, you’ll receive best practices material already included in the virtual guide on your CD. You’ll also receive monthly communications, including a Kroll newsletter, and have direct access to valuable information and materials – like our Legislative Library – through the client portal.
     I.The Kroll Team
You’ll receive support from Kroll's entire network of specialists, at your disposal to address any potential risk-oriented need. Your immediate, personal contact begins with a client executive as well as a client manager, who will be available whenever you have questions about your program and will be a constant source of communication. The client manager can facilitate your consultation with our information security experts, who have decades of experience solving problems ranging from data forensics to physical security. This team will also be ready to spring into action in the event sensitive data is breached. Your organization can be confident knowing that, in the event of a breach, Kroll stands ready to immediately consult, notify, and resolve issues

Section II: Data Breach Management Services

     A.Member Enrollment, Notification and Solution Support Center Access
Kroll will provide for the preparation and mailing to the residential addresses of all of those individuals whose names are on the Initial List furnished by the University to Kroll, an Initial Notice, as defined in the Agreement. The Initial Notice is in the general form attached as Exhibit "A' to the Agreement. The Initial Notice shall be mailed by Kroll to each person on the Initial List. This mailing will occur no later than 10 business days after the University notifies Kroll in writing to begin the mailing. [Note to Mark: This is covered in the first section of the agreement.]
A toll-free phone number provided by Kroll and staffed by a Kroll support team is incorporated into the notification to provide Members access to an experienced team to address questions about the service being provided as well as general questions about identity theft. The support team will be knowledgeable about the breach event to the extent included in the finalized notification letter and able to address specific questions about the Services being provided.
The Solution Support Center is the focal point for all calls and callers are triaged based on need. The Solution Support Center is staffed from 8 am to 5 pm, Central Standard Time, Monday through Friday excluding major holidays.

     B.Member Services

1. Continuous Credit Monitoring

Single Bureau Online Continuous Credit Monitoring
Kroll will provide access to single bureau credit monitoring from Experian for the duration specified in Attachment 2 of the Agreement to each Member, if such services are ordered online or via mail by each Member within seventy-five (75) days of the date of Notification mailing. During the claim submission timeframe, members wishing to submit their claim online, will go to and input the Membership id, last name, and zip code as it appears in the notice to gain access to the credit authorization questions which successfully answered will complete their claim for services. Members unable to answer the authentication questions will be directed to the Solution Support Center to manually complete their authorization and complete their claim, giving them access to credit services. During the claim submission timeframe, members wishing to submit their claim offline, will call the Solution Support Center, indicate the member doesn’t have access to a computer and a Credit Authorization form and Business Reply Envelope will be provided via mail. Member will complete and return the form which will complete their claim, giving them access to credit services through the mail. Credit activity involving a new inquiry, new trade line, new derogatory, new public record or change of address will be reported promptly to the Member via email or reported monthly via USPS mail. Monitoring does not affect an individual’s credit score nor does it appear as a hard inquiry on his or her credit report when the credit report is accessed by a third party. Kroll will report the credit activity via email in most cases within 48 hours of receipt or reported monthly via USPS mail.

Credit Specialist Consultation
Upon phoning in via a toll-free number to the Solution Support Center and voicing a non-fraud related question regarding a Member's credit monitoring, the person will be validated and transferred to a credit specialist. The credit specialist’s role is to provide customer service to individuals who have received copies of the credit monitoring alerts and have questions. The credit specialist will answer questions regarding details on the credit report and will open a dispute file if the person feels their credit report contains inaccurate information.  If necessary, credit specialists will also perform a verbal authentication of the person’s identity in order to release their credit reports for online display. Credit Specialist support is available only when credit monitoring is utilized by the Member.

Credit Services Terms and Exclusions
Minors and Deceased Individuals are fundamentally excluded from receiving credit and monitoring services through this program.
Credit services are based upon consumer credit activity occurring in the United States of America.
US citizens who live abroad (expatriates) and no longer have a US residential address are typically unable to receive or validate credit monitoring alerts.

2.Consultation Services
If the Member's situation appears fraud related or identity-theft related following a conversation with the consumer Solution Support Center, the call will be immediately directed to a Licensed Investigator at Kroll's Investigation and Restoration Center. The Licensed Investigator is able to help further identify the nature of the fraud and will assist the Member with gathering and completing necessary documents. They will also further advise the Member about resources, processes, and next steps for the individual's identity recovery work. If there is a case of identity theft, the investigator will recommend that a case be opened regarding restoration. Kroll's Licensed Investigators will be available to answer questions regarding ID Theft and Fraud issues from 7am to 7pm Central Standard Time, Monday through Friday excluding major holidays.

All Members receive access to the following consultative services:
Access to fraud investigators for questions regarding ID theft issues
The latest information on current trends related to ID theft and fraud issues
Recommended steps to reduce ID theft exposure
Attempt to confirm identity fraud and its severity
Investigate the Member's name & Social Security number to identify fraudulent activity
Consult on best practices for the use of a consumer’s Social Security number and Personal Identifying Information (PII)
Discuss best practices for financial transactions
Consult on best practices for consumer privacy
Discuss tactics and best practices while shopping and communicating online
Provide the knowledge to best protect the member from ID Theft using their rights under federal and state law
Help members interpret and analyze their credit report
Consult with members regarding a public record inquiry or background search
Credit Freeze consultation
Provide best practices and consultation regarding Email/Phishing and Pharming
Consultation on common scams and schemes
Consultation and education on Criminal and Medical Identity Theft
Discovery and consultation on Deceased and Minor Identity Theft
With Member's permission, facilitate the placement of 90-day fraud security alerts with credit reporting agencies. If permission is not given, provide a list of contact phone numbers for placing fraud alerts
Provide the contact information for the following agencies for notification of fraud when applicable:
Federal Trade Commission
Social Security Administration
United States Postal Service
Medical Information Bureau

Consultation Services are limited to the solutions, best practices, legislation, and established industry and organizational procedures in place in the United States and Canada.

3.Identity Theft Restoration Services
Kroll will determine whether the Member is: (a) a confirmed victim of identity theft or (b) in imminent danger of becoming a victim of identity theft.  Restoration services (as such services are described herein) will be performed when the Member has a valid identity theft issue and the genesis of the issue occurred after the date of the Data Breach Event.  UH will not approve or review these cases but will expect Kroll to perform its restoration services (as such services are described herein) for all such cases based on Kroll's determination as described above.

Kroll's Licensed Investigators perform the bulk of the restoration work required to attempt to restore the Member's identity to pre-theft status. The following list outlines Kroll's typical identity restoration process. Please note that each case is different and Kroll investigators will typically address a variety of other issues during a restoration case.

Within 24 hours of receiving a fully executed Limited Power of Attorney and copies of the Member's social security card, driver’s license, identity theft police report and most recent utility statement – complete with the Member's current name and address – Kroll shall:
Issue fraud alerts to the Social Security Administration (SSA), the Federal Trade Commission (FTC), and the U.S. Postal Service (USPS)
Place/confirm that 90 day fraud security alerts have been placed with the three credit bureaus

After receiving the Credit Authorization Form, Kroll shall:
Provide access to the Member's credit report
Review credit history and verify if fraud includes items such as:
Public records: Liens, judgments, bankruptcies
Credit accounts: New and/or derogatory
Prior employment
Issue Fraud Alert and notification of fraud dispute—Work with affected financial institutions, collection agencies, check clearinghouse companies, landlords and property managers, and/or credit card companies, where warranted.
Issue Fraud Victim Statements—Work with all three credit bureaus to restore credit accuracy and place seven-year fraud victim statements with the permission of the victim.

Where warranted, Kroll shall:
Search victim’s local county criminal data to detect criminal activity being committed in customer’s name
Use the U.S. Criminal Records Indicator to search a wide variety of national criminal databases
Search victim’s State Department of Motor Vehicle (DMV) records
Perform a Social Security trace to look for additional addresses that may be attached to the victim’s name
Perform a Social Security Death Index search to determine if the victim has been submitted to Social Security Administration as dead for insurance fraud or other reasons
Perform a check-clearinghouse search to determine if victim’s name has been submitted as having been involved in fraudulent banking activities
Notify the DMV and instruct victim on proper procedures in dealing with the DMV
Notify and work with creditors who have extended credit due to misuse of the victim’s identifying information
Notify and work with the collection agencies of those creditors
Notify and work with law enforcement personnel, both local and federal
If disputes are not resolved according to the victim’s rights, escalate disputes to the appropriate government/regulatory agencies, including:
Federal Trade Commission
State Attorney General office by state
Association of Collection Professionals International
Comptroller of the Currency
Federal Reserve Bank
Office of Thrift Supervision
Office of the Inspector General
Provide the additional assistance of investigators who can reasonably assist based on the victim’s issues

In all cases, Kroll provides:
120-day credit bureau report follow-ups
Subscriber updates

Identity Theft Restoration Service Exclusions
The following are excluded from the Services:

Legal Remedy - Any Stolen Identity Event where the Member is unwilling to prosecute or otherwise bring a civil or criminal claim against any person culpable or reasonably believed to be culpable for the fraud or its consequences.

Dishonest Acts - Any dishonest, criminal, malicious or fraudulent acts, if the Member(s) that suffered the fraud personally participated in, directed or had knowledge of such acts.

Financial Loss - Any direct or indirect financial losses attributable to the Stolen Identity Event, including but not limited to, money stolen from a wallet, unauthorized purchases of retail goods or services online, by phone, mail or directly.

Pre-existing Stolen Identity Event Limitations – Any circumstance wherein the
Member had knowledge of, or reasonably should have had knowledge of a pre-existing Stolen Identity Event based on information provided to them prior to enrollment in the program.

Business - The theft or unauthorized or illegal use of any business name, DBA or any other method of identifying business (as distinguished from personal) activity.

Third Parties not Subject to U.S. or Canadian Law- Restoration Services do not remediate issues with third parties not subject to United States or Canadian law that have been impacted by an individual’s Stolen Identity Event, such as financial institutions, government agencies, and other entities.

4.Special Populations

Kroll provides Member Enrollment, Notification and Solution Support Center, Consultation Services, and Restoration Services. Notification is directed to the parent or legal guardian of any minor impacted by an event. All Services must be initiated, managed, and maintained by the parent or guardian of the minor.

B.Deceased Individuals
Kroll provides Member Enrollment, Notification and Solution Support Center, Consultation Services, and Restoration Services. The notification is directed to the estate of the deceased individual. All Services must be initiated, managed, and maintained by appropriate legal authority and representative of the estate.