大学政策3011

弗吉尼亚法典第23条.第1-1301条，经修正，授予访问委员会制定有关该机构的规则和政策的权力. 第六节.第01(a)(6)条 访客委员会章程 授权校长执行董事会与大学运作有关的政策及程序.

Rules issued by the Federal Trade Commission pursuant to the Fair Credit Reporting Act ("FCRA") 15 U.S.C. §1681

Regulations issued by the Federal Trade Commission, Electronic Code of Federal Regulations, Title 16, Part 681

• 弗吉尼亚法典第18条.2-186.3、身份盗窃
• 参观委员会 Policy 1601 - 身份盗窃 Protection

覆盖帐户 - All student accounts or loans administered by the University.

信贷交易 -学校贷款、延期付款或向个人提供信贷的任何交易.

借记卡 -任何允许余额下降和/或刷新用于购买交易的卡.

身份盗窃 -未经授权使用他人的个人身份信息(PII)的欺诈行为.

Personally Identifiable Information (PII) - Any information used to identify a specific person, 包括, 但不限于, 名字, address, and telephone number when combined with social security number, 出生日期, government-issued numbers (such as passport, 驾照, alien registration or taxpayer identification), 病历编号, 或唯一的电子号码或帐户号码与任何所需的安全码组合, 存取码或密码, or unique biometric data such as fingerprint, 声纹, 或者视网膜或虹膜图像.

红旗 -一个理性的人应该怀疑他们可能在与使用他人身份的个人进行交易. 表明可能存在身份盗窃的模式、做法或特定活动.

Suspicious Activities Report (SAR) -当大学员工遇到危险信号时，报告可疑活动. 报告应以书面形式提交给副财务总监，并应具体说明所涉及的一方或多方, 制造危险信号的行为, 以及由于可疑行为而采取的行动或拒绝采取的行动.

本政策适用于所有通过大学支付工资的员工和附属组织的员工. 员工包括所有员工, 管理员, 教师, 全职或兼职, and classified or non-classified persons who are paid by the University. 附属组织是通过运营协议为大学利益而存在的独立实体，包括基金会, the 社区 Development Corporation, 及校友会.

bet8体育娱乐入口致力于遵守有关检测的联邦法规, prevention and mitigation of identity theft. 根据公平信用报告法(FCRA)和随后的2007年“危险信号规则”, 大学必须建立和维护一个身份盗窃保护计划(以下简称“计划”)来检测, 防止和减少与新账户和现有账户相关的身份盗窃.

此政策适用于影响不同大学选区的三个申请. 第一个应用发生在使用犯罪背景调查来雇用个人. The second application occurs in any credit transaction. 第三种应用发生在借记卡的发行、补发或充值.

大学内各部门或单位进行背景调查或进行任何信贷或借记交易时，应制定合理的书面政策和程序，以便:

1. 识别新账户和现有账户的相关危险信号，并将这些危险信号纳入计划;

2. Detect 红旗s that have been incorporated into the Program;

3. Respond appropriately to any 红旗s that are detected to prevent and mitigate identity theft; and

4. 确保该计划至少每年进行一次审查，以识别和解决学生面临的风险变化, 员工, and/or 求职者s or to the safety and soundness of the student, 员工, and/or 求职者 from identity theft.

1. 识别危险信号

   In order to identify relevant 红旗s, 大学考虑其提供和维护的帐户类型, methods it provides to open its accounts, methods it provides to access its accounts, and its previous experiences with identity theft. 在列出的每个类别中，大学确定了以下危险信号:

   1. Notifications and Warnings from Reporting Agencies

      红色标记:

      1. 收到回应报告要求的地址不符通知;

      2. Non-approval of a credit transaction due to possible fraudulent usage.

   2. 可疑的文件

      红色标记:

      1. 伪造、变造或者不真实的身份证明文件、证件;

      2. 本人的照片或者外貌与出示证件的人不一致的身份证件或者证件;

      3. 其他与现有学生信息不一致的文件, 雇员或求职者 information; and

      4. Application for service that appears to have been altered or forged.

   3. Suspicious Personally Identifiable Information (PII)

      红色标记:

      1. PII presented that is inconsistent with other information the student, 雇员或求职者 provides (example: inconsistent birth dates);

      2. PII与其他信息来源不一致(例如, an address not matching an address on a loan application);

      3. 呈报的个人资料，与其他被发现为欺诈的申请所呈报的资料相同;

      4. 提供的个人信息与欺诈活动一致(例如无效的电话号码或虚构的账单地址);

      5. 出示的社会安全号码与另一名学生出示的号码相同, 雇员或求职者;

      6. 地址:与另一个人相同的地址或电话号码;

      7. A person fails to provide complete PII on an application when reminded to do so; and

      8. 一个人的PII是不一致的信息，是为学生存档, 雇员或求职者.

   4. Suspicious 覆盖帐户 Activity or Unusual Use of Account

      红色标记:

      1. 更改帐户的地址，然后要求更改学生，员工的地址, 或求职者的 名称;

      2. Payments stop on an otherwise consistently up-to-date account;

      3. Account used in a way that is not consistent with prior use;

      4. 发给学生、员工或求职者的邮件，多次被退回无法送达;

      5. Notice to the University that a student, 员工 or 求职者 is not receiving mail sent by the University;

      6. Notice to the University that an account has unauthorized activity;

      7. Breach in the University's computer system security involving PII; and

      8. Unauthorized access to or use of student account information.

   5. 来自他人的提醒

      红色标记:

      Notice to the University from a student, 员工, 求职者, 身份盗窃受害者, 执法人员或大学为从事身份盗窃的人开设或维持欺诈账户的其他人.

2. 检测危险信号

   1. 招生

      以便检测上述与学生注册相关的任何危险信号, 大学人员将采取以下步骤获取和核实开户人的身份:

      1. 需要某些PII，例如名称, 出生日期, 学习成绩, home address or other identification; and

      2. 在发放学生证时核实学生身份(检查驾照或其他政府颁发的带照片的身份证明).

   2. 现有的账户

      以便为现有的承保帐户检测上述识别的任何危险信号, 大学工作人员将采取以下步骤监控账户交易:

      1. 如果学生要求提供信息，核实其身份(当面), 通过电话, 通过传真, 通过电子邮件);

      2. Verify the validity of requests to change billing addresses by mail or email and provide the student a reasonable means of promptly reporting incorrect billing address changes; and

      3. 验证为帐单和付款目的而提供的银行信息的更改.

   3. Criminal Background Check Requests

      为了在需要犯罪背景报告的职位上发现上述任何危险信号, 大学工作人员将采取以下步骤协助识别地址差异:

      1. 需要 written verification from any job applicant that the address provided by the applicant is accurate at the time the request for the background check is made; and

      2. In the event that notice of an address discrepancy is received, verify that the background check pertains to the job applicant for whom the requested report was made.

3. Preventing and Mitigating 身份盗窃

   In the event University personnel detect any identified 红旗s, such personnel shall take one or more of the following steps, depending on the degree of risk posed by the 红旗:

   1. 预防和减轻:

      1. Continue to monitor a covered account for evidence of identity theft;

      2. 联系 the student, 员工 or job 申请人;

      3. 更改允许访问受保帐户的任何密码或其他安全装置;

      4. 不要开设新的承保帐户;

      5. Provide the student, 员工 or job applicant with a new identification number;

      6. 通知项目管理员确定应采取的适当步骤;

      7. 通知执法部门;

      8. File or assist in filing a Suspicious Activities Report ("SAR"); or

      9. 确定在特定情况下无需作出回应.

   2. Protect Personally Identifiable Information (PII):

      为了进一步防止有关账户发生身份盗窃的可能性, 大学会就其内部操作程序采取以下步骤，以保护个人资料:

      1. 确保包含个人资料的网站是安全的，或提供网站不安全的明确通知;

      2. 确保完整和安全地销毁包含学生的纸质文件和计算机文件, 员工 or 求职者 account information when a decision has been made to no longer maintain such information; ensure that those records containing PII are destroyed within six months of the expiration of their retention period;

      3. 确保计算机系统遵循IT安全程序，并检查处理个人身份信息的系统是否存在风险, 适当的分类, and that appropriate controls are used;

      4. Avoid use of social security numbers;

      5. 需要 and keep only the kinds of student, 员工 and job applicant information that are necessary for University purposes; and

      6. 坚持 Information 技术服务 (ITS) Standard 2.3.0, Data 政府 and Classification, for all PII maintained in any electronic format.

4. 项目管理

   1. 监督

      开发责任, 执行和更新本计划由副总监负责.

   2. 员工培训及报告

      Each department or unit that conducts background checks, 负责发放借记卡或信用卡交易，确保员工接受必要的培训, to effectively implement the Program. 一旦大学员工意识到身份盗窃事件或大学未能遵守本计划，他们应通知副财务总监.

      大学内进行背景调查的各部门或单位, 每年(11月1日前)应向副总监提供一份年度培训中使用的书面程序和签到表. 副财务主任应向审计委员会提供所有程序和培训的摘要，供其审查并提出建议, 如果有任何, of suggested changes to better identify and react to 红旗s.

   3. 服务提供者安排

      如果大学聘请服务提供商执行与一个或多个覆盖帐户相关的活动, 大学将采取以下步骤，以确保服务提供者按照合理的政策和程序执行其活动，旨在检测, prevent and mitigate the risk of identity theft.

      1. 需要, 契约式, that service providers have such policies and procedures in place; and

      2. 需要, 契约式, 服务提供商审查大学的计划，并将任何危险信号报告给副总监或负责监督服务提供商关系的大学员工.

   4. 程序更新

      副总监将定期审查和更新该计划，以反映学生面临的风险变化, 员工与工作 申请人. 这样做的时候, 副财务主任将考虑大学处理身份盗窃事件的经验, 身份盗窃方法的变化, changes in identity theft detection and prevention methods, and changes in the University's business arrangements with other entities. 在考虑了这些因素之后, the Associate Controller will determine whether changes to the Program, 包括红旗公司的名单, 是必要的. If warranted, the Associate Controller will update the Program.

适用的记录必须保留三年，然后按照 联邦记录保留计划102，系列012103(财务账户报告).

Assistant Vice 总统 for Finance/University Controller

• University Policy 1002 - Code of Ethics
• University Policy 1003 - University Responsibility for Compliance
• University Policy 3002 - 权威 of Internal Audit Department