LHU Identify Theft Prevention Program

Lock Haven University (“University”) developed this identity Theft Prevention Program
(“Program”) pursuant to the Federal Trade Commission's Red Flags Rule (“Rule”), which
implements Section 114 of the Fair and Accurate Credit Transactions Act of 2003. After
consideration of the size of the University's operations and account systems, and the
nature and scope of the University's activities, the Senior Administration determined that
this Program was appropriate for Lock Haven University, and therefore approved this
Program on May 1, 2009.

Purpose

The purpose of this policy is to establish an Identity Theft Prevention Program designed to
detect, prevent and mitigate identity theft in connection with the opening of a covered
account or an existing covered account and to provide for continued administration of the
Program. The Program shall include reasonable policies and procedures to:

1. Identify relevant red flags for covered accounts it offers or maintains and incorporate
those red flags into the program;
2. Detect red flags that have been incorporated into the Program;
3. Respond appropriately to any red flags that are detected to prevent and mitigate
identity theft; and
4. Ensure the Program is updated periodically to reflect changes in risks to Students and
to the safety and soundness of the creditor from identity theft.

The program shall, as appropriate, incorporate existing policies and procedures that control
reasonably foreseeable risks.

Definitions

Identify theft means fraud committed or attempted using the identifying information of
another person without authority.

A covered account means:

1. An account that a creditor offers or maintains, primarily for personal, family, or
household purposes that involves or is designed to permit multiple payments or
transactions.
2. A red flag means a pattern, practice or specific activity that indicates the possible
existence of identity theft.

Covered Accounts

Lock Haven University has identified five types of accounts, two of which are covered
accounts administered by the University and 3 that are accounts administered by service
providers.

University covered accounts:

1. LHU Foundation Loan Program
2. LHU Foundation Emergency Loan Program

Service provider covered account:

1. Tuition payment plan administered by TMS, refer to “Oversight of Service Provider
Arrangements” on page 4.
2. Federal Perkins Loan servicing administered by ECSI, refer to to “Oversight of Service
Provider Arrangements” on page 4.
3. Online payment portal provided by JPMC/Pay Connexion, refer to “Oversight of Service
Provider Arrangements” on page 4.

Identification of Relevant Red Flags

The Program considers the following risk factors in identifying relevant red flags for
covered accounts:

1. The types of covered accounts as noted above;
2. The methods provided to open covered accounts-- acceptance to the University and
enrollment in classes requires the all of
the following information:
a) Common application with personally identifying information
b) high school transcript
c) official ACT or SAT scores
d) letters of recommendation
e) Entrance Medical Record
f) medical history
g) immunization history
h) insurance card
3. The methods provided to access covered accounts:
a) Disbursement obtained in person require picture identification
b) Disbursements obtained by mail can only be mailed to an address on file
4. The University's previous history of identity theft.

The Program identifies the following red flags:

1. Documents provided for identification appear to have been altered or forged;
2. The photograph or physical description on the identification is not consistent with the
appearance of the student presenting the
identification;
3. A request made from a non-University issued E-mail account;
4. A request to mail something to an address not listed on file; and
5. Notice from customers, victims of identity theft, law enforcement authorities, or other
persons regarding possible identity theft in connection with covered accounts.

Detection of Red Flags

The Program will detect red flags relevant to each type of covered account as follows:

1. LHU Foundation Loans, including Emergency loan - Requests must be made in
person by presenting a picture ID or in writing from the student's University issued
e-mail account. The loan check can only be mailed to an address on file or picked up
in person by showing picture ID. Red Flag - Picture ID not appearing to be authentic
or not matching the appearance of the student presenting it. Request not coming from
a student issued e-mail account.
2. Third Party Service Providers � Students must contact an outside service provider
and p rovide personally identifying information to them. Red Flag � none, see Oversight
of Service Provider Arrangements.

Response

The Program shall provide for appropriate responses to detected red flags to prevent and
mitigate identity theft. The appropriate responses to the relevant red flags are as follows:

1. Deny access to the covered account until other information is available to eliminate
the red flag;
2. Contact the student;
3. Change any passwords, security codes or other security devices that permit access
to a covered account;
4. Notify law enforcement; or
5. Determine no response is warranted under the particular circumstances.

Oversight of the Program

Responsibility for developing, implementing and updating this Program lies with the Vice
President for Finance & Administration. The Program Administrator will be responsible for
the program administration, for ensuring appropriate training of University's staff on the
Program, for reviewing any staff reports regarding the detection of Red Flags and the
steps for preventing and mitigating Identity Theft, determining which steps of prevention
and mitigation should be taken in particular circumstances and considering periodic
changes to the Program.

Updating the Program

This Program will be periodically reviewed and updated to reflect changes in risks to
students and the soundness of the University from identity theft. At least once per year
in March, the Program Administrator will consider the University's experiences with identity
theft, changes in identity theft methods, changes in identity theft detection and
prevention methods, changes in types of accounts the University maintains and changes
in the University's business arrangements with other entities. After considering these
factors, the Program Administrator will determine whether changes to the Program,
including the listing of Red Flags, are warranted. If warranted, the Program Administrator
will update the Program.

Staff Training

University staff responsible for implementing the Program shall be trained either by or under
the direction of the Program Administrator in the detection of Red Flags, and the responsive
steps to be taken when a Red Flag is detected.

Oversight of Service Provider Arrangements

The University shall take steps to ensure that the activity of a service provider is
conducted in accordance with reasonable policies and procedures designed to detect,
prevent and mitigate the risk of identity theft whenever the organization engages a service
provider to perform an activity in connection with one or more covered accounts.

Currently the University uses ECSI to service the Perkins Loan program, TMS as its payment
plan provider, and JPMC/Pay Connexion as its online payment provider. Students contact
these providers directly through their websites or by telephone and provide personally
identifying information to be matched to the records that the University has provided to them.

August 2010