FERPA & Red Flag Rule

FERPA

ONFIDENTIALITY OF STUDENT RECORDS

The Family Educational Rights and Privacy Act of 1974 (FERPA) gives students certain rights,
consistent with the privacy of others, to review records, files and data held about them on an
official basis by MERCAZ HATORAH OF BELLE HARBOR and also gives students the right to
challenge the content of those records, files and data which they believe to be misleading,
inaccurate or otherwise in violation of their privacy and other rights. Disclosure of information in
educational records to persons within or outside of MHBH requires written consent of the
student. The written consent must be signed and dated and include a specification of the records
to be disclosed, the purpose of disclosure, and the party to whom the disclosure may be made.

Specifically, the student’s rights under FERPA include the following:

A: THE RIGHT TO INSPECT AND REVIEW THE STUDENT’S EDUCATIONAL RECORDS WITHIN 45 DAYS OF THE DAY MHBH RECEIVES A REQUEST FOR ACCESS. STUDENTS SHOULD SUBMIT TO THE REGISTRAR, DEAN, OR OTHER APPROPRIATE OFFICIAL, WRITTEN REQUESTS THAT IDENTIFY THE RECORD(S) THEY WISH TO INSPECT. THE SCHOOL OFFICIAL WILL MAKE ARRANGEMENTS FOR ACCESS AND NOTIFY THE STUDENTS OF THE TIME AND PLACE WHERE THE RECORDS MAY BE INSPECTED. IF THE RECORDS ARE NOT MAINTAINED BY THE SCHOOL OFFICIAL TO WHOM THE REQUEST WAS SUBMITTED, THAT OFFICIAL SHALL ADVISE THE STUDENT OF THE CORRECT OFFICIAL TO WHOM THE REQUEST SHOULD BE ADDRESSED.

MHBH reserves the right to refuse to permit a student to inspect the following records:

1. The financial statement of the student’s parents.
2. Letters and statements of recommendation for which the student has waived his or her
right of access, or which were placed in file before January 1, 1975.
3. Records connected with an application to attend MHBH, if that application was denied.
4. Those records which are excluded from the FERPA definition of education record.

B: THE RIGHT TO REQUEST THE AMENDMENT OF THE STUDENT’S EDUCATION RECORDS THAT THE STUDENT BELIEVES ARE INACCURATE OR MISLEADING. STUDENTS MAY ASK MHBH TO AMEND A RECORD THAT THEY BELIEVE IS INACCURATE OR MISLEADING. THEY SHOULD WRITE THE SCHOOL’S OFFICIAL RESPONSIBLE FOR THE RECORD, CLEARLY IDENTIFYING THE PART OF THE RECORD THEY WANT CHANGED, AND SPECIFY WHY IT IS INACCURATE OR MISLEADING. IF THE SCHOOL DECIDES NOT TO AMEND THE RECORD, AS REQUESTED BY THE STUDENT, THE SCHOOL WILL NOTIFY THE STUDENT OF THE DECISION AND ADVISE THE STUDENT OF HIS RIGHT TO A HEARING REGARDING THE REQUEST FOR THE AMENDMENT. ADDITIONAL INFORMATION REGARDING THE HEARING PROCEDURES WILL BE PROVIDED TO THE STUDENT WHEN NOTIFIED OF THE RIGHT TO A HEARING.

The following educational records are maintained by MHBH and are considered subject to this
law:

1. Admissions Records – maintained by the Office of Admissions.
2. Academic Transcripts – maintained by the Office of the Registrar.
3. Financial Records – maintained by the tuition and business offices.

C: THE RIGHT TO CONSENT TO DISCLOSURES OF PERSONALLY IDENTIFIABLE INFORMATION CONTAINED IN THE STUDENT’S EDUCATIONAL RECORDS, EXCEPT TO THE EXTENT THAT FERPA AUTHORIZES DISCLOSURE WITHOUT CONSENT.

One exception which permits disclosure without consent is disclosure to school officials with
legitimate educational interests. A school official is a person employed by the school in an
administrative, supervisory, academic or research, or support staff position (including law
enforcement unit personnel and health staff); a person or company with whom the school has
contracted (such as an attorney, auditor, or collection agent); a person serving on the Board of
Trustees; or a student serving on an official committee, such as a disciplinary or grievance
committee, or assisting another school official in performing his or her tasks.

A school official has a legitimate educational interest if the official needs to review an education
record in order to fulfill his or her professional responsibility.

Upon request, the school discloses education records without consent to officials of another
school in which a student seeks or intends to enroll.

D: THE RELEASE OF DIRECTORY TYPE INFORMATION TO THIRD PARTIES OUTSIDE THE INSTITUTION, WITHOUT WRITTEN CONSENT OF THE STUDENT, PROVIDED THAT THE STUDENT HAS BEEN GIVEN THE OPPORTUNITY TO WITHHOLD SUCH DISCLOSURE. MHBH, AT ITS DISCRETION, WILL RELEASE THE FOLLOWING AS DIRECTORY INFORMATION: STUDENT’S NAME, COLLEGE, CLASS, MAJOR, DATES OF ATTENDANCE, DEGREES RECEIVED. STUDENTS WHO DO NOT WISH THIS
INFORMATION TO BE RELEASED OUTSIDE OF THE SCHOOL MUST SUBMIT WRITTEN NOTICE TO THE OFFICE OF THE REGISTRAR.

With the exception of directory information, MHBH does not permit access to or the release of
education records without written consent of the student, other than the following : (a) to MHBH
officials, including faculty, who require such records in the proper performance of their duties;
(b) in connection with the student’s financial aid; (c) to organizations conducting studies for
educational or governmental agencies (in which case individual students are neither identified
nor identifiable); (d) U.S. government agencies as listed in Public Law 93-380; (e) parents of a
dependent student as defined in the Internal Revenue Code of 1954; (f) accrediting agencies; (g)
appropriate persons in connection with an emergency if the knowledge of such information is
necessary to protect the health or safety of a student or any other person.

E: THE RIGHT TO FILE A COMPLAINT WITH THE U.S. DEPARTMENT OF EDUCATION CONCERNING ALLEGED FAILURES BY MHBH TO COMPLY WITH THE REQUIREMENTS OF FERPA.

The name and address of the Office that administers FERPA are:

Family Policy Compliance Office/U.S. Department of Education/600 Independence Avenue,
SW/Washington, DC 20202-4605

Red Flag Rule

Red Flag Identity Theft Prevention Program

The Federal Trade Commission (FTC) issued a regulation known as the Red Flag Rule (Sections
114 and 315 of the Fair and Accurate Credit Transactions Act), to be implemented no later than
May 1, 2009 that is intended to reduce the risk of identity theft. This policy is intended to detect,
prevent, and mitigate opportunities for identity theft at Yeshiva Mercaz Hatorah of Belle Harobor
(YMHBH). The Red Flag Rule applies to YMHBH because YMHBH offers or maintains covered
accounts.

Identity theft is fraud committed or attempted using the identifying information of another
person without authority.

A covered account includes all student accounts of loans that are administered by the Rabbinical
Seminary.

A red flag is a pattern, practice or specific activity that indicates the possible existence of identity
theft.

Personally, identifiable information includes the first, middle or last name in combination with
the following items whether stored in electronic or printed format: Consumer’s Date of Birth,
Address, Telephone or wireless numbers, Social Security number, Government-issued
identification number, Maiden name, or Account number. Also included is Credit card
information or Medical information for any customer.

Existing Policies and Practices
Many offices at YMHBH maintain files, both electronic and paper, of student biographical,
academic, health, financial, and admission records. These records may also include student billing
information, Perkins Loan records, and personal correspondence with students and parents.
Compliance with Gramm-Leach –Billey Act (GLB), Family Educational Rights and Privacy Act
(FERPA), and Payment Card Industry security standards (PCI), system and application security,
and internal control procedures provides an environment where identity theft opportunities are
mitigated. Records are safeguarded to ensure the privacy and confidentially of students, parents,
alumni and employees.

Parents may obtain information with a signed FERPA release form submitted by the student at
the discretion of the institution. Staff who have access to data have been versed on the FERPA
regulations that state information is not provided unless approved in writing.
The student is required to give written authorization to the Registrar’s Office if their information
is permitted to be shared with another party. A FERPA disclosure statement is available to
students informing them of their rights under FERPA.

Occasionally, YMHBH will extend short term credit to a student for payment of their bill which
thus creates a covered account. If we receive information of an address change (which is a red
flag), we verify the change by contacting the student before making the change in the system.
Access to non-directory student data in our system is restricted to those employees of the
YMHBH with a need to properly perform their duties. These employees are trained to know
FERPA and “Red Flag” regulations.

Social Security numbers are not used as identification numbers and these data are classified as
non-directory student data.

All paper files are required to be maintained in locked filing cabinets when not in use. All offices,
when not occupied are to be locked.
Staff is required to report all changes in name, address, telephone or marital status to the
Administrative Office as soon as possible; they also must periodically verify those persons listed
as contacts in case of emergency, and those persons designated as beneficiaries to life and/or
retirement policies.

YMHBH is sensitive to the personal data (unlisted phone numbers, dates of birth, etc.) that it
maintains in its personnel files and databases. We will not disclose personal information, except
by written request or signed permission of the employee, or unless there is a legitimate business
“need-to-know”, or if compelled by law.

Every effort is made to limit the access to private information to those employees on campus
with a legitimate “need-to-know”. Staff who have approved access to the administrative
information databases understand that they are restricted in using the information obtained only
in the conduct of their official duties. The inappropriate use of such access and/or use of
administrative data may result in disciplinary action up to, and including dismissal from YMHBH.
YMHBH’s official personnel files for all employees are retained in the office. Employees have the
right to review the materials contained in their personnel file.

Detecting Red Flag Activity
• Address discrepancies
• Presentation of suspicious documents
• Photograph or physical description on the identification consistent with the appearance
of the person presenting the identification
• Personal identifying information provided is not consistent with other personal
identifying information on file with YMHBH
• Documents provided for identification that appear to have been altered or forged
• Unusual of suspicious activity related to covered accounts
• Notification from students, borrowers, law enforcement, of service providers of unusual
activity related to a covered account
• Notification from a credit bureau of fraudulent activity
• FAFSA fraud alert

Responding to Red Flags
Should and employee identify a “red flag” (patterns, practices and specific activities that signal
possible identify theft), they are instructed to bring it to the attention of the Administrative Office
immediately. The administrator will investigate the threat of identity theft to determine if there
has been a breach and will respond appropriately to prevent future identity theft breaches.
Additional actions may include notifying and cooperating with appropriate law enforcement and
notifying the student or employee of the attempted fraud.

Oversight of service providers
Mercaz Hatorah of Belle Harbor currently does not employ outside contractors for administrative
functions.

Administration of the Program
The Executive Director of YMHBH shall be responsible for the development, implantation,
oversight and continued administration of the Program. Operatio0nal responsibility of the
Program will be delegated to appropriate employees as selected by the Executive Director.

Periodic Update of Plan
This policy will be re-evaluated on or about the first day of each calendar year to determine
whether all aspects of the program are up to date and applicable in the current business
environments, and revised as necessary.

Copyright Policy

Copyright infringement is the act of exercising, without permission or legal authority, one or more of the exclusive rights granted to the copyright owner under section 106 of the Copyright Act (Title 17 of the United States Code). These rights include the right to reproduce or distribute a copyrighted work. In the file-sharing context, downloading or uploading substantial parts of a copyrighted work without authority constitutes an infringement. Penalties for copyright infringement include civil and criminal penalties. In general, anyone found liable for civil copyright infringement may be ordered to pay either actual damages or “statutory” damages affixed at not less than $750 and not more than $30,000 per work infringed. For “willful” infringement, a court may award up to $150,000 per work infringed. A court can, in its discretion, also assess costs and attorneys’ fees. For details, see Title 17, United States Code, Sections 504, 505. Willful copyright infringement can also result in criminal penalties, including imprisonment of up to five years and fines of up to $250,000 per offense. For more information, please see the website of the U.S. Copyright Office at www.copyright.gov.