2.7.1 Identity Theft Protection
Revised: August 6, 2007
Edited for grammar: December 2013
As a result of the increasing instances of identity theft, the U.S. Congress passed the Fair and Accurate Credit Transactions Act of 2003 (FACTA), Public Law 108-159. This amendment to the Fair Credit Reporting Act dictated that the Federal Trade Commission (FTC) promulgate rules to address identity theft. The rules promulgated by the FTC (Red Flag rules) require any financial institution and creditor that holds any type of consumer account or other account for which a potential risk of identity theft exists to create and implement a written Identity Theft Prevention Program in order to tackle identity theft associated with new and existing accounts. This Identity Theft Prevention Program is appropriate to the size and complexity of the College and the nature and scope of the College activities.
The College adopts this Identity Theft Prevention Program to enact reasonable policies and procedures to protect students and College employees from damages associated with the compromise of sensitive personal information.
- Creditor – Any organization, including community colleges, which regularly:
- extends, renews, or continues credit; or
- arranges for someone else to extend, renew, or continue credit; or
- is the assignee of a creditor involved in the decision to extend, renew, or continue credit.
- Credit – Deferral of payment of a debt incurred for the purchase of goods or services, including educational services
- Covered account – An account with a creditor used by individuals, families, or households which involves multiple payments to that creditor. Examples include emergency loan accounts, scholarships which could involve repayment if the terms of the scholarship are not met, and deferred payment accounts approved by a college’s trustees.
- Financial institution – Typically a bank, credit union, or other entity that holds for an individual an account from which the owner can make payments and transfers.
- Identifying information – Information which alone, or in combination with other information, can be used to identify a specific individual. Identifying information includes name, social security number, date of birth, driver’s license number, student identification card number, employer or taxpayer’s identification number, biometric data, unique electronic identification numbers, address or routing code, or certain electronic account identifiers associated with telephonic communications.
- Identity theft – A fraud attempt or committed using identifying information of another person without proper authority.
- Red Flag – A pattern, practice, or specific activity which indicates the possibility of identity theft.
- Sensitive information – Personal information belonging to any student, employee, or other person with whom the college is affiliated.
- Service provider – Person providing a service directly to the financial institution or creditor.
This protection program applies to employees and students at the college, including all personnel affiliated with third parties.
Identification of Relevant Red Flags
The College shall identify the relevant red flags for covered accounts. The red flags generally fall into the five categories listed below:
1. Alerts, notifications, or warnings from a consumer reporting agency;
2. Suspicious documents;
3. Suspicious personally identifying information, such as suspicious address;
4. Unusual use of – or suspicious activity relating to – a covered account; and
5. Notices from students, employees, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with a covered account.
Detecting Red Flags
The protection program shall address the detection of red flags in connection with the opening of covered accounts and existing covered accounts, such as by:
1. Obtaining identifying information about, and verifying the identity of, a person opening a covered account; and
2. Authenticating students and employees, monitoring transactions, and verifying the validity of change of address requests in the case of existing covered accounts.
Preventing and Mitigating Identity Theft
In the event that College personnel detect any identified red flags, such personnel shall take one or more of the following steps, depending on the degree of risk posed by the red flag:
1. Continue to monitor a covered account for evidence of Identity Theft;
2. Contact the student or applicant;
3. Change any passwords or other security devices that permit access to covered accounts;
4. Not open a new covered account;
5. Notify the Program Administrator for determination of the appropriate step(s) to take;
6. Notify law enforcement; or
7. Determine that no response is warranted under the particular circumstances.
In order to further prevent the likelihood of Identity Theft occurring with respect to covered accounts, the College will take the following steps with respect to its internal operating procedures to protect student identifying information:
1. Ensure that the college website is secure or provide clear notice that the website is not secure;
2. Ensure complete and secure destruction of paper documents and computer files containing covered account information when a decision has been made to no longer maintain such information;
3. Avoid use of social security numbers;
4. Ensure computer virus protection is up-to-date; and
5. Require and keep only the kinds of covered account information that are necessary for College purposes.
Responding to Detection of Red Flags
The College shall provide for appropriate responses to detected red flags. The appropriate responses to the relevant red flags are as follows:
1. Deny access to the covered account until other information is available to eliminate the red flag;
2. Contact the student or employee;
3. Change any passwords, security codes or other security devises that permit access to a covered account;
4. Notify law enforcement; or
5. Determine no response is warranted under the particular circumstances.
Update of Identity Theft Program
At periodic intervals, the program will be re-evaluated to determine whether all aspects are up-to-date and applicable in the current business environment. Periodic reviews will include an assessment of which accounts are covered by the program. As part of the review, red flags may be revised, replaced, or eliminated. Defining new red flags may also be appropriate. Actions to take in the event that fraudulent activity is discovered may also require revision to reduce damage to the College and its population.
- Program Oversight
The Executive Vice President shall serve as Program Administrator. The Program Administrator shall be responsible for these: program administration, appropriate training of College faculty/staff on the program, reviewing any reports regarding the detection of red flags, the steps for preventing and mitigating Identity Theft, determining which steps of prevention and mitigation should be taken in particular circumstances, and considering periodic changes to the program.
- Oversight of Service Providers
It is the responsibility of the College to ensure that the activities of all vendors are conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. A vendor that maintains its own identity theft prevention program, consistent with the guidance of the red flag rules and validation by appropriate due diligence, may be considered to be meeting these requirements. Any specific requirements should be specifically addressed in the appropriate contract agreements.