2.7.1 Identity Theft Protection

2.7.1 Identity Theft Protection

Revised: August 6, 2007; February 6, 2023
Edited for grammar: December 2013

Background 

As a result of the increasing instances of identity theft, the U.S. Congress passed the Fair and Accurate Credit Transactions Act of 2003 (FACTA), Public Law 108-159. This amendment to the Fair Credit Reporting Act dictated that the Federal Trade Commission (FTC) promulgate rules to address identity theft. The rules promulgated by the FTC (Red Flags Rule) requires many businesses and organizations to implement a written identity theft prevention program designed to detect the “red flags” of identity theft in their day-to-day operations, take steps to prevent the crime, and mitigate its damage..  

Purpose 

The College adopts this Identity Theft Prevention Program to enact reasonable policies and procedures to protect students and College employees from damages associated with the compromise of sensitive personal information. 

Definitions 

  1. The term “creditor” means any organization, including community colleges, that regularly and in the ordinary course of business:
    1. obtains or uses consumer reports, directly or indirectly, in connection with a credit transaction; or
    2. furnishes information to consumer reporting agencies in connection with a credit transaction; or advances funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person.
  2. The term “credit” means the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment, including educational services
  3. The term “covered account” means an account with a creditor used by individuals, families, or households which involves multiple payments to that creditor. Examples include emergency loan accounts, scholarships which could involve repayment if the terms of the scholarship are not met, and deferred payment accounts approved by a college’s trustees.
  4. The term “financial institution” means a bank, credit union, or other entity that holds for an individual an account from which the owner can make payments and transfers.
  5. The term “identifying information” means information which alone, or in combination with other information, can be used to identify a specific individual. Identifying information includes name, social security number, date of birth, driver’s license number, student identification card number, employer or taxpayer’s identification number, biometric data, unique electronic identification numbers, address or routing code, or certain electronic account identifiers associated with telephonic communications.
  6. The term “identity theft” means a fraud attempt or committed using identifying information of another person without proper authority.
  7. The term “red flag” means a pattern, practice, or specific activity which indicates the possibility of identity theft.
  8. The term “sensitive information” means personal information belonging to any student, employee, or other person with whom the college is affiliated.
  9. The term “service provider” means a person providing a service directly to the financial institution or creditor. 

Scope 

This protection program applies to employees and students at the college, including all personnel affiliated with third parties. 

Identification of Relevant Red Flags 

The College shall identify the relevant red flags for covered accounts. The red flags generally fall into the five categories listed below: 

  1. Alerts, notifications, or warnings from a consumer reporting agency;
  2. Suspicious documents;
  3. Suspicious personally identifying information, such as suspicious address;
  4. Unusual use of – or suspicious activity relating to – a covered account; and
  5. Notices from students, employees, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with a covered account.

Detecting Red Flags 

The protection program shall address the detection of red flags in connection with the opening of covered accounts and existing covered accounts by: 

  1. Obtaining identifying information about, and verifying the identity of, a person opening a covered account; and
  2. Authenticating students and employees, monitoring transactions, and verifying the validity of change of address requests in the case of existing covered accounts.

Preventing and Mitigating Identity Theft 

In the event that College personnel detects any identified red flags, such personnel shall take one or more of the following steps, depending on the degree of risk posed by the red flag: 

  1. Continue to monitor a covered account for evidence of Identity Theft;
  2. Contact the student or applicant;
  3. Change any passwords or other security devices that permit access to covered accounts;
  4. Not open a new covered account;
  5. Notify the Program Administrator for determination of the appropriate step(s) to take;
  6. Notify law enforcement; or
  7. Determine that no response is warranted under the particular circumstances.

In order to further prevent the likelihood of Identity Theft occurring with respect to covered accounts, the College will take the following steps with respect to its internal operating procedures to protect student identifying information: 

  1. Ensure that the college website is secure or provide clear notice that the website is not secure;
  2. Ensure complete and secure destruction of paper documents and computer files containing covered account information when a decision has been made to no longer maintain such information;
  3. Avoid use of social security numbers;
  4. Ensure computer virus protection is up-to-date; and
  5. Require and keep only the kinds of covered account information that are necessary for College purposes.

Responding to Detection of Red Flags 

The College shall provide for appropriate responses to detected red flags. The appropriate responses to the relevant red flags are as follows: 

  1. Deny access to the covered account until other information is available to eliminate the red flag;
  2. Contact the student or employee;
  3. Change any passwords, security codes or other security devises that permit access to a covered account;
  4. Notify law enforcement; or
  5. Determine no response is warranted under the particular circumstances.

Update of Identity Theft Program 

At periodic intervals, the program will be re-evaluated to determine whether all aspects are up-to-date and applicable in the current business environment. Periodic reviews will include an assessment of which accounts are covered by the program. As part of the review, red flags may be revised, replaced, or eliminated. Defining new red flags may also be appropriate. Actions to take in the event that fraudulent activity is discovered may also require revision to reduce damage to the College and its population. 

Program Administration 

a. Program Oversight

The Chief Operating Officer shall serve as Program Administrator. The Program Administrator shall be responsible for these: program administration, appropriate training of College faculty/staff on the program, reviewing any reports regarding the detection of red flags, the steps for preventing and mitigating Identity Theft, determining which steps of prevention and mitigation should be taken in particular circumstances, and considering periodic changes to the program.

b. Oversight of Service Providers 

It is the responsibility of the College to ensure that the activities of all vendors are conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. A vendor that maintains its own identity theft prevention program, consistent with the guidance of the red flag rules and validation by appropriate due diligence, may be considered to be meeting these requirements. Any specific requirements should be specifically addressed in the appropriate contract agreements. 

<< Back to the policy