2.7.1 Identity Theft Protection
2.7.1 Identity Theft Protection
Revised: August 6, 2007
Edited for grammar: December 2013
Background
As a result of the increasing instances of identity theft, the U.S. Congress passed
the Fair and Accurate Credit Transactions Act of 2003 (FACTA), Public Law 108-159.
This amendment to the Fair Credit Reporting Act dictated that the Federal Trade Commission
(FTC) promulgate rules to address identity theft. The rules promulgated by the FTC
(Red Flag rules) require any financial institution and creditor that holds any type
of consumer account or other account for which a potential risk of identity theft
exists to create and implement a written Identity Theft Prevention Program in order
to tackle identity theft associated with new and existing accounts. This Identity
Theft Prevention Program is appropriate to the size and complexity of the College
and the nature and scope of the College activities.
Purpose
The College adopts this Identity Theft Prevention Program to enact reasonable policies
and procedures to protect students and College employees from damages associated with
the compromise of sensitive personal information.
Definitions
- Creditor – Any organization, including community colleges, which regularly:
- extends, renews, or continues credit; or
- arranges for someone else to extend, renew, or continue credit; or
- is the assignee of a creditor involved in the decision to extend, renew, or continue credit.
- Credit – Deferral of payment of a debt incurred for the purchase of goods or services, including educational services
- Covered account – An account with a creditor used by individuals, families, or households which involves multiple payments to that creditor. Examples include emergency loan accounts, scholarships which could involve repayment if the terms of the scholarship are not met, and deferred payment accounts approved by a college’s trustees.
- Financial institution – Typically a bank, credit union, or other entity that holds for an individual an account from which the owner can make payments and transfers.
- Identifying information – Information which alone, or in combination with other information, can be used to identify a specific individual. Identifying information includes name, social security number, date of birth, driver’s license number, student identification card number, employer or taxpayer’s identification number, biometric data, unique electronic identification numbers, address or routing code, or certain electronic account identifiers associated with telephonic communications.
- Identity theft – A fraud attempt or committed using identifying information of another person without proper authority.
- Red Flag – A pattern, practice, or specific activity which indicates the possibility of identity theft.
- Sensitive information – Personal information belonging to any student, employee, or other person with whom the college is affiliated.
- Service provider – Person providing a service directly to the financial institution or creditor.
Scope
This protection program applies to employees and students at the college, including
all personnel affiliated with third parties.
Identification of Relevant Red Flags
The College shall identify the relevant red flags for covered accounts. The red flags
generally fall into the five categories listed below:
1. Alerts, notifications, or warnings from a consumer reporting agency;
2. Suspicious documents;
3. Suspicious personally identifying information, such as suspicious address;
4. Unusual use of – or suspicious activity relating to – a covered account; and
5. Notices from students, employees, victims of identity theft, law enforcement
authorities, or other businesses about possible identity theft in connection with
a covered account.
Detecting Red Flags
The protection program shall address the detection of red flags in connection with
the opening of covered accounts and existing covered accounts, such as by:
1. Obtaining identifying information about, and verifying the identity of, a person
opening a covered account; and
2. Authenticating students and employees, monitoring transactions, and verifying
the validity of change of address requests in the case of existing covered accounts.
Preventing and Mitigating Identity Theft
In the event that College personnel detect any identified red flags, such personnel
shall take one or more of the following steps, depending on the degree of risk posed
by the red flag:
1. Continue to monitor a covered account for evidence of Identity Theft;
2. Contact the student or applicant;
3. Change any passwords or other security devices that permit access to covered
accounts;
4. Not open a new covered account;
5. Notify the Program Administrator for determination of the appropriate step(s)
to take;
6. Notify law enforcement; or
7. Determine that no response is warranted under the particular circumstances.
In order to further prevent the likelihood of Identity Theft occurring with respect
to covered accounts, the College will take the following steps with respect to its
internal operating procedures to protect student identifying information:
1. Ensure that the college website is secure or provide clear notice that the website
is not secure;
2. Ensure complete and secure destruction of paper documents and computer files
containing covered account information when a decision has been made to no longer
maintain such information;
3. Avoid use of social security numbers;
4. Ensure computer virus protection is up-to-date; and
5. Require and keep only the kinds of covered account information that are necessary
for College purposes.
Responding to Detection of Red Flags
The College shall provide for appropriate responses to detected red flags. The appropriate
responses to the relevant red flags are as follows:
1. Deny access to the covered account until other information is available to eliminate
the red flag;
2. Contact the student or employee;
3. Change any passwords, security codes or other security devises that permit access
to a covered account;
4. Notify law enforcement; or
5. Determine no response is warranted under the particular circumstances.
Update of Identity Theft Program
At periodic intervals, the program will be re-evaluated to determine whether all aspects
are up-to-date and applicable in the current business environment. Periodic reviews
will include an assessment of which accounts are covered by the program. As part of
the review, red flags may be revised, replaced, or eliminated. Defining new red flags
may also be appropriate. Actions to take in the event that fraudulent activity is
discovered may also require revision to reduce damage to the College and its population.
Program Administration
- Program Oversight
The Executive Vice President shall serve as Program Administrator. The Program Administrator shall be responsible for these: program administration, appropriate training of College faculty/staff on the program, reviewing any reports regarding the detection of red flags, the steps for preventing and mitigating Identity Theft, determining which steps of prevention and mitigation should be taken in particular circumstances, and considering periodic changes to the program. - Oversight of Service Providers
It is the responsibility of the College to ensure that the activities of all vendors are conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. A vendor that maintains its own identity theft prevention program, consistent with the guidance of the red flag rules and validation by appropriate due diligence, may be considered to be meeting these requirements. Any specific requirements should be specifically addressed in the appropriate contract agreements.