Identity Theft Prevention (C-60)
Original Implementation: April 21, 2009
Last Revision: April 17, 2012
The purpose of this policy is to establish an Identity Theft Program (“Program”) designed to detect, prevent and mitigate identity theft in connection with covered accounts and to provide continued administration of the program in compliance with applicable regulations. The program will include reasonable policies and procedures to:
- Identify risks that signify potentially fraudulent activity within new or existing covered accounts;
- Detect risks when they occur in covered accounts;
- Respond to risks if fraudulent activity has occurred and act if fraud has been attempted or committed; and
- Update the program periodically to reflect changes in risks to students, covered accounts and previous experience with identity theft.
This policy is in addition to any other information security policies currently at Stephen F. Austin State University.
Identity Theft means fraud committed or attempted using the identifying information of another person without authority.
Covered account means:
- An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions; and
- Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.
Creditor means any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.
Red Flag means a pattern, practice or specific activity that indicates the possible existence of identity theft.
Red Flag Rules are rules issued by the Federal Trade Commission (FTC) on November 7, 2007 regarding identity theft. These rules implement Sections 114 and 115 of the Fair and Accurate Credit Transactions Act and require certain policies and procedures be developed that are designed to detect, prevent and mitigate identity theft.
Service Provider means a person that provides a service directly to the financial institution or creditor.
Elements of the Program
Identification of Red Flags
The program includes relevant red flags from the following categories as appropriate:
- Alerts, notifications or warnings from credit reporting agencies;
- The presentation of suspicious documents;
- The presentation of suspicious personal identifying information;
- Unusual use of, or suspicious activity related to, the covered account.
Detecting Red Flags
The program addresses the detection of red flags in connection with the opening of covered accounts and existing covered accounts by:
- Obtaining identifying information about, and verifying the identity of, a person opening a covered account; and
- Authenticating customers, monitoring transactions, and verifying the validity of change of address requests in the case of existing covered accounts.
Responding to Fraudulent Activity
Once potentially fraudulent activity is detected, an employee must act quickly, as a rapid, appropriate response can protect employees, students and the university from damages and loss.
- The employee will gather all related documentation and present this information to the designated authority for determination.
- The designated authority will complete additional authentication to determine whether the attempted transaction was fraudulent or authentic and will respond appropriately.
- If the activity is deemed fraudulent, procedures as outlined in the university Fraud Policy (C-46) will be followed.
Periodic Updates to Program
At periodic intervals established in the program, or as required, the program will be re-evaluated to determine whether all aspects of the program are up to date and applicable in the current business environment. Periodic reviews will include, at a minimum, an assessment of:
- The types of covered accounts offered or maintained;
- The methods provided to open covered accounts;
- The methods provided to access covered accounts;
- Previous experience with identity theft;
- Red flags as identified above and the need to define new red flags; and
- Response procedures defined above and their efficacy to reduce damage to the university and its customers.
Oversight of the Program
Oversight of the program will lie with the vice president for finance and administration. The vice president for finance and administration will be responsible for appointing a program officer with the specific responsibility for the program’s development, implementation and administration; reviewing reports prepared by staff regarding compliance with Red Flag rules; and approving material changes to the program as necessary to address changing identity theft risks.
University staff responsible for the development, implementation, and administration of the program should report to the program administrator, at least annually, on compliance with the program. The report should address such issues as: the effectiveness of the policy and procedures in addressing the risk of identity theft in connection with covered accounts; service provider arrangements; significant incidents involving identity theft and management’s response; and recommendations for material changes to the program.
Staff, officials and contractors for whom it is reasonably foreseeable that they may come into contact with covered accounts or personally identifiable information that may constitute a risk to the university or its customers must complete the Red Flag Training to ensure compliance with the identity theft prevention policy.
Oversight of Service Provider Arrangements
It is the responsibility of the university to ensure that the activities of all service providers are conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. Contractual arrangements with service providers should specifically require the service provider to maintain its own identity theft prevention program consistent with the guidance of the red flag rules.
Cross Reference: Fair and Accurate Credit Transactions Act of 2003; 16 CFR 681; Fraud (C-46)
Responsible for Implementation: Vice President for Finance and Administration
Contact for Revision: Vice President for Finance and Administration
Board Committee Assignment: Finance and Audit