POLICY TITLE: Identity Theft Prevention Program
ADMINISTRATIVE POLICY TYPE: ADMINISTRATION
Section 114 of the Federal Trade Commission’s Fair and Accurate Credit Transactions Act of 2003 created the Red Flags Rule. This regulation requires the college to have an identity theft prevention program designed to detect, prevent, and mitigate identity theft related to specific types of covered accounts. The college’s program must:
- Identify relevant red flags for covered accounts it offers or maintains and incorporate those red flags into the program.
- Detect red flags that have been incorporated into the program.
- Respond appropriately to any red flags that are detected to prevent and mitigate identity theft.
- Ensure the program is updated periodically to reflect changes in risks to the safety and soundness of the creditor from identity theft.
The following definitions are included as part of this policy:
A. Identity theft – fraud committed or attempted using the identifying information of another person without authority.
B. Covered account – an account that a creditor offers or maintains, primarily for personal, family, or household purposes, that involves multiple payments or transactions; and any other account the college offers or maintains for which there is reasonably foreseeable risk to customers or to the safety and soundness of the college from identity theft.
C. Red flag – a pattern, practice or specific activity that indicates the possible existence of identity theft.
D. Identifying information – any name or number that may be used, alone or in conjunction with any other information, to identify a specific person including name, address, telephone number, social security number, date of birth, driver’s license, identification number, alien registration number, government passport, employer or taxpayer identification number, student identification number, computer’s Internet Protocol address, or routing code.
II. Covered Accounts
The college has identified the following types of accounts or transactions that fall under the definition of “covered accounts”:
- Refund of credit balances involving PLUS loans.
- Refund of credit balances without PLUS loans.
- Tuition payment deferments.
- Emergency loans.
- Direct deposit information.
- 1098-T information.
- Wisconsin Tax Refund Intercept Program accounts.
- Delinquent accounts sent to collection agency.
- Contracted agreements including third-party arrangements.
III. Identification of Red Flags
A. The following risk factors will be used to identify relevant red flags for covered accounts:
- The types of covered accounts maintained by the college.
- The methods or types of information provided to open covered accounts.
- The methods used to access covered accounts.
- The college’s previous history of identity theft.
B. The following types of red flags will be considered:
- Notifications and warnings from credit reporting agencies.
- Suspicious documents.
- Suspicious identifying information.
- Suspicious account activity.
- Alerts from others.
IV. Detection of Red Flags
The college will develop and provide methods to detect red flags including, but not limited to:
- Require and verify certain identifying information such as name, date of birth, academic records, home address or other identification.
- Verify changes in banking information given for billing and payment purposes.
- Monitor for and act on irregularities in covered account activities.
V. Preventing and Mitigating Identity Theft
A. When a red flag is identified, the following actions may be taken depending on the degree of risk posed by the red flag:
- Continue to monitor a covered account for evidence of identity theft.
- Contact the student or applicant.
- Change any passwords or other security devices that permit access to covered accounts.
- Do not open a new covered account.
- Notify the program administrator for determination of the appropriate step(s) to take.
- Notify law enforcement.
- Determine that no response is warranted under the particular circumstances.
- Provide ability to apply FERPA block on directory information.
B. In order to further prevent the likelihood of identity theft occurring with respect to covered accounts, the college will take the following steps with respect to its internal operating procedures to protect student identifying information:
- Require and keep only the kinds of student information that are necessary for college purposes.
- Ensure complete and secure destruction of paper documents and computer files containing student account information when a decision has been made to no longer maintain such information.
- Ensure that office computers with access to covered account information are password protected.
- Avoid use of social security numbers whenever possible.
- Ensure computer virus protection is up to date.
- Ensure that its website is secure or provide clear notice that the website is not secure.
- Require and enforce automatic lock-out for computers.
- Restrict access to college servers and deploy intrusion detection devices within the network environment.
VI. Program Oversight
The College Information Security Manager will serve as the program administrator and is responsible for developing, implementing and updating this program. The program administrator will be responsible for ensuring appropriate training of college staff on the program, and for reviewing any staff reports regarding the detection of red flags and the steps for preventing and mitigating identity theft, determining which steps of prevention and mitigation should be taken in particular circumstances and considering periodic changes to the program.
VII. Service Provider Arrangements
In the event the college engages a service provider to perform an activity in connection with one or more covered accounts, the college will take the following steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft:
- Require, by contract, that service providers have such policies and procedures in place.
- Require, by contract, that service providers review the college’s program and report any red flags to the program administrator.
VIII. Specific Program Elements and Confidentiality
For the effectiveness of this identity theft prevention program, knowledge about specific red flag identification, detection, mitigation and prevention practices may need to be limited to the committee that developed this program and to those employees with a need to know. Any documents that may have been produced or are produced in order to develop or implement this program that list or describe such specific practices and the information those documents contain are considered “confidential” and should not be shared with other college employees or the public. The program administrator shall inform the employees with a need to know of those documents or specific practices which should be maintained in a confidential manner.
IX. Program Updates
The program administrator will periodically review and update this program to reflect changes in risks to students and the soundness of the college from identity theft. In doing so, the program administrator will consider the college’s experiences with identity theft situations, changes in identity theft methods, changes in identity theft detection and prevention methods, and changes in the college’s business arrangements with other entities. After considering these factors, the program administrator will determine whether changes to the program, including the list of red flags, are warranted. If warranted, the program administrator will update the program.
X. Disclaimer
While reasonable efforts will be made to detect, prevent and mitigate identity theft, the college makes no representations or guarantees that the program described above will in fact ensure the absence of identity theft or prevent financial losses. All warranties against loss, both express and implied, are hereby disclaimed. Furthermore, the college will not be liable for any damages, whether direct, indirect or consequential.