Red Flag Identity Theft Prevention Policy

Sponsor:

Office of Administration

Contact:

Vice President for Administration or Assistant Vice President for Administration

Category:

Administration and Facilities Management

Number:

400.006

Effective Date:

2009/09/01

Review Date:

2015/09/01

Implementation History:

Keywords:

Red Flag Rules

Background Information:

Purpose

To develop and identify campus identity theft prevention programs.

Definitions

Account: A relationship established with an institution by a student, employee, or other person to obtain educational, medical, or financial services.

Covered Account: An account that permits multiple transactions or poses a reasonably foreseeable risk of being used to promote an identity theft.

Responsible Staff: Personnel, based on title, who regularly work with Covered Accounts and are responsible for performing the day-to-day application of the Program to a specific Covered Account by detecting and responding to Red Flags.

Red Flag: A pattern, practice, or specific activity that indicates the possible existence of identity theft.

Response: Action taken by Responsible Staff member(s) upon the detection of any Red Flag to prevent and mitigate identity theft.

Service Provider: A contractor to the College engaged to perform an activity in connection with a Covered Account.

Identity Theft: A fraud committed or attempted using the identifying information of another person without authority.

Statements

The Federal Trade Commission (FTC), under the authority granted by the Fair and Accurate Credit Transaction Act of 2003 (FACTA), has issued a Red Flags Rule (16 CFR 681.2) requiring that financial institutions and creditors develop Identity Theft Prevention Programs aimed at recognizing and preventing activity related to identity theft. SUNY campuses and health care facilities come within the definition of creditors and, therefore, must develop Identity Theft Prevention Programs as necessary.

Each Identity Theft Prevention Program must include written policies and procedures for: (1) identifying "covered accounts"; (2) identifying relevant patterns, practices, and forms of activity within those accounts that are “red flags” signaling possible identity theft; (3) detecting red flags; (4) responding appropriately to any red flags that are detected in order to prevent and mitigate identity theft; and, (5) administering the program in a manner that ensures proper staff training, implementation, oversight, and updating.

Under FACTA, the FTC may impose civil penalties on institutions that fail to comply with the Red Flags Rule.

This Identity Theft Prevention Program ("Program") was developed pursuant to a SUNY policy adopted by the Board of Trustees on May 12, 2009 in order to comply with the Federal Trade Commission's Red Flags Rule (16 CFR 681.2). The purpose of this Program is to prevent frauds committed by the misuse of identifying information (i.e. identity theft). The Program aims to accomplish this goal by identifying accounts maintained by the College which may be susceptible to fraud (hereinafter "Covered Accounts"), identifying possible indications of identity theft activity associated with those accounts (hereinafter "Red Flags"), devising methods to detect such activity, and responding appropriately when such activity is detected.

Program Administration and Oversight

The President has designated the Vice President for Administration as Program Administrator to oversee administration of this Program. The Program Administrator may designate additional staff of the College to undertake responsibility for training personnel, monitoring service providers, and updating the Program, all under the supervision of the Program Administrator.

The Program Administrator or designees shall identify and train responsible staff, as necessary, to effectively implement and apply the Program. All College personnel are expected to assist the Program Administrator in implementing and maintaining the Program.

The Program Administrator or designees shall review service provider agreements and monitor service providers, where applicable, to ensure that such providers have adequate identity theft prevention programs in place. When the Program Administrator determines that a service provider is not adequately guarding against threats of identity theft, he/she shall have the authority to take necessary corrective action, including termination of the service provider's relationship with the College.

Prior to the beginning of each academic year, the Program Administrator shall evaluate the Program to determine whether it is functioning adequately. This evaluation shall include: a case-by-case assessment of incidents of identity theft or attempted identity theft that occurred during the previous academic year; interviews with Responsible Staff; and a survey of all accounts maintained by the College to identify any additional Covered Accounts. In response to this annual evaluation, the Program Administrator shall recommend amendments to this Program for approval by the President.

The Program Administrator shall maintain records relevant to the Program, including: the Written Program; documentation on training; documentation on instances of identity theft and attempted identity theft; contracts with service providers that perform activities related to Covered Accounts; and updates to the Written Program. From time to time, the College Vice President for Administration, or other designated internal control officer, may perform audits to determine if various segments of the College are in compliance with the Program.

Covered Accounts; Responsible Staff; Red Flags; Responses:

Covered Account: Student Accounts
Responsible Staff: Director of Student Accounts
Red Flag 1: Suspicious ID presented by a student who is trying to access or alters account
Response: Deny access to account until the student's identity has been established through acceptable means.
Red Flag 2: A change of address request occurs under suspicious circumstances.
Response: Ask student to verify address and any suspicious usage activity.
Red Flag 3: Suspicious or no ID presented by a student who is trying to pick up a student refund check.
Response: Do not release refund check until the student's identity has been established through acceptable means.
Red Flag 4:   A student calls and asks what the credit card number is that will be refunded (if they withdraw, for example).
Response:  Do not give credit card numbers out over the phone.
Red Flag 5: Student calls and requests that a refund check be sent to an alternate address that is not on file.
Response: Develop a "secret question" for each student that assists in identifying a student. 
Red Flag 6: Requests from a third party by telephone for information about a student account.
Response: Must have authorization on file (or be part of an agreement on a third party voucher).

 

Covered Account: Financial Aid Accounts
Responsible Staff: Financial Aid Advisors
Red Flag 1: Department of Education selects student's FAFSA for verification .
Response:  Collect supplemental information from student and resolve any conflict between FAFSA and supplemental information provided by student.
Red Flag 2: Student submits multiple FAFSAs containing conflicting information. 
Response:  Contact student to resolve conflict and verify information.
Red Flag 3:  Requests from a third party by telephone for information about a student account.
Response:  Must have authorization on file (or be part of an agreement on a third party voucher).

  

Covered Account: Email Accounts
Responsible Staff: Information Security Specialists
Red Flag: Notification from student that email has been accessed without authorization. verification .
Response:  Freeze account; secure account; issue new account if necessary.

 

Covered Account: Datatel Account
Responsible Staff: Information Security Specialists
Red Flag: Multiple failed login attempts.
Response:  Freeze account and/or reset password

 

Covered Account: Foundation Loans
Responsible Staff: Financial Aid Advisors
Red Flag: Inaccurate information on request.
Response: Deny loan request until verified with student

 

Covered Account: Accounts Receiveable
Responsible Staff: Director of Business Affairds
Red Flag: Requests from a third party by telephone for information about a student account.
Response: Must have authorization on file (or be part of an agreement on a third party voucher).







 



Applicable Legislation and Regulations

Related References, Policies, Procedures, Forms and Appendices