Purpose

This policy is intended to meet the requirements of the FTC “Red Flag Rule.” The Clayton State University (CSU) System of Higher Education and its institutions have adopted this policy, except where separately approved institution specific policies have been approved. This policy, and any other approved institution specific policies, shall contribute to the CSU Procedures and Guidelines. CSU may also develop additional procedures with the approval of the institution president.

Identity theft is a fraud committed or attempted using the identifying information of another person without authority. It is the policy of CSU to undertake reasonable measures to detect, prevent, and mitigate identity theft in connection with the opening of a “covered account” or any existing “covered account,” and to establish a system for reporting a security incident.

Authority

In 2003, the U.S. Congress enacted the Fair and Accurate Credit Transaction Act of 2003 (FACT Act) which required the Federal Trade Commission (FTC) to issue regulations requiring “creditors” to adopt policies and procedures to prevent identify theft.

In 2007, the Federal Trade Commission (FTC) issued a regulation known as the Red Flag Rule. The rule requires “financial institutions” and “creditors” holding “covered accounts” to develop and implement a written identity theft prevention program designed to identify, detect and respond to “Red Flags.” That regulation is scheduled to be enforceable on August 1, 2009.

Definitions

Pursuant to the Red Flag regulations at 16 C.F.R. § 681.2, the following definitions apply to this policy:

Covered Account – A covered account is a consumer account designed to permit multiple payments or transactions. These are accounts where payments are deferred and made by a borrower periodically over time such as a tuition or fee installment payment plan. Examples:

  • Any University account maintained primarily for a student or related to a loan administered by the University, which involves multiple payments or transactions.
  • Any University account for which there is a reasonably foreseeable risk from identify theft to customers

Creditor – A creditor is a person or entity that regularly extends, renews, or continues credit and any person or entity that regularly arranges for the extension, renewal, or continuation of credit. Examples of activities that indicate a college or university is a “creditor” are:

  • Participation in the Federal Perkins Loan program;
  • Participation as a school lender in the Federal Family Education Loan Program;
  • Offering institutional loans to students, faculty or staff;
  • Offering a plan for payment of tuition or fees throughout the semester, rather than requiring full payment at the beginning of the semester.

Identifying Information – Any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including: name, address, telephone number, social security number, date of birth, government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number, student identification number, computer’s Internet Protocol address, routing code or financial account number such as credit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

Red Flag – A red flag is a pattern, practice or specific activity that indicates the possible existence of identity theft.

Security Incident – A collection of related activities or events which provide evidence that personal information could have been acquired by an unauthorized person.

Identity theft — is a “fraud committed or attempted using the identifying information of another person without authority.”

Responsible University Official –The Designated Policy Administrator shall exercise appropriate and effective oversight of the policy and shall report regularly to the President on the status of the policy.

Identification of Red Flags

1. The following are relevant Red Flags, in each of the listed categories for which employees should be aware and diligent in monitoring:

  1. Notifications and warnings from credit reporting agencies:
    1. Report of fraud accompanying a credit report;
    2. Notice or report from a credit agency of a credit freeze on a customer or applicant;
    3. Notice or report from a credit agency of an active duty alert for an applicant; and
    4. Indication from a credit report of activity that is inconsistent with a customer’s usual pattern or activity.
  2. Suspicious documents:
    1. Identification document that appears to be forged, altered, or inauthentic;
    2. Identification document on which a person’s photograph or physical description is inconsistent with the person presenting the document;
    3. Other document with information that is inconsistent with existing customer information (such as if a person’s signature on a check appears forged); or
    4. Application for service that appears to have been altered or forged.
  3. Suspicious personal identifying information:
    1. Identifying information presented that is inconsistent with other information the customer provides (example: inconsistent birth dates);
    2. Identifying information presented that is inconsistent with other sources of information (for instance, an address not matching an address on a credit report);
    3. Identifying information presented that is the same as information shown on other applications that were found to be fraudulent;
    4. Identifying information presented that is consistent with fraudulent activity (such as an invalid phone number or fictitious billing address);
    5. Social security number presented that is the same as one given by another customer;
    6. An address or phone number presented that is the same as that of another person;
    7. A person fails to provide complete, personal identifying information on an application when reminded to do so (however, by law social security numbers may not be required in all instances); and
    8. A person’s identifying information is inconsistent with the information that is on file for the customer.
  4. Suspicious account activity or unusual use of account:
    1. Change of address for an account followed by a request to change the account holder’s name;
    2. Payments stop on an otherwise consistently up-to-date account;
    3. Account used in a way that is inconsistent with prior use (example: very high activity);
    4. Mail sent to the account holder is repeatedly returned as undeliverable;
    5. Notice to the University that a customer is not receiving mail sent by the University;
    6. Notice to the University that an account has unauthorized activity;
    7. Breach in the university’s computer system security; and
    8. Unauthorized access to or use of customer account information.
  5. Alerts from others
    1. Notice to the University from a customer, identity theft victim, law enforcement, or other person who has opened or is maintaining a fraudulent account for a person engaged in identity theft.

Detection of Red Flag:

Employees shall undertake reasonable diligence to identify Red Flags in connection with the opening of covered accounts as well as existing covered accounts through such methods as:

  • Obtaining and verifying identity;
  • Authenticating customers; and
  • Monitoring transactions.

A data security incident that results in unauthorized access to a students’ account record or a notice that a customer has provided information related to a covered account to someone fraudulently claiming to represent the University or to a fraudulent web site may heighten the risk of identity theft and should be considered Red Flags.

Detecting Red Flags:

New accounts

University personnel will take the following steps to obtain and verify the identity of the person opening an account:

      1. Require personal identifying information such as name, date of birth, residential or business address, driver’s license, or other identification;
      2. Verify customer’s identity (for instance, review a driver’s license or other identification card); or
      3. Independently contact the customer.
Existing accounts

University personnel will take the following steps to monitor transactions with an account:

    1. Verify the identification of customers if they request information (in person, via telephone, via facsimile, via email);
    2. Verify the validity of requests to change billing addresses; and
    3. Verify changes in banking information given for billing and payment purposes.

Responding to Red Flags and Mitigating Identity Theft

In the event university personnel detect identified Red Flags, such personnel shall take all appropriate

steps to respond and to mitigate identity theft depending on the nature and degree of risk posed by the

Red Flag, including but not limited to the following examples:

  • Continue to monitor an account for evidence of identity theft;
  • Contact the customer;
  • Change any passwords or other security devices that permit access to accounts;
  • Not open a new account;
  • Close an existing account;
  • Reopen an account with a new number;
  • Notify law enforcement; or
  • Determine that no response is warranted under the particular circumstances.

Unless otherwise directed by the college or university, the detection of a Red Flag by an employee shall be reported to Information Security Officer for the institution. Based on the type of Red Flag, the appropriate administrator and the Information Security Officer will determine the appropriate response.

Security Incident reporting:

An employee who believes that a security incident has occurred shall immediately notify their appropriate administrator and, unless otherwise directed by the institution, the Information Security Officer.

After normal business hours, notification shall be made to the institution police or other responsible after hours’ administrator. Upon review of the incident, the responsible administrator shall determine what steps may be required to mitigate any issues that arise in the review. In addition, referral to law enforcement may be required.

Training and Program Review:

All employees who process any information related to a covered account shall receive training following appointment on the procedures outlined in this document. Refresher training may be provided annually.

Periodically the policy, procedure and training shall be reviewed to assess the need for changes or improvements.

  • University employees responsible for implementing the program shall be trained in the detection of Red Flags, and the responsive steps to be taken when a Red Flag is detected.
  • Appropriate staff shall provide reports to the program administrator on incidents of identity theft, the effectiveness of the program, and the University’s compliance with the program.

Policy Workflow

In recognition that some university activities are subject to the provisions of the Fair and Accurate Credit Transactions Act (FACT Act) and its “Red Flag” rules as promulgated by the U.S. Federal Trade Commission, the University outlines the following program. This program complements existing policies, which can be found in various sections of the university’s Information Technology Policy Handbook.

Program Administration and Maintenance

The Policy Administrator is responsible for:

    1. Developing, implementing, and updating Clayton State University (CSU) policy;
    2. Ensuring appropriate training of college staff on the policy;
    3. Reviewing staff reports regarding the detection of Red Flags;
    4. Reviewing steps for identifying, preventing, and mitigating identity theft;
    5. Determining appropriate prevention and mitigation steps to be taken in specific circumstances;
    6. Reviewing, evaluating, and promulgating periodic changes to the Policy based on:
        1. Changes in identity theft risks, detection, mitigation, and prevention methods
        2. Technological advances
        3. College’s experiences with identity theft
        4. Changes in types of accounts the college maintains
        5. Changes in the college’s business arrangements with other entities
        6. Changes in legal requirements related to identity theft.

Service Provider Arrangements

In the event the University engages a service provider to perform an activity in connection with one or more

covered accounts, the University will take the following steps to ensure the service provider performs its activity

in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of

Identity theft:

  • Require, by contract, that service providers have such policies and procedures in place; and
  • Require, by contract, that any service providers review the university’s program and report any Red Flags to the program administrator.