Red Flags Rule - Identity Theft Prevention Program

Purpose

The purpose of this policy is to establish a Red Flags Rule Identity Theft Prevention Program designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or an existing covered account and to provide for continued administration of the Program. The Program shall include reasonable policies and procedures to:

  • Identify relevant Red Flags for covered accounts the University offers or maintains and incorporate those Red Flags into its Program;
  • Detect Red Flags that have been incorporated into the Program of the University;
  • Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft;
  • Ensure the Program is updated periodically to reflect changes in risks to students and borrowers and to the safety and soundness of the University from identity theft; and
  • Incorporate, as appropriate, existing policies and procedures that control reasonably foreseeable risks.

Existing Policies and Practices

The University has policies to ensure compliance with the Gramm-Leach-Bliley Act (GLBA), the Family Educational Rights and Privacy Act (FERPA), system and application security, and internal control procedures, which provide an environment where identity theft opportunities are mitigated. Records are safeguarded to ensure the privacy and confidentiality of student and borrower records.

In addition, the University adheres to the following practices:

  • All paper files are kept in locked offices and/or filing cabinets while not being used.
  • Access to confidential information is limited to only those employees who need access to properly perform the duties for which they were hired.
  • Employees with access to confidential information understand that this is confidential business information and is not to be discussed with anyone who does not “need to know.”

Definitions

  • Identity theft means fraud committed or attempted using the identifying information of another person without authority.
  • Account means a continuing relationship established by a person with the creditor to obtain a product or service for personal purposes. The account includes an extension of credit involving a deferred payment.
  • Covered account means an account that a creditor offers or maintains primarily for personal purposes that involves or is designed to permit multiple payments or transactions.
  • Red Flag means a pattern, practice, or specific activity that indicates the possible existence of identity theft.

Covered Accounts

  • The University offers and establishes student payment plans.

Identifying Relevant Red Flags

  • The photograph or physical description on the identification is not consistent with the appearance of the student or borrower presenting the identification.
  • The SSN provided is the same as that submitted by other students or borrowers.
  • The address or telephone number provided is the same as or similar to the account number or telephone number submitted by an unusually large number of other students or borrowers.
  • The person opening the covered account or the student or borrower fails to provide all required personal identifying information on an application or in response to notification that the application is complete.
  • A covered account is used in a manner inconsistent with established patterns of activity on the account – nonpayment when there is no history of late or missed payments.
  • The University is notified of unauthorized charges or transactions concerning a student or borrower’s covered account.
  • The University is notified by a student or borrower, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.

Student Payment Plans

Students must call, e-mail, or come into the Director of Student Accounts Office to request their account be placed on a tuition payment plan.

Responding to Red Flags

The Program shall respond appropriately to detected red flags to prevent and mitigate identity theft. The appropriate responses to the relevant red flags are as follows:

  • Contacting the student or borrower;
  • Changing any passwords, security codes, or other security devices that permit access to a covered account;
  • Reopening a covered account with a new account number;
  • Closing an existing covered account;
  • Not attempting to collect on a covered account;
  • Notifying law enforcement; and/or
  • Determining that no response is warranted under the particular circumstances.

Updating the Program

The University will update the Program annually in December to reflect changes in risks to students or borrowers or to the safety and soundness of the University from identity theft based on factors such as:

  • The experiences of the University with identity theft;
  • Changes in methods of identity theft;
  • Changes in methods to detect, prevent, and mitigate identity theft; and
  • Changes in the types of accounts that the University offers or maintains.

Oversight of Service Provider Arrangements

The University shall take steps to ensure that the activity of a service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft whenever the University engages a service provider to perform an activity in connection with one or more covered accounts.

Last Revision Date

08/13/2024