Policies + Procedures — Governance + Compliance — Identity Theft Prevention

1.18 Identity Theft Prevention

I. Purpose

This policy ensures compliance with the federal regulations known as the Federal Trade Commission (FTC) Red Flag Rules which require the adoption of practices to detect, prevent and mitigate identify theft.

II. Scope

This policy applies to certain college financial activities described below. The college has implemented other guidelines and policies regarding privacy and information security. This policy does not replace or supersede any of those policies, but is intended to address issues specific to identify theft and to complement existing policies.

III. General

The terms as defined below and utilized in this policy are intended to have the meaning inherent in the Red Flag legislation. These definitions have been modified to be relevant to the specific activities of the college which are vulnerable to identify theft.

Red Flag means a pattern, practice or specific activity that indicates the possible existence of identity theft.

Identity theft means a fraud committed or attempted using the identifying information of another person without authority.

Covered account means any college controlled account that involves multiple payments or transactions, such as a loan or deferred payment account, or an account or record that the college maintains where confidential and private or identifying information is collected or stored. Such accounts may cover faculty, staff, students or donors.

In the event the college engages a service provider to perform an activity in connection with one or more Covered Accounts, the college will require that the service provider review and comply with this program including reporting any Red Flags to the college.

The President of the college will designate a college staff member who will serve as the Program Administrator and is responsible for developing, implementing and updating the Program. The Program Administrator will be responsible for: ensuring appropriate training of staff, reviewing reports regarding the detection of Red Flags, determining which steps of prevention and mitigation should be taken in particular circumstances and considering periodic changes to the program. Annually, the Program Administrator will provide a report to the Audit Committee of the Board of Trustees addressing effectiveness of the policies and procedures in addressing the risk of identity theft in connection with the opening and maintenance of covered accounts, service provider agreements, significant incidents involving identity theft and management’s response, and recommendations for changes to the program.

College staff responsible for implementing the program shall be trained in the detection of Red Flags and the steps to be taken when a Red Flag is detected. Staff members are expected to notify the Program Administrator once they become aware of an incident of potential identify theft or the failure of the college to comply with this program.

IV. Procedures

The procedures associated with this policy shall include detailed but reasonable steps to do all of the following:

Identify the Covered Accounts of the college and assess risk of identity theft based on:
1. types of Covered Accounts
2. methods used to open and access Covered Accounts
3. prior history of Identity Theft at the college.
Identify specific Red Flags including:
1. notification and warnings from credit reporting agencies
2. alerts from others
3. suspicious documents, identifying information or account activity.
Detect Red Flags in appropriate areas including:
1. student enrollment
2. existing Covered Accounts notably Student Accounts and Financial Aid
3. Foundation and Human Resources
4. Credit report requests.
Take one or more of the following steps when a Red Flag is triggered:
1. Deny access to the Covered Account until other information is available to eliminate the Red Flag
2. Contact the account holder
3. Change any passwords, security codes or other security devices that permit access to a covered account
4. Notify law enforcement
5. Determine no response is warranted under the particular circumstances
6. Identify and ensure compliance of service providers for Covered Accounts.