BASED ON POLICY NUMBER AND TITLE:
2-13-0 EP 5: ASSET PROTECTION
- Purpose
To develop a procedure and plan for compliance with “Red Flags Rule” regulations issued by the Federal Trade Commission (FTC), federal bank regulatory agencies, and the National Credit Union Administration (NCUA). The “Red Flags Rule” requires financial institutions and creditors with covered accounts to develop and implement a written identity theft prevention plan as part of the Fair and Accurate Credit Transactions Act (FACTA) of 2003. Plans must provide for the identification, detection, and response to red flags that may be indicative of identity theft activity. In addition, plans must include a periodic review process. Trident Technical College (TTC) has determined that the “Red Flags Rule” applies to the college’s operations.
- “Red Flags Rule” Definitions
  - Identity Theft: The fraudulent use of personal identifying information.
  - Personal Identifying Information: Sensitive personal information (e.g., names, social security numbers, driver’s license numbers, financial account numbers, credit or debit card numbers, security or access codes associated with credit or debit card numbers, mothers’ maiden names, dates of birth, or other account data) that identifies students, employees, or customers.
  - Financial Institution: A state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, any other person that, directly or indirectly, holds a transaction account belonging to a consumer, or any other institution that offers accounts from which the consumer can make payments or transfers to third parties.
  - Creditor: A business or organization that regularly defers payment for goods or services; provides goods or services and bills customers later; or regularly grants loans, arranges for loans or the extension of credit, or makes credit decisions.
  - Covered Account: Any account that a financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk of identity theft to customers or to the safety and soundness of the financial institution or creditor. Examples of covered accounts include student loans (particularly those with overage payments), deferred tuition payments (the TTC payment plan), and other accounts that involve multiple payments or transactions.
  - Red Flag: A suspicious pattern, practice, or specific activity that indicates the possibility of identity theft.
  - Customer or Contractor: For the purposes of this plan, a customer or contractor is a person, not an entity; for example, a continuing education instructor may be a contractor.
- Compliance Criteria
Each division of the college that has responsibility for covered accounts will develop an identity theft prevention plan specific to the day-to-day operational activities or processes of that division. Using the “Red Flags Rule” Identity Theft Prevention Plan Template, each division shall address identification, detection, and response to red flags, as well as how its plan will be updated.
- Identification of Red Flags
  - Risk Assessment
    - Review the methods used to open and maintain covered accounts. Accounts opened online may differ from those opened through face-to-face contact.
    - Evaluate the manner in which access is provided to accounts. Online access may require additional authentication or verification of identity.
    - Review general business operations as they relate to covered accounts. For example:
      - Does your staff have access to student records or a portion of them?
      - Do you contract with third-party entities that have access to sensitive information, such as student records?
  - Categories of Common Red Flags
    - Alerts, Notifications, and Warnings from a Credit Reporting Company
      - A fraud alert on a credit report.
      - A notice of credit freeze in response to a request for a credit report.
      - A notice of address discrepancy provided by a credit reporting agency.
      - A credit report showing activity inconsistent with the student’s, employee’s, customer’s, or contractor’s history.
    - Alerts, Notifications, or Failed Processing by Credit or Debit Card Companies
      - An electronic process refuses the card.
      - The credit or debit card is declined or over its limit.
      - A notification to seize the credit or debit card.
    - Suspicious Documents
      - Identification that appears to have been altered or forged.
      - Inconsistent appearance between the student, employee, or customer presenting the identification and the photograph or physical description on the identification.
      - Information on the identification that is inconsistent with other documents or verbal statements presented by or on behalf of the student, employee, customer, or contractor.
      - An application that appears to have been altered, forged, or torn up and reassembled.
    - Suspicious Personal Identifying Information
      - Addresses, telephone numbers, or other personal information that have been used on accounts known to be fraudulent.
      - Fictitious addresses, addresses used for mail drops, prison addresses, invalid telephone numbers, or telephone numbers answered by answering services.
      - Duplicate Datatel numbers for the same person.
    - Suspicious Account Activity
      - Mail sent to a student, employee, customer, or contractor that is repeatedly returned as undeliverable although transactions continue to be conducted on the account.
      - Information that the student, employee, customer, or contractor is not receiving mailed correspondence.
      - Information concerning unauthorized charges to an account.
    - Notice from Other Sources
      - A student, employee, or customer reports that their identity has been compromised.
      - Reports from law enforcement that a student, employee, or customer has been a victim of identity theft.
- Detection of Red Flags
  - Determine the types of identity verification and authentication required for detecting red flags, e.g., government-issued photograph IDs.
  - Consider whether additional verification or authentication methods are required for online, mail, or telephone transactions.
  - Decide whether additional security measures are required for wireless system transactions.
  - Monitor for breaches in the handling of personal identifying information, identity verification, or identity authentication, e.g., confidential information that has not been destroyed or transported securely.
- Response to Red Flags
At a minimum, divisional plans should consider the following TTC guidelines as appropriate responses to red flags. Additional responses specific to particular functions of the division, or of departments within the division, should also be included in the divisional plan.
  - Monitor covered accounts for evidence of identity theft, fraud, etc.
  - Report all suspected red flag activity to immediate supervisors for review and confirmation of a detected red flag.
  - Determine whether the red flag activity needs to be reported to Public Safety (criminal activity is suspected) or whether no further response is warranted under the particular circumstances (criminal activity is not suspected and/or the red flag can be explained). Catastrophic data breaches must be reported immediately to the division’s Vice President, the Vice President for Information Technology, and Public Safety.
  - Delay or refuse to provide services to students, employees, and customers pending review and confirmation of a detected red flag.
  - Notify students, employees, or customers when red flags have been confirmed.
  - Change, or instruct the account owner to change, passwords, security codes, and other means of access to covered accounts.
  - Close existing accounts to prevent further activity. Determine whether or not to open a new account with a new Datatel ID number.
  - Discontinue collections on accounts where red flags have been confirmed.
- Evaluations and Updates to Divisional Red Flag Plans
At a minimum, evaluate divisional plans annually and update them for:
  - Changes to the Red Flags Rule.
  - Changes in SBTCE, TTC, divisional, or other applicable business processes.
  - Changes in technology (access, storage, maintenance, etc. of covered accounts).
  - Changes in identity theft risks (new patterns used by identity thieves).
- Employee Training for Prevention and Mitigation of Identity Theft
  1. Incorporate TTC’s Procedure 6-17-1 Information Security Plan into employee training. The FTC recommends the following key principles for data security (Protecting Personal Information: A Guide for Business):
     - Take stock: Know what personal information is stored in files and on computers.
     - Scale down: Keep only the documents and information needed for business processes.
     - Lock it: Protect the information stored in files and on computers (physical and electronic security).
     - Pitch it: Properly dispose of (shred) documents and files that are no longer needed.
     - Plan ahead: Create a plan to respond to security incidents.
  2. Minimum training requirements
     - Train all existing employees upon initial implementation of the TTC Red Flags Plan and the TTC Information Security Plan.
     - Train all new employees.
     - Provide periodic refresher training at least annually or after significant changes to the plan.
- Administration of Plan
The vice president for each division will be responsible for the division’s plan, specifically to:
  - Assign specific responsibilities for the plan’s implementation to person(s) within the division.
  - Require that background and reference checks are performed before hiring new employees, as identified in TTC Procedure 8-1-1 Employment Practices.
  - Ensure compliance with all minimum training requirements (Section III E (2)).
  - Require a procedure for removing access to sensitive information from employees who leave the college or transfer to another division, e.g., collect keys, remove access to computer applications, delete Sonitrol accounts, etc.
  - Review staff reports on the division’s compliance with the Red Flags Rule.
  - Approve important changes to the division’s plan.
  - Monitor the activities of service providers to ensure they comply with the Red Flags Rule.
  - Report the effectiveness of the divisional plan to Cabinet on an annual basis, including:
    - Successes in identifying risks of identity theft
    - Significant incidents of identity theft and responses
    - Monitoring practices for service providers
    - Recommendations for major changes to the plan