Sponsor: Office of Administration
Contact: Vice President for Administration or Assistant Vice President for Administration
Category: Information Security and Technology
Number: 1000.006
Effective Date: 09/01/2009
Implementation History:
Keywords: Red Flag Rules
Background Information:
Purpose
To develop and identify campus identity theft prevention programs.
Definitions
Account: A relationship established with an institution by a student, employee, or
other person to obtain educational, medical, or financial services.
Covered Account: An account that permits multiple transactions or poses a reasonably
foreseeable risk of being used to promote an identity theft.
Responsible Staff: Personnel, based on title, who regularly work with Covered Accounts
and are responsible for performing the day-to-day application of the Program to a
specific Covered Account by detecting and responding to Red Flags.
Red Flag: A pattern, practice, or specific activity that indicates the possible existence
of identity theft.
Response: Action taken by Responsible Staff member(s) upon the detection of any Red
Flag to prevent and mitigate identity theft.
Service Provider: A contractor to the University engaged to perform an activity in
connection with a Covered Account.
Identity Theft: A fraud committed or attempted using the identifying information of
another person without authority.
Statements
The Federal Trade Commission (FTC), under the authority granted by the Fair and Accurate
Credit Transaction Act of 2003 (FACTA), has issued a Red Flags Rule (16 CFR 681.2)
requiring that financial institutions and creditors develop Identity Theft Prevention
Programs aimed at recognizing and preventing activity related to identity theft. SUNY
campuses and health care facilities come within the definition of creditors and, therefore,
must develop Identity Theft Prevention Programs as necessary.
Each Identity Theft Prevention Program must include written policies and procedures
for: (1) identifying "covered accounts"; (2) identifying relevant patterns, practices,
and forms of activity within those accounts that are “red flags” signaling possible
identity theft; (3) detecting red flags; (4) responding appropriately to any red flags
that are detected in order to prevent and mitigate identity theft; and, (5) administering
the program in a manner that ensures proper staff training, implementation, oversight,
and updating.
Under FACTA, the FTC may impose civil penalties on institutions that fail to comply
with the Red Flags Rule.
This Identity Theft Prevention Program ("Program") was developed pursuant to a SUNY
policy adopted by the Board of Trustees on May 12, 2009 in order to comply with the
Federal Trade Commission's Red Flags Rule (16 CFR 681.2). The purpose of this Program
is to prevent frauds committed by the misuse of identifying information (i.e. identity
theft). The Program aims to accomplish this goal by identifying accounts maintained
by the University which may be susceptible to fraud (hereinafter "Covered Accounts"),
identifying possible indications of identity theft activity associated with those
accounts (hereinafter "Red Flags"), devising methods to detect such activity, and
responding appropriately when such activity is detected.
Program Administration and Oversight
The President has designated the Vice President for Administration as Program Administrator
to oversee administration of this Program. The Program Administrator may designate
additional staff of the University to undertake responsibility for training personnel,
monitoring service providers, and updating the Program, all under the supervision
of the Program Administrator.
The Program Administrator or designees shall identify and train responsible staff,
as necessary, to effectively implement and apply the Program. All University personnel
are expected to assist the Program Administrator in implementing and maintaining the
Program.
The Program Administrator or designees shall review service provider agreements and
monitor service providers, where applicable, to ensure that such providers have adequate
identity theft prevention programs in place. When the Program Administrator determines
that a service provider is not adequately guarding against threats of identity theft,
he/she shall have the authority to take necessary corrective action, including termination
of the service provider's relationship with the University.
Prior to the beginning of each academic year, the Program Administrator shall evaluate
the Program to determine whether it is functioning adequately. This evaluation shall
include: a case-by-case assessment of incidents of identity theft or attempted identity
theft that occurred during the previous academic year; interviews with Responsible
Staff; and a survey of all accounts maintained by the University to identify any additional
Covered Accounts. In response to this annual evaluation, the Program Administrator
shall recommend amendments to this Program for approval by the President.
The Program Administrator shall maintain records relevant to the Program, including:
the Written Program; documentation on training; documentation on instances of identity
theft and attempted identity theft; contracts with service providers that perform
activities related to Covered Accounts; and updates to the Written Program. From time
to time, the University Vice President for Administration, or other designated internal
control officer, may perform audits to determine if various segments of the University
are in compliance with the Program.
Covered Accounts; Responsible Staff; Red Flags; Responses:

Covered Account: Student Accounts
Responsible Staff: Director of Student Accounts
Red Flag 1: Suspicious ID presented by a student who is trying to access or alter an account.
Response: Deny access to the account until the student's identity has been established through acceptable means.
Red Flag 2: A change of address request occurs under suspicious circumstances.
Response: Ask the student to verify the address and any suspicious usage activity.
Red Flag 3: Suspicious or no ID presented by a student who is trying to pick up a student refund check.
Response: Do not release the refund check until the student's identity has been established through acceptable means.
Red Flag 4: A student calls and asks what the credit card number is that will be refunded (if they withdraw, for example).
Response: Do not give credit card numbers out over the phone.
Red Flag 5: Student calls and requests that a refund check be sent to an alternate address that is not on file.
Response: Develop a "secret question" for each student that assists in identifying the student.
Red Flag 6: Requests from a third party by telephone for information about a student account.
Response: Must have authorization on file (or be part of an agreement on a third party voucher).

Covered Account: Financial Aid Accounts
Responsible Staff: Financial Aid Advisors
Red Flag 1: Department of Education selects the student's FAFSA for verification.
Response: Collect supplemental information from the student and resolve any conflict between the FAFSA and the supplemental information provided by the student.
Red Flag 2: Student submits multiple FAFSAs containing conflicting information.
Response: Contact the student to resolve the conflict and verify the information.
Red Flag 3: Requests from a third party by telephone for information about a student account.
Response: Must have authorization on file (or be part of an agreement on a third party voucher).

Covered Account: Email Accounts
Responsible Staff: Information Security Specialists
Red Flag: Notification from a student that email has been accessed without authorization.
Response: Freeze account; secure account; issue new account if necessary.

Covered Account: Datatel Account
Responsible Staff: Information Security Specialists
Red Flag: Multiple failed login attempts.
Response: Freeze account and/or reset password.

Covered Account: Foundation Loans
Responsible Staff: Financial Aid Advisors
Red Flag: Inaccurate information on request.
Response: Deny loan request until verified with the student.

Covered Account: Accounts Receivable
Responsible Staff: Director of Business Affairs
Red Flag: Requests from a third party by telephone for information about a student account.
Response: Must have authorization on file (or be part of an agreement on a third party voucher).
Applicable Legislation and Regulations
Related References, Policies, Procedures, Forms and Appendices