ADMIN 200 - Red Flag Identity Theft Prevention
Purpose
The Code of Federal Regulations, Title 16, Chapter I, Subchapter F (The Fair Credit Reporting Act), Part 681.1, entitled “Duties regarding the detection, prevention, and mitigation of identity theft,” and otherwise known as the Federal Trade Commission’s “Red Flags Rules,” were adopted due to the increased threat of identity theft. The Red Flag Rules require each financial institution and creditor that offers or maintains one or more covered accounts, as defined in 16 CFR 681.1, to develop and provide for the continued administration of a program to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The College of Western Idaho (CWI) is a creditor as defined by 16 CFR 681.1(b)(5) which opens and maintains covered accounts for its customers and is subject to the Red Flag Rules.
Scope
This policy applies to all staff, faculty, students, and all personnel affiliated with third parties providing services to the college relating to covered accounts and/or sensitive information within the custody or control of the college.
Definition
Covered Account – is a consumer account that involves multiple payments or transactions in arrears such as a loan that is billed or payable monthly. This includes accounts where payments are deferred and made by a borrower periodically over time such as with a tuition or fee installment payment plan.
Creditor – is a person or entity that regularly extends, renews, or continues credit and any person or entity that regularly arranges for the extension, renewal, or continuation of credit. Examples of activities that would indicate CWI as a creditor include offering individuals a plan for payment of tuition or fees throughout the semester, rather than requiring full payment at the beginning of the semester.
Personal Information – specific information that represents a legal or personal identity or that could result in public impersonation of identity or identity theft if such information were stolen or compromised. This also includes information used in combination with one or more data elements when either the name or the data elements are not encrypted or redacted. Sensitive personal information includes but may not be limited to the following:
- Legal name (first, last, middle)
- Full date of birth
- Social Security Number
- Driver’s License Number
- Student ID
- Financial account number
- Password
- Home address
- Gender
- Race
- Medical information
- Payroll information
Red Flag – a pattern, practice or specific activity that indicates the existence of identity theft or possible attempted fraud via identity theft on covered accounts.
Security Incident – a collection of related activities or events which provide evidence that personal information could have been acquired by an unauthorized person.
Security Program Manager – The VP of Finance and Administration will serve as the Security Program Manager to administer oversight of the Red Flag Policy.
Policy
In accordance with the provisions outlined in the Federal Trade Commission’s Red Flag Rule, which implements Section 114 of the Fair and Accurate Transactions Act (FACTA) of 2003, the College of Western Idaho shall implement a policy for Identity Theft Prevention. CWI is committed to detecting, preventing, and mitigating identity theft in connection with the opening of a covered account or an existing covered account.
Guidelines
Sensitive Information to be Protected
- Personal Information upon enrollment, hire or contract
  - Social Security Number
  - Date of Birth
  - Address
  - Maiden Name
- Payroll Information
  - Paychecks
  - Paystubs
  - Account Information
  - Documents or electronic files containing payroll information
- Medical Information for employee or student
  - Doctor names and claims
  - Insurance claims
  - Any personal medical information
- Credit Card Information
  - Credit card number (in part or whole)
  - Credit card expiration date
  - Cardholder name
  - Cardholder address
Risk Assessment
- CWI will consider the following risk factors in identifying red flags for covered accounts, if appropriate:
  - The types of covered accounts offered or maintained.
  - The methods provided to open covered accounts.
  - The methods provided to access covered accounts.
  - CWI’s experience with identity theft.
- CWI, on a periodic basis, will incorporate relevant red flags from sources such as:
  - Incidents of identity theft that CWI has experienced or that have been experienced by other colleges and universities.
  - Methods of identity theft known by us or other creditors that reflect changes in identity theft risks; and,
  - Applicable supervisory guidance.
- CWI identifies red flags in the following categories:
  - Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services.
  - The presentation of suspicious documents.
  - The presentation of suspicious personal identifying information, such as a suspicious address change.
  - The unusual use of, or other suspicious activity related to a covered account; and,
  - Notices from customers, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts.
- The following instances are examples of red flags recognized by the college:
  - Notifications or warnings from a consumer reporting agency.
    - A fraud or active-duty alert is included with a consumer report.
    - A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.
    - A consumer reporting agency provides a notice of address discrepancy that informs the user of a substantial difference between the address for the consumer that the user provided to request the consumer report and the address(es) in the agency’s file for the consumer.
    - A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:
      - A recent and significant increase in the volume of inquiries.
      - An unusual number of recently established credit relations.
      - A material change in the use of credit, especially with respect to recently established credit relationships; or,
      - An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.
  - Suspicious Documents.
    - Documents provided for identification appear to have been altered or forged.
    - The photo or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.
    - Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification; and,
    - Other information on the identification is not consistent with readily accessible information that is on file with the college.
  - Suspicious personal identifying information.
    - Personal identifying information provided is inconsistent when compared against external information sources, such as:
      - The address does not match any address in the consumer report; or,
      - The Social Security Number has not been issued or is listed on the Social Security Administration’s Death Master File.
    - Personal identifying information is not consistent with other personal identifying information provided by the customer, such as a lack of correlation between the Social Security Number range and date of birth.
    - Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources utilized by the college, such as:
      - The address on an application is the same address provided on a fraudulent application.
      - The telephone number on an application is the same as the phone number provided on a fraudulent application.
    - Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the college, such as:
      - The address on an application is fictitious, a PO box, or a prison; or,
      - The telephone number is invalid or is associated with a pager or answering device.
    - The Social Security Number provided is the same as that submitted by other persons.
    - The address or phone number provided is the same as that submitted by others.
    - The person who has a covered account fails to provide all required identifying information.
    - Personal identifying information provided is not consistent with personal identifying information that is on file at the college.
  - Unusual use of, or suspicious activity related to the covered account.
    - A new covered account is used in a manner commonly associated with known patterns of fraud, such as the customer failing to make first payment of the payment plan and no subsequent payments.
    - Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer’s account.
    - The college is notified that the customer is not receiving paper account statements.
    - The college is notified of unauthorized charges or transactions in connection with a customer’s covered account.
    - The college is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that the college may have an open account for a person engaged in identity theft.
Protective Actions to be Taken
- File cabinets, desk drawers, storage cabinets and any other space containing documents with sensitive information will be locked or otherwise secured when not in use at the end of each workday or when unattended.
- Writing tablets, note pads, post-its, etc. in common shared work areas will be erased, removed, or shredded when not in use.
- Passwords for the college database will not be shared.
- Keys will not be given to persons other than to those for whom the key request is made.
- Sensitive information to be discarded will be placed in a locked shred bin or immediately shredded using a mechanical crosscut shredding machine.
- A photo ID will be required any time a request is made in person to change information to a covered account.
- A photo ID will be required for picking up any check of any origin, such as payroll, refund, etc., from the Business Office or the Payroll Office.
Detection of Red Flags
CWI shall address the detection of red flags in connection with the opening of covered accounts by:
- Obtaining identifying information about and verifying the identity of newly hired employees, newly enrolled students, etc. Identifying information may include name, date of birth, residential or business address, principal place of business for an entity, Social Security Number, driver’s license or identification issued by the federal government or by a State agency.
- Monitoring transactions through photo ID verification.
- Requiring transactions through photo ID verification.
- Rejecting any application for a service or transaction that appears to have been altered or forged.
- Verifying identity via a consumer reporting agency which will independently contact the newly hired employee, newly enrolled student as appropriate for admission to selected programs, etc.
CWI shall address the detection of red flags in connection with existing covered accounts by:
- Verifying identity if an employee, student or contractor requests information (in person, via telephone, via facsimile, via email).
- Verifying the validity of requests to change mailing addresses.
- Not sharing identity information with anyone, including the employee, student or contractor; instead, requiring them to give the information and verifying it against the information on the account.
- Verifying changes in banking or credit card information given for billing and payment purposes.
Response to Red Flags
CWI shall respond quickly to prevent identity theft. In all cases red flags are to be reported to the VP of Finance and Administration (hereinafter, the Security Program Administrator). Response to red flags may include, but not be limited to:
- Contacting owner of account in question by one of the following:
  - Electronic method (e.g. email, text message, etc.)
  - Written letter via the USPS
  - Phone number on record
- Terminating the transaction
- Changing any passwords, security codes, or other security devices that permit access to a covered account
- Reopening a covered account with a new account number
- Not opening a new covered account
- Closing an existing covered account
- Notifying and cooperating with appropriate law enforcement
- Continuing to monitor an account for evidence of identity theft.
- Determining that no response is warranted under the circumstances.
Security Incident Reporting
An employee who believes that a security incident has occurred shall immediately notify their appropriate supervisor and the Security Program Manager. After normal business hours, notification shall be made to the CWI IT Department Helpdesk by calling (208)562-3444 or emailing support@cwi.edu.
Service Providers Oversight
The college remains responsible for compliance with the red flag rules even in instances where services are outsourced to a third party. The written agreement between CWI and the third-party service provider shall require the third party to have reasonable policies and procedures designed to detect relevant red flags that may arise in the performance of their service activities. The written agreement must also indicate whether the service provider is responsible for notifying CWI of the detection of a red flag or if the service provider is responsible for implementing appropriate steps to prevent or mitigate identity theft.
Program Oversight
The Security Program Manager is responsible for overall program management and administration. The Security Program Manager shall ensure appropriate identity theft training is in place for selected college employees.
The Security Committee shall annually review this policy and recommend revisions when necessary to address changes in risks to students, faculty and staff based upon factors such as:
- Experiences with identity theft.
- Changes in methods of identity theft.
- Changes in methods to detect and prevent identity theft.
- Changes in the types of accounts that the college offers or maintains.
- Changes in organizational structure.