UPPS 05.04.10 - University Identity Theft Prevention Program
UPPS No. 05.04.10
Issue No. 1
Effective Date: 5/29/2018
Next Review Date: 2/01/2023 (E5Y)
Sr. Reviewer: Treasurer
This policy sets forth the Texas State University Identity Theft Prevention Program in compliance with the Red Flags Rule (16 C.F.R. 681), issued by the Federal Trade Commission (FTC) and pursuant to the Fair and Accurate Credit Transactions Act of 2003 (FACTA). The program establishes reasonable policies and procedures to detect, prevent, and mitigate identity theft in connection with a covered account.
President’s Cabinet members endorsed the program with the understanding that specific details of the program are considered confidential information and shared with employees according to their need to know.
Treasurer’s Office and Information Security staff will continue to monitor activities, identifying areas where supplemental policies need to be developed.
Covered Account – a consumer account designated to permit multiple payments or transactions, or any other account for which there is a reasonably foreseeable risk of identity theft.
Identity Theft – fraud committed or attempted using the personal identifying information of another person without authorization.
Personal Identifying Information – any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including but not limited to: name, address, telephone number, social security number, date of birth, government-issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number, student identification number, computer’s internet protocol address, or routing code.
Program Administrator – the individual designated with primary responsibility for oversight of the Identity Theft Prevention Program mandated by the FTC’s Red Flags Rule. As authorized by The Texas State University System, the president has designated the vice president for Finance and Support Services as the program administrator.
Red Flag – a pattern, practice, or specific activity that indicates the possible existence of identity theft.
Texas State is committed to protecting all personal identifying information and preventing identity theft, as required by the Red Flags Rule.
As required by the Red Flags Rule, the program includes the following policy specifics:
identifying relevant red flags for new and existing covered accounts;
detecting red flags that have been incorporated into the program; and
responding appropriately to detected red flags in order to prevent and mitigate identity theft.
The program will be reviewed periodically to reflect environmental, institutional, technological, and legal changes. The president’s approval shall be sufficient to update or make changes to the program.
The Treasurer’s Office will coordinate with all the identified stakeholder departments to complete and remit to the program administrator, on a quarterly basis, a Red Flag Incident Reporting Log. The log will identify all stakeholders and, if an incident was reported, identify the dates, departments, issue, and response, and whether the issue was resolved or is still pending.
AUTHORITY AND RESPONSIBILITY
The vice president for Finance and Support Services is the university’s designated program administrator and will exercise appropriate and effective program oversight. The program administrator shall be empowered to manage and execute all aspects of the program, including the engagement of other institutional departments and personnel as necessary to detect, identify, mitigate, and prevent identity theft.
Periodically, the program administrator shall discuss assessments of the program with the president. The program administrator shall provide an annual report to the president to include incidents involving identity theft, management’s response, and recommended program changes if appropriate.
The program administrator is responsible for ensuring the completion of the following seven steps for compliance:
analyzing the size and complexity of the university covered accounts;
determining the existing policies that control foreseeable risks of identity theft;
developing a list of red flags (risk factors) for the covered accounts and how to detect them;
establishing the procedures that should be followed when a red flag is detected;
training university employees who work with covered accounts;
evaluating the program administration and discussing with the president recommendations to regularly update the program to reflect changes in risk; and
managing outside service providers.
Third-party vendors who process payments for or on behalf of the university must provide written documentation certifying their compliance with the FTC’s Red Flags Rule to the offices which contracted their services.
To assure the program’s effectiveness, specific details of the program’s identification, detection, mitigation, and prevention practices are considered confidential information and shared with employees according to their need to know.
In the event university personnel detect any identified red flags or related suspicious activity, such personnel shall research the issue and if the issue is not instantly remedied, report it immediately to the program administrator. The program administrator will conduct further investigation and initiate the appropriate response actions. If the issue is remedied, it will be reported on a quarterly report issued to the program administrator.
IDENTIFICATION OF RED FLAGS
To identify relevant red flags, the university considers the types of accounts that it offers and maintains, the methods it provides to open and access its covered accounts, and its previous experiences with identity theft. The following items will be considered red flags (risk factors):
notifications and warnings from credit reporting agencies;
the presentation of suspicious documents, such as inconsistent photo identification or personal identifying information;
the presentation of suspicious personal identifying information, including personal information inconsistent with other information on file;
suspicious covered account activity or unusual use of account; and
alerts from persons or entities outside of the university.
EMPLOYEE TRAINING PROCEDURES
Each employee who works with a covered account shall attend training as necessary. Staff who have taken fraud prevention training may not need to be re-trained on the program.
All new staff who work with a covered account must take the training within sixty business days of their position start date.
The Treasurer’s Office will offer program training in conjunction with the Information Security Office (ISO). The training will include review of the relevant policies and procedures on how to manage covered accounts, guidance on how to detect red flags, as well as procedures for responding to red flags.
PROCEDURES FOR DETECTING RED FLAGS
To detect red flags, university personnel will verify:
the identification of customers requesting information about themselves (in person, via telephone, via facsimile, via email);
the validity of requests to change account-related addresses; and
the accuracy of changes in bank account information that might impact billing and payment.
Notification of a red flag will be made to the program administrator immediately after its identification, if not instantly remedied. The program administrator will determine the appropriate response actions, if any, upon detection or report of red flags, in accordance with requirements of the FACT Act of 2003 and other applicable regulations. If the issue is remedied, the instance will be reported on the quarterly report submitted to the program administrator.
The program administrator shall notify the ISO if the red flag suggests the possibility of a breach in information security. Response actions will be taken to mitigate identity theft and may include, but are not limited to:
monitoring a covered account for evidence of identity theft;
contacting the customer;
changing any passwords, security codes, or other security devices that permit access to a covered account;
notifying law enforcement; or
determining that no response is warranted under the particular circumstances.
The program administrator will supply, in an annual report to the president, a summarized log of all reported red flag detections along with the actions taken and whether each issue has been resolved.
PROCEDURES FOR REGULAR PROGRAM REVIEW
The program will be periodically reviewed to reflect changes in identity theft risks, business practices and procedures, and the technological environment.
In reflecting upon possible changes, the program administrator will consider:
the university’s experiences with identity theft;
changes in identity theft methods;
changes in types of accounts the university maintains;
changes in the university’s business arrangements with other entities; and
any changes in legal requirements in the area of identity theft.
After considering these factors, the program administrator will determine whether changes to the program, including the listing of red flags, are warranted.
OUTSIDE SERVICE PROVIDER ARRANGEMENTS
In the event the university engages a service provider to perform an activity in connection with one or more accounts, the service provider is required to provide written documentation certifying their compliance with the FTC Red Flags Rule to the offices which contracted their services.
REVIEWERS OF THIS UPPS
Reviewers of this UPPS include the following:
Position – Review Date
Treasurer – February 1 (E5Y)
Director, Student Business Services – February 1 (E5Y)
Chief Information Security Officer – February 1 (E5Y)
This UPPS has been approved by the following individuals in their official capacities and represents Texas State policy and procedure from the date of this document until superseded.
Treasurer; senior reviewer of this UPPS
Vice President for Finance and Support Services