3-950A
AIMS COMMUNITY COLLEGE PROCEDURE
IDENTITY THEFT PREVENTION - RED FLAG PROCEDURE

HISTORY

In response to the growing threat of identity theft, the United States Congress passed the Fair and Accurate Credit Transactions Act of 2003 (FACTA), Public Law 108-159. This amendment to the Fair Credit Reporting Act charged the Federal Trade Commission with promulgating rules regarding identity theft. On November 7, 2007, the Federal Trade Commission promulgated the final rules, known as Red Flag rules, which had an effective date of November 1, 2008 (16 CFR 681). These rules, implementing sections 114 and 315 of FACTA, require the enactment of certain policies and procedures by the revised effective date of May 1st 2009.

The rules apply to financial institutions and creditors with covered accounts. A covered account is an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as Aims Community College student accounts.

Every affected college must develop and implement a written Identity Theft Prevention Program that is designed to detect, prevent and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The program must be appropriate to the size and complexity of the college and the nature and scope of its activities. The program must incorporate the definition and charges the college with monitoring any such account for which there is a reasonably foreseeable risk of identity theft.

BACKGROUND

Aims Community College ("the College") developed this Identity Theft Prevention Program ("Program") pursuant to the Federal Trade Commission's ("FTC") Red Flag Rule, which implements Section 114 of the Fair and Accurate Credit Transactions Act of 2003. This Program was developed with oversight and approval of the Aims Junior College District Board of Trustees. After consideration of the size and complexity of the College's operations and account systems, and the nature and scope of the College's activities, the Program was deemed appropriate for the College.

DEFINITIONS

Identity Theft is a fraud committed or attempted using the identifying information of another person without authority.

Red Flag is a pattern, practice, or specific activity that indicates the possible existence of Identity Theft.

Covered Account includes all student accounts or loans that are administered by the College. Covered Accounts also include any account that involves or is designed to permit multiple payments or transactions.

Program Administration is the individual designated with primary responsibility for oversight of the program. See Section VI below.

Sensitive Identifying Information is any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including: name, address, email address, telephone number, social security number, date of birth, government issued driver's license or identification number, alien registration number, government passport number, employer or taxpayer identification number, student identification number, student bank routing and account number, central computer account name and password. (See Schedule A for additional Sensitive Identifying Information.)

RED FLAG PROGRAM REQUIREMENTS

Under the Red Flags Rule, the College is required to establish an Identity Theft Prevention Program tailored to its size, complexity and the nature of its operation. Each program must contain reasonable policies and procedures to:

1. Identify relevant Red Flags for new and existing covered accounts and incorporate those Red Flags into the Program;
2. Detect Red Flags that have been incorporated into the Program;
3. Respond appropriately to any Red Flags that are detected to prevent and mitigate Identity Theft; and
4. Ensure the Program is updated periodically to reflect changes in risks to Covered accounts / individuals or to the safety and soundness of the individual from Identity Theft.

IDENTIFICATION OF RED FLAGS

In order to identify relevant Red Flags, the College considered the types of accounts that it offers and maintains, methods it provides to open its accounts, methods it provides to access its accounts, and its previous experience with Identity Theft.

A. The Program identifies the following Red Flags:

1. To ensure protection to its users, the College will treat any changes in the Sensitive Identifying Information on central IT systems of record as a Red Flag;
2. Documents provided for identification appear to have been altered or forged;
3. The photograph or physical description on the identification is not consistent with the appearance of the student presenting the identification;
4. A request made from an email account that is neither College-issued nor on file;
5. A request to mail something to an address not listed on file; and
6. Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts.

B. The Program considers the following risk factors in identifying relevant Red Flags for covered accounts:

1. The methods provided to open covered accounts. Acceptance to the College and enrollment in classes typically require the following information:
   a) Common application with personally identifying information
   b) Academic transcripts
   c) Official test scores, e.g., ACT, SAT
   d) Immunization history
   e) Background Checks/Drug Screening (required for some programs)
2. The method provided to access covered accounts:
   a) Disbursements obtained in person require picture identification.
   b) Disbursements obtained by mail can only be mailed to an address on file.
3. The College's previous history of identity theft.
4. Any unusual or suspicious activity related to a Covered Account.

DETECTING RED FLAGS

A. Student Enrollment

In order to detect any of the Red Flags identified above associated with the enrollment of a student, College personnel will take the following steps to obtain and verify the identity of the person opening the account:

1. Require certain identifying information such as name, date of birth, academic records, home address or other identification; and
2. Verify the student's identity at time of issuance of student identification card (review of driver's license or other government issued photo identification).

B. Existing Accounts

In order to detect any of the Red Flags identified above for an existing Covered Account, College personnel will take the following steps to monitor transactions on an account:

1. Verify the identification of students if they request information (in person, via telephone, via facsimile, via email);
2. Verify the validity of requests to change billing addresses by mail or email and provide the student a reasonable means of promptly reporting incorrect billing address changes; and
3. Verify changes in banking information given for billing and payment purposes.

C. Consumer Credit and Background Reports

In order to detect any of the Red Flags identified for an employment or volunteer position for which a credit or background report is sought, College personnel will take the following steps to assist in identifying address discrepancies:

1. Require written verification from any applicant that the address provided by the applicant is accurate at the time the request for the credit report is made to the consumer reporting agency; and
2. In the event that notice of an address discrepancy is received, verify that the credit report pertains to the applicant for whom the requested report was made and report to the consumer reporting agency an address for the applicant that the College has reasonably confirmed is accurate.

PREVENTING AND MITIGATING IDENTITY THEFT

In the event College personnel detect any identified Red Flags, such personnel shall take one or more of the following steps, depending on the degree of risk posed by the Red Flag:

1. Continue to monitor a Covered Account for evidence of Identity Theft;
2. Deny access to the Covered Account until other information is available to eliminate the Red Flag;
3. Contact the student or applicant (using on file information);
4. Change any password or other security devices that permit access to Covered Accounts;
5. Not open a new Covered Account;
6. Notify the Program Administrator for determination of the appropriate step(s) to take;
7. Notify law enforcement;
8. File or assist in filing a Suspicious Activity Report; or
9. Determine that no response is warranted under the particular circumstances.

If a potentially fraudulent activity is detected, an employee must gather all related documentation, write a description of the situation, and present this information to the Program Administrator or a member of the Identity Theft Committee to assess what additional steps will be needed.

PROTECTING STUDENT IDENTIFYING INFORMATION

In order to further prevent the likelihood of Identity Theft occurring with respect to Covered Accounts, the College will take the following steps with respect to its internal operating procedures to protect student identifying information:

1. Ensure that its website is secure or provide clear notice that the website is not secure;
2. Ensure complete and secure destruction of paper documents and computer files containing student account information when a decision has been made to no longer maintain such information;
3. Ensure that office computers with access to Covered Account information are password protected;
4. Avoid use of social security numbers, except when necessary, and only by authorized individuals;
5. Ensure computer virus protection is up to date; and
6. Require and keep only the kinds of student information that are necessary for College purposes.
7. File cabinets, desk drawers, overhead cabinets, and any other storage space containing documents with sensitive information will be locked when unsupervised and / or secured behind a closed locked door at the end of the work day.
8. When documents containing sensitive information are discarded they will be placed inside a locked shred bin or immediately shredded.
9. Any additional common sense steps deemed necessary by each department to protect against Identity Theft (for example, privacy computer screens, etc.).
10. The College shall inquire that the activity of service providers to Covered Accounts is conducted with reasonable policies and procedures designed to detect, prevent and mitigate the risk of Identity Theft.
11. Employees must refrain from removing from campus documents or material that contain identifying information specific to an individual student or employee. If it becomes a business necessity to remove such information from campus, the device holding the information must be encrypted. Employees are discouraged from removing paper files from campus.

PROGRAM ADMINISTRATION

A. Oversight

Responsibility for developing, implementing and updating this Program lies with an Identity Theft Committee ("Committee") for the College. The Committee is headed by the Program Administrator who may be the College President or his or her appointee. Additional members of the committee will be appointed as necessary from departments within the College who deal with Covered Accounts or Sensitive Identifying Information within their departments. The Program Administrator will be responsible for ensuring appropriate training of College staff on the Program, for reviewing any staff reports regarding the detection of Red Flags and the steps for preventing and mitigating Identity Theft, determining which steps of prevention and mitigation should be taken in particular circumstances and considering periodic changes to the Program.

PROGRAM UPDATES

The Committee will periodically review and update this Program to reflect changes in risks to students and the soundness of the College from Identity Theft.

SCHEDULE A
LIST OF SENSITIVE INFORMATION (STORED OR ELECTRONIC)

Credit Card Information:
1. Credit card number
2. Credit card expiration date
3. Cardholder name
4. Cardholder address

Tax Identification number:
1. Social Security number
2. Business identification number
3. Employer identification number

Payroll information:
1. Paychecks
2. Pay stubs

Medical Information for any employee or customer:
1. Doctor names and claims
2. Insurance claims
3. Prescription information
4. Any related personal medical information

Other personal information belonging to any employee, student, contractor or customer:
1. Date of birth
2. Address
3. Phone numbers
4. Maiden name
5. Names
6. Customer number

APPROVED:
Dr. Marsi Liddell
Aims Community College President
Date: April 13, 2009
Revised: May 17, 2010