Identity Theft Prevention Policy

Purpose of the Policy

To establish an Identity Theft Prevention Program (Program) designed to detect, prevent and mitigate identity theft in connection with the opening of a covered account or an existing covered account, and to provide continued administration of the Program in compliance with the Fair and Accurate Credit Transactions Act of 2003. This Program enables Robert Morris University (RMU) to protect existing consumers, reduce risk from identity fraud, and minimize potential damage to RMU from fraudulent new accounts. The Program will help RMU:

1. Identify risks that signify potentially fraudulent activity within new or existing covered accounts.
2. Detect risks when they occur in covered accounts.
3. Respond to risks to determine if fraudulent activity has occurred and act if fraud has been attempted or committed.
4. Update the Program periodically, including reviewing the accounts that are covered and the identified risks that are part of the Program.

Scope of the Policy

This Program applies to employees, contractors, consultants, temporary workers, and service providers, including all personnel affiliated with third parties.

Definitions

Identity Theft means fraud committed or attempted using the identifying information of another person without authority.

A covered account means:

An account that a financial institution or creditor offers or maintains, primarily for personal, family or household purposes, that involves or is designed to permit multiple payments or transactions.

Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation or litigation risks.

A red flag means a pattern, practice or specific activity that indicates the possible existence of identity theft.
Personally Identifiable Information includes the following items, whether stored in electronic or printed format:

Consumers:
A. Social Security Number
B. Government-issued identification number
C. Maiden Name
D. Account Number

Credit Card Information:
A. Credit card number (in whole or in part)
B. Credit card expiration date
C. Cardholder name
D. Cardholder address

Identification of Relevant Red Flags

The Program shall include relevant red flags from the following categories:

Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, including:
A. A fraud or active duty alert
B. A notice of credit freeze from a consumer reporting agency in response to a request for a consumer's report
C. A notice of address discrepancy from a consumer reporting agency

The presentation of suspicious documents, such as:
A. Documents provided for identification that appear to have been altered or forged
B. The photograph or physical description on the identification is not consistent with the appearance of the customer presenting the identification
C. Other information on the identification is not consistent with information provided by the person
D. Opening a new covered account or customer presenting the identification
E. An application that appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled

The presentation of suspicious personal identifying information, including:
A. Personal identifying information provided is inconsistent when compared against external information sources used by RMU.
B. Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by RMU.
C. The Social Security number provided is the same as that submitted by other persons opening an account or other customers.
D. The customer or the person opening the covered account fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.

The unusual use of, or other suspicious activity related to, a covered account, such as:
A. Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer's covered account.
B. RMU is notified that the customer is not receiving paper account statements.
C. RMU receives notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by RMU.
D. RMU is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.
The Program shall consider the following risk factors in identifying relevant red flags for covered accounts, as appropriate:
A. The types of covered accounts offered or maintained
B. The methods provided to open covered accounts
C. The methods provided to access covered accounts
D. Its previous experience with identity theft

The Program shall incorporate relevant red flags from sources such as:
A. Incidents of identity theft previously experienced
B. Methods of identity theft that reflect changes in risk
C. Applicable supervisory guidance

Detection of Red Flags

The Program shall address the detection of red flags in connection with the opening of covered accounts and existing covered accounts by:
A. Obtaining identifying information about, and verifying the identity of, a person opening a covered account;
B. Authenticating customers, monitoring transactions, and verifying the validity of change of address requests in the case of existing covered accounts.

Responding to Red Flags

Once potentially fraudulent activity is detected, an employee must act quickly, as a rapid and appropriate response can protect customers and RMU from damages and loss. The employee must gather all related documentation and complete the RMU RED FLAG INCIDENT FORM in the staff section of the RMU website. The completed form should be forwarded to the redflags@rmu.edu email account. This account will be reviewed and evaluated by the Director of Information Security and the Director of Student Financial Services.

Appropriate responses to the detection of red flags include:
A. Monitor a covered account for evidence of identity theft;
B. Contact the customer;
C. Change any passwords, security codes or other security devices that permit access to a covered account, or deny access to the covered account;
D. Notify law enforcement; or
E. Determine that no response is warranted under the particular circumstances.

Periodic Updates to the Program

A. The Program will be evaluated at the end of each fiscal year to determine whether all aspects of the Program are up to date and applicable in the current business environment. A review and summary of all Incident Forms that have been received and the actions taken will assist with the evaluation of the Program.
B. Periodic reviews will include an assessment of which accounts are covered by the Program.
C. As part of the review, red flags may be revised, replaced or eliminated. Defining new red flags may also be appropriate.
D. Actions to take in the event that fraudulent activity is discovered may also require revision to reduce damage to RMU and its customers.
Oversight of the Program

Oversight of the Program shall include:
A. The Director of Information Security and the Director of Student Financial Services will be responsible for the Program;
B. An annual review of reports will be prepared to assist with Program modifications;
C. The Vice President of Financial Operations will approve material changes to the Program as necessary to address changing risks of identity theft.

Duties Regarding Address Discrepancies

A. RMU may reasonably confirm that an address is accurate by any of the following means:
i. Verification of the address with the consumer;
ii. Review of RMU's records;
iii. Verification of the address through third-party sources; or
iv. Other reasonable means.
B. If an accurate address is confirmed, RMU shall furnish the consumer's address to the consumer reporting agency from which it received the notice of address discrepancy if:
i. RMU establishes a continuing relationship with the consumer; and
ii. RMU regularly, and in the ordinary course of business, furnishes information to the consumer reporting agency.

Physical Security of Personal Identifying Information Is Protected

A. All paper documents or files, as well as CDs, floppy disks, zip drives, flash drives, tapes, and backups containing personally identifiable information will be stored in a locked file cabinet.
B. File cabinets containing personally identifiable information will be stored in an access-controlled room.
C. The employee designated in the department will control keys to the file cabinets and provide access to employees with a legitimate need.
D. Files containing personally identifiable information are kept in locked file cabinets except when an employee is working on the file.
E. Employees will not leave sensitive papers out on their desks when they are away from their workstations.
F. At the end of the day, employees will put files away, log off their computers, and lock their file cabinets and office doors.
G. Access to offsite storage facilities is limited to employees with a legitimate business need.
H. Any electronic sensitive information shipped using outside carriers or contractors will be encrypted, and an inventory of the information being shipped will be kept.
I. Visitors who must enter areas where sensitive files are kept must be escorted by an employee of RMU.

Security of Electronic Records

A. General Network Security
i. Personally identifiable information will not be stored on any computer with an Internet connection unless it is essential for conducting business.
ii. Personally identifiable information that is sent to third parties over public networks must be encrypted.
iii. Personally identifiable information that is stored on the computer network or on disks or portable storage devices used by employees of RMU must be encrypted.
iv. Personally identifiable information must be encrypted when stored in electronic format.
v. Any personally identifiable information sent must be encrypted and password protected and sent only to approved recipients.
vi. Anti-virus and anti-spyware programs will be kept up to date.

B. Password Management
i. Access to personally identifiable information will be controlled using strong passwords that adhere to IT Usage Policies.
ii. Passwords will not be shared or posted near workstations.
iii. Password-activated screen savers will be used to lock employee computers after a period of inactivity.
iv. When installing new software, vendor-supplied default passwords will be immediately changed to a more secure strong password.

C. Laptop Security
i. The use of laptops is restricted to those employees who need them to perform their jobs.
ii. If personally identifying information does not need to be stored on a laptop, it will be deleted with a wiping program that overwrites data on the laptop.
iii. Laptops are to be stored in a secure place.
iv. Laptop users will only have access to personally identifying information on an as-needed basis.
v. Laptops which contain personally identifying information will be encrypted and configured so that users cannot download any software or change the security settings without approval from the company's IT specialists.
vi. Employees are never to leave a laptop visible in a car, at a hotel luggage stand, or packed in checked luggage unless directed to do so by airport security.
vii. If a laptop must be left in a vehicle, it must be locked in the trunk.

D. Firewalls
i. A personal firewall must be used to protect computers while the computer is connected to a network or the Internet.

Staff Training

A. Staff training shall be conducted for all employees, officials and contractors for whom it is reasonably foreseeable that they may come into contact with accounts or personally identifiable information that may constitute a risk to RMU or its customers.
B. The Director of Information Security is responsible for ensuring identity theft awareness for all employees and contractors.
C. To ensure maximum effectiveness, employees may continue to receive additional training as changes to the Program are made.
Security Practices of Contractors and Service Providers

The Program shall exercise appropriate and effective oversight of service provider arrangements.
A. It is the responsibility of RMU to ensure that the activities of all service providers and contractors are conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft.
B. A service provider or contractor that maintains its own Identity Theft Prevention Program, consistent with the guidance of the Red Flag Rules (16 C.F.R. Part 681) and validated by appropriate due diligence, may be considered to be meeting these requirements.
C. Any specific requirements should be specifically addressed in appropriate contract arrangements.
D. Contractors and service providers must notify RMU of any security incidents experienced, even if such incidents may not have led to any actual compromise of RMU's data.

Disposal of Personal Identifying Information

A. When documents containing personal identifying information are discarded, they will be placed inside a locked shred bin or immediately shredded.
B. Locked shred bins are labeled "Confidential paper shredding and recycling."
C. When disposing of old computers and portable storage devices, a disc wiping utility program must be used.
D. Any CD-ROM, DVD-ROM, floppy disk, or flash drive will be disposed of by shredding, punching holes in, or incineration.

Identity Theft Policy, Robert Morris University, Effective May 2009