Identity Theft Prevention Policy

Purpose of the Policy

To establish an Identity Theft Prevention Program (Program) designed to detect, prevent and mitigate identity theft in connection with the opening of a covered account or an existing covered account, and to provide continued administration of the Program in compliance with the Fair and Accurate Credit Transactions Act of 2003. This Program enables Robert Morris University (RMU) to protect existing consumers, reduce risk from identity fraud, and minimize potential damage to RMU from fraudulent new accounts. The Program will help RMU:

1. Identify risks that signify potentially fraudulent activity within new or existing covered accounts
2. Detect risks when they occur in covered accounts
3. Respond to risks to determine if fraudulent activity has occurred, and act if fraud has been attempted or committed
4. Update the Program periodically, including reviewing the accounts that are covered and the identified risks that are part of the Program

Scope of the Policy

This Program applies to employees, contractors, consultants, temporary workers, and service providers, including all personnel affiliated with third parties.

Definitions

Identity Theft means fraud committed or attempted using the identifying information of another person without authority.

A covered account means:
1. An account that a financial institution or creditor offers or maintains, primarily for personal, family or household purposes, that involves or is designed to permit multiple payments or transactions.
2. Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers, or to the safety and soundness of the financial institution or creditor, from identity theft, including financial, operational, compliance, reputation or litigation risks.

A red flag means a pattern, practice or specific activity that indicates the possible existence of identity theft.

Personally Identifiable Information includes the following items, whether stored in electronic or printed format:

Consumers:
A. Social Security Number
B. Government-issued identification number
C. Maiden Name
D. Account Number

Credit Card information:
A. Credit card number (in whole or in part)
B. Credit card expiration date
C. Cardholder name
D. Cardholder address

Identification of Relevant Red Flags

The Program shall include relevant red flags from the following categories:

Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, including:
A. A fraud or active duty alert
B. A notice of credit freeze from a consumer reporting agency in response to a request for a consumer's report
C. A notice of address discrepancy from a consumer reporting agency

The presentation of suspicious documents, such as:
A. Documents provided for identification that appear to have been altered or forged
B. The photograph or physical description on the identification is not consistent with the appearance of the customer presenting the identification
C. Other information on the identification is not consistent with information provided by the person
D. Opening a new covered account or customer presenting the identification
E. An application that appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled

The presentation of suspicious personal identifying information, including:
A. Personal identifying information provided is inconsistent when compared against external information sources used by RMU.
B. Personally identifiable information provided is associated with known fraudulent activity, as indicated by internal or third-party sources used by RMU.
C. The Social Security number provided is the same as that submitted by other persons opening an account or by other customers.
D. The customer or the person opening the covered account fails to provide all required personal identifying information on an application, or in response to notification that the application is incomplete.

The unusual use of, or other suspicious activity related to, a covered account, such as:
A. Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer's covered account.
B. RMU is notified that the customer is not receiving paper account statements.
C. RMU receives notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by RMU.
D. RMU is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.
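The red-flag categories above read as a rule set that an account-intake process can evaluate mechanically. The following is an added illustration, not part of the RMU policy and not RMU's own tooling: it screens a constructed batch of account applications against several of the listed flags (bureau alerts, address discrepancy, altered identification, duplicate Social Security number, incomplete application, returned mail with continuing activity, and third-party notices). The record layout, field names, the sample data and the returned-mail threshold are all assumptions made for the example.

```python
"""Red-flag screening over constructed account-application records.

Added example, not part of the RMU policy: turns several of the policy's
listed red flags into checks an intake process could run before an account is
opened. Every record, field name and threshold below is constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Application:
    app_id: str
    ssn: str                                  # constructed values, not real SSNs
    stated_address: str
    bureau_address: Optional[str] = None      # address per consumer reporting agency
    bureau_alerts: Tuple[str, ...] = ()       # e.g. "fraud_alert", "credit_freeze"
    id_doc_altered: bool = False              # reviewer judged the ID altered/forged
    photo_mismatch: bool = False              # photo does not match the presenter
    missing_required_fields: Tuple[str, ...] = ()
    returned_mail_count: int = 0              # statements returned as undeliverable
    transactions_since_return: int = 0        # activity after the first return
    notices: Tuple[str, ...] = ()             # e.g. "law_enforcement", "customer"


RETURNED_MAIL_THRESHOLD = 2   # assumed meaning of "returned repeatedly"


def normalize_address(addr: str) -> str:
    """Uppercase, drop punctuation and collapse whitespace so trivial
    formatting differences are not reported as an address discrepancy."""
    cleaned = "".join(ch for ch in addr.upper() if ch.isalnum() or ch.isspace())
    return " ".join(cleaned.split())


def screen(apps: List[Application]) -> Dict[str, List[str]]:
    """Return {app_id: [red-flag labels]}; an empty list means no flag raised."""
    ssn_counts = Counter(a.ssn for a in apps)   # batch-wide duplicate SSN check
    findings: Dict[str, List[str]] = {}
    for a in apps:
        flags: List[str] = []
        # Category 1: alerts and notices from consumer reporting agencies
        flags.extend(f"bureau_alert:{alert}" for alert in a.bureau_alerts)
        if (a.bureau_address is not None
                and normalize_address(a.bureau_address) != normalize_address(a.stated_address)):
            flags.append("address_discrepancy")
        # Category 2: suspicious documents
        if a.id_doc_altered:
            flags.append("altered_identification")
        if a.photo_mismatch:
            flags.append("photo_mismatch")
        # Category 3: suspicious personal identifying information
        if ssn_counts[a.ssn] > 1:
            flags.append("duplicate_ssn")
        if a.missing_required_fields:
            flags.append("incomplete_application:" + ",".join(a.missing_required_fields))
        # Category 4: unusual use of, or suspicious activity on, a covered account
        if a.returned_mail_count >= RETURNED_MAIL_THRESHOLD and a.transactions_since_return > 0:
            flags.append("returned_mail_with_activity")
        flags.extend(f"notice:{n}" for n in a.notices)
        findings[a.app_id] = flags
    return findings


def needs_incident_form(findings: Dict[str, List[str]]) -> List[str]:
    """Applications with at least one flag; under the policy each of these
    would be documented on an incident form and routed for review."""
    return sorted(app_id for app_id, flags in findings.items() if flags)


# Constructed sample batch (no real persons or identifiers).
SAMPLE_APPLICATIONS = [
    Application("A1", "000-11-2222", "12 Oak St.", bureau_address="12 OAK ST"),
    Application("A2", "000-33-4444", "7 Birch Ln", bureau_alerts=("fraud_alert",)),
    Application("A3", "000-33-4444", "9 Elm Ave", bureau_address="44 Pine Rd",
                missing_required_fields=("date_of_birth",)),
    Application("A4", "000-55-6666", "3 Cedar Ct", id_doc_altered=True,
                returned_mail_count=3, transactions_since_return=5,
                notices=("law_enforcement",)),
]

if __name__ == "__main__":
    result = screen(SAMPLE_APPLICATIONS)
    for app_id, flags in result.items():
        print(app_id, flags or "no red flags")
    print("incident forms required for:", needs_incident_form(result))
```

The duplicate-SSN check is deliberately batch-wide rather than per record, because that flag only has meaning relative to other applications; in a production intake system the comparison would be against the existing account base as well. Address normalization is kept minimal on purpose so that a genuine discrepancy (a different street) is still reported while a punctuation difference is not.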

The Program shall consider the following risk factors in identifying relevant red flags for covered accounts, as appropriate:
A. The types of covered accounts offered or maintained
B. The methods provided to open covered accounts
C. The methods provided to access covered accounts
D. Its previous experience with identity theft

The Program shall incorporate relevant red flags from sources such as:
A. Incidents of identity theft previously experienced
B. Methods of identity theft that reflect changes in risk
C. Applicable supervisory guidance

Detection of Red Flags

The Program shall address the detection of red flags in connection with the opening of covered accounts and existing covered accounts by:
A. Obtaining identifying information about, and verifying the identity of, a person opening a covered account;
B. Authenticating customers, monitoring transactions, and verifying the validity of change of address requests in the case of existing covered accounts.

Responding to Red Flags

Once potentially fraudulent activity is detected, an employee must act quickly, as a rapid and appropriate response can protect customers and RMU from damages and loss. The employee must gather all related documentation and complete the RMU RED FLAG INCIDENT FORM in the staff section of the RMU website. The completed form should be forwarded to the redflags@rmu.edu email account. This account will be reviewed and evaluated by the Director of Information Security and the Director of Student Financial Services. Appropriate responses to the detection of red flags include:
A. Monitor a covered account for evidence of identity theft;
B. Contact the customer;
C. Change any passwords, security codes or other security devices that permit access to a covered account, or deny access to the covered account;
D. Notify law enforcement; or
E. Determine that no response is warranted under the particular circumstances.

Periodic Updates to the Program

A. The Program will be evaluated at the end of each fiscal year to determine whether all aspects of the Program are up to date and applicable in the current business environment. A review and summary of all Incident Forms that have been received, and the action taken, will assist with the evaluation of the Program.
B. Periodic reviews will include an assessment of which accounts are covered by the Program.
C. As part of the review, red flags may be revised, replaced or eliminated. Defining new red flags may also be appropriate.
D. Actions to take in the event that fraudulent activity is discovered may also require revision to reduce damage to RMU and its customers.

Oversight of the Program

Oversight of the Program shall include:
A. The Director of Information Security and the Director of Student Financial Services will be responsible for the Program;
B. An annual review of reports will be prepared to assist with Program modifications;
C. The Vice President of Financial Operations will approve material changes to the Program as necessary to address changing risks of identity theft.

Duties Regarding Address Discrepancies

A. RMU may reasonably confirm that an address is accurate by any of the following means:
i. Verification of the address with the consumer;
ii. Review of RMU's records;
iii. Verification of the address through third-party sources; or
iv. Other reasonable means.
B. If an accurate address is confirmed, RMU shall furnish the consumer's address to the consumer reporting agency from which it received the notice of address discrepancy if:
i. RMU establishes a continuing relationship with the consumer; and
ii. RMU regularly, and in the ordinary course of business, furnishes information to the consumer reporting agency.

Physical Security of Personal Identifying Information

A. All paper documents or files, as well as CDs, floppy disks, zip drives, flash drives, tapes, and backups containing personally identifiable information, will be stored in a locked file cabinet.
B. File cabinets containing personally identifiable information will be stored in an access-controlled room.
C. The employee designated in the department will control keys to the file cabinets and provide access to employees with a legitimate need.
D. Files containing personally identifiable information are kept in locked file cabinets except when an employee is working on the file.
E. Employees will not leave sensitive papers out on their desks when they are away from their workstations.
F. At the end of the day, employees will put files away, log off their computers, and lock their file cabinets and office doors.
G. Access to offsite storage facilities is limited to employees with a legitimate business need.
H. Any electronic sensitive information shipped using outside carriers or contractors will be encrypted, and an inventory of the information being shipped will be kept.
I. Visitors who must enter areas where sensitive files are kept must be escorted by an employee of RMU.

Security of Electronic Records

A. General Network Security
i. Personally identifiable information will not be stored on any computer with an Internet connection unless it is essential for conducting business.
ii. Personally identifiable information that is sent to third parties over public networks must be encrypted.
iii. Personally identifiable information that is stored on the computer network, or on disks or portable storage devices used by employees of RMU, must be encrypted.
iv. Personally identifiable information must be encrypted when stored in electronic format.
v. Any personally identifiable information sent must be encrypted and password protected, and sent only to approved recipients.
vi. Anti-virus and anti-spyware programs will be kept up to date.

B. Password Management
i. Access to personally identifiable information will be controlled using strong passwords that adhere to IT Usage Policies.
ii. Passwords will not be shared or posted near workstations.
iii. Password-activated screen savers will be used to lock employee computers after a period of inactivity.
iv. When installing new software, vendor-supplied default passwords will be immediately changed to a more secure strong password.

C. Laptop Security
i. The use of laptops is restricted to those employees who need them to perform their jobs.
ii. If personally identifying information does not need to be stored on a laptop, it will be deleted with a wiping program that overwrites data on the laptop.
iii. Laptops are to be stored in a secure place.
iv. Laptop users will only have access to personally identifying information on an as-needed basis.
v. Laptops which contain personally identifying information will be encrypted and configured so that users cannot download any software or change the security settings without approval from the company's IT specialists.
vi. Employees are never to leave a laptop visible in a car, at a hotel luggage stand, or packed in checked luggage unless directed to do so by airport security.
vii. If a laptop must be left in a vehicle, it must be locked in the trunk.

D. Firewalls
i. A personal firewall must be used to protect computers while the computer is connected to a network or the Internet.

Staff Training

A. Staff training shall be conducted for all employees, officials and contractors for whom it is reasonably foreseeable that they may come into contact with accounts or personally identifiable information that may constitute a risk to RMU or its customers.
B. The Director of Information Security is responsible for ensuring identity theft awareness for all employees and contractors.
C. To ensure maximum effectiveness, employees may continue to receive additional training as changes to the Program are made.

Security Practices of Contractors and Service Providers

The Program shall exercise appropriate and effective oversight of service provider arrangements.
A. It is the responsibility of RMU to ensure that the activities of all service providers and contractors are conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft.
B. A service provider or contractor that maintains its own Identity Theft Prevention Program, consistent with the guidance of the red flag rules (16 C.F.R. Part 681) and validated by appropriate due diligence, may be considered to be meeting these requirements.
C. Any specific requirements should be specifically addressed in appropriate contract arrangements.
D. Contractors and service providers must notify RMU of any security incidents experienced, even if such incidents may not have led to any actual compromise of RMU's data.

Disposal of Personal Identifying Information

A. When documents containing personal identifying information are discarded, they will be placed inside a locked shred bin or immediately shredded.
B. Locked shred bins are labeled "Confidential paper shredding and recycling".
C. When disposing of old computers and portable storage devices, a disk wiping utility program must be used.
D. Any CD-ROM, DVD-ROM, floppy disk, or flash drive will be disposed of by shredding, punching holes in, or incineration.

Identity Theft Policy, Robert Morris University. Effective May 2009.