Red Flags/Identity Theft Prevention Policy: Purpose


Policy 200.3

Purpose

Employees and students depend on Morehouse College ("Morehouse") to properly protect their personal non-public information, which is gathered and stored in internal records. Regulatory agencies are charged with ensuring that the information security controls and procedures of educational institutions comply with the intent of regulations designed to protect the identity of employees and students. It is therefore important for employees to understand the basic security requirements and to provide ongoing assistance in the prevention, detection, and mitigation of identity theft affecting Morehouse's students, parents of students, employees and applicants.

Applicability

This policy applies to all Faculty and Staff members.

Source

The College policy.

Definitions

Identity Theft: A fraud committed or attempted using the identifying information of another person without authority.

Red Flag: A pattern, practice, or specific activity that indicates the possible existence of identity theft.

Covered Account: All student loans and/or other accounts that are administered by Morehouse under which multiple payments are made on behalf of a student or parent of a student. Applicant and employee background and credit checks are also considered to be covered accounts.

Identifying Information: Any name or number that may be used alone, or in conjunction with other information, to identify a specific person, including name, address, telephone number, social security number, date of birth, government-issued driver's license or identification number, alien registration number, government passport number, employer or taxpayer identification number, student identification number, computer Internet Protocol (IP) address, computer access code or secured password.

Program Administrator (also referred to as the Program Coordinator): The individual designated with primary responsibility for oversight of the identity theft prevention program.

Data Breach of Security: The unauthorized acquisition of data that compromises the security, confidentiality or integrity of personal information of students, parents or guardians of students, or employees at Morehouse.

Compromise of Systems: An apparent exploit of a vulnerability in system software or hardware, or of a procedural weakness, that may provide unauthorized access to the system environment.

Personal Information: Includes, but is not limited to, individual names, social security numbers, credit or debit card numbers, personal/student identification numbers, driver's license numbers, passport numbers, dates of birth, and health records, when the disclosure of the information in question would reasonably be considered to be harmful or an invasion of privacy.

Policy

I. REQUIREMENTS OF THE RED FLAGS IDENTITY THEFT RULE

A. Under the Red Flags Rule, Morehouse is required to develop and implement an Identity Theft Prevention Program tailored to its size, complexity, and the nature of its operations. The Program must contain reasonable policies and procedures to:
   1. Identify relevant Red Flags for new and existing covered accounts and incorporate those Red Flags into the Program.
   2. Detect Red Flags that have been incorporated into the Program.
   3. Respond appropriately to any Red Flags that are detected, in order to prevent and mitigate identity theft.
   4. Ensure the Program is updated periodically to reflect changes in risks to individuals, or to the safety and soundness of the College, from identity theft.

II. IDENTIFICATION OF RELEVANT RED FLAGS

A. In order to identify relevant Red Flags, Morehouse considers the types of accounts that it offers and maintains, the methods it provides to open accounts, the methods it provides to access its accounts, and its previous experience with Identity Theft. Morehouse identifies the following relevant Red Flags in each of the listed categories:

1. Notifications and Warnings from Credit Reporting Agencies
   1. Report of fraud accompanying a credit report.
   2. Notice or report from a credit agency of a credit freeze on an applicant or employee.
   3. Notice or report from a credit agency of an active duty alert for an applicant.
   4. Receipt of a notice of address discrepancy in response to a credit report request.
   5. Indication from a credit report of activity that is inconsistent with an applicant's usual pattern of activity.

2. Suspicious Documents
   1. Identification document or card that appears to be forged, altered, or gives the appearance of having been destroyed and reassembled.
   2. Identification document or card on which a person's photograph or physical description is not consistent with the person presenting the document.
   3. Identification document or other identifying document that is inconsistent with existing identifying information.
   4. Applications that appear to have been forged or altered.
   5. Identifying information that is inconsistent with information previously provided.
   6. Photo or physical description on an identification document or card that is inconsistent with the appearance of the individual presenting it.
   7. Other documents containing information that is inconsistent with existing identifying information.

3. Suspicious Personal Identifying Information
   1. Identifying information presented that is inconsistent with other information provided (for example, inconsistent birth dates).
   2. Identifying information presented that is inconsistent with other sources of information (for example, an address that does not match an existing address).
   3. Identifying information presented that is the same as information shown on other applications that were found to be fraudulent.
   4. Identifying information presented that is consistent with fraudulent activity (such as an invalid phone number or a fictitious billing address).
   5. Social security number presented that is the same as one given by another person.
   6. Social security number presented that is identified as being used by more than one individual.
   7. An address or phone number presented that is the same as that of another student, applicant or employee.
   8. An individual fails to provide complete personal identifying information on an application when reminded to do so.
   9. A person's identifying information is not consistent with the information that is on file for that person.

4. Suspicious Covered Account Activity or Unusual Use of Account
   1. Change of address for an account followed by a request to change the person's name.
   2. Payments stop on an otherwise consistently up-to-date account.
   3. Account used in a way that is not consistent with prior use.
   4. Mail sent to the individual is repeatedly returned as undeliverable.
   5. Notice to Morehouse that a person is not receiving mail sent to them by the College.
   6. Notice to Morehouse that an account has unauthorized activity.
   7. Breach in Morehouse's computer system security.
   8. Unauthorized access to or use of student account and/or employee information.
   9. Notice to Morehouse from an individual, identity theft victim, law enforcement official, or other person that Morehouse has opened or is maintaining a fraudulent account for a person engaged in identity theft.
   10. Morehouse's computer system is compromised.
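Several of the Section II.A.3 Red Flags can be checked mechanically at the point an application is received: an incomplete application, an invalid phone number, identifying information that matches an application already found to be fraudulent, a social security number, address or phone number already on file for a different person, and a birth date, SSN or address that disagrees with the record on file for the same person. The screening routine below is an added example written for this page; it is not part of the Morehouse policy or of any Morehouse system. The record layout, the matching of an application to the record on file by normalized name, and every sample record are constructed for illustration. It also adds a structural SSN check taken from the FTC's Appendix A supplement to the Rule (an SSN that has never been issued), which the policy's own list does not state.

```python
"""Added example: automated screening against the Section II.A.3 red flags.

All records below are constructed for illustration; nothing here is Morehouse data."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Applicant:
    """One set of identifying information (see Definitions: Identifying Information)."""
    name: str
    ssn: str
    dob: str       # ISO 8601 date, e.g. "2001-04-09"
    address: str
    phone: str


def _digits(s: str) -> str:
    return re.sub(r"\D", "", s)


def _norm(s: str) -> str:
    return " ".join(s.lower().split())


def ssn_is_invalid(ssn: str) -> bool:
    """Structural SSN check (FTC Appendix A: 'the SSN has not been issued').
    SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    d = _digits(ssn)
    if len(d) != 9:
        return True
    area, group, serial = d[:3], d[3:5], d[5:]
    return area in ("000", "666") or area[0] == "9" or group == "00" or serial == "0000"


def phone_is_invalid(phone: str) -> bool:
    """NANP structural check (II.A.3.4 'invalid phone number'): 10 digits, area code
    and exchange start with 2-9, and 555-01XX is reserved for fictitious numbers."""
    d = _digits(phone)
    if len(d) != 10 or d[0] in "01" or d[3] in "01":
        return True
    return d[3:6] == "555" and d[6:8] == "01"


def screen_application(app, on_file, known_fraud):
    """Return a list of (policy reference, detail) red flags for a new application.

    Assumption: an application is matched to the record on file by normalized name;
    a production system would key on the student or employee ID instead."""
    flags = []
    fields = ("name", "ssn", "dob", "address", "phone")
    missing = [f for f in fields if not getattr(app, f).strip()]
    if missing:                                       # II.A.3.8 incomplete information
        flags.append(("II.A.3.8", "incomplete identifying information: " + ", ".join(missing)))
    if app.phone.strip() and phone_is_invalid(app.phone):
        flags.append(("II.A.3.4", f"invalid phone number {app.phone!r}"))
    if app.ssn.strip() and ssn_is_invalid(app.ssn):
        flags.append(("II.A.3.4", f"SSN {app.ssn!r} has never been issued"))
    ssn, addr, phone = _digits(app.ssn), _norm(app.address), _digits(app.phone)
    for fr in known_fraud:                            # II.A.3.3 matches a fraudulent application
        if ssn and ssn == _digits(fr.ssn):
            flags.append(("II.A.3.3", f"SSN matches fraudulent application filed as {fr.name!r}"))
        if addr and addr == _norm(fr.address):
            flags.append(("II.A.3.3", f"address matches fraudulent application filed as {fr.name!r}"))
    for rec in on_file:
        if _norm(rec.name) == _norm(app.name):        # II.A.3.1/2/9 inconsistent with record on file
            if rec.dob != app.dob:
                flags.append(("II.A.3.1", f"date of birth {app.dob} differs from {rec.dob} on file"))
            if _digits(rec.ssn) != ssn:
                flags.append(("II.A.3.9", "SSN differs from the SSN on file"))
            if _norm(rec.address) != addr:
                flags.append(("II.A.3.2", "address does not match the address on file"))
        else:                                         # II.A.3.5/6/7 shared with another person
            if ssn and _digits(rec.ssn) == ssn:
                flags.append(("II.A.3.5", f"SSN already on file for {rec.name!r}"))
            if addr and _norm(rec.address) == addr:
                flags.append(("II.A.3.7", f"address already on file for {rec.name!r}"))
            if phone and _digits(rec.phone) == phone:
                flags.append(("II.A.3.7", f"phone number already on file for {rec.name!r}"))
    return flags


# Constructed sample records (not real people, numbers or addresses).
ON_FILE = [
    Applicant("Ada Lovelace", "123-45-6789", "1998-12-10", "100 Example St, Atlanta, GA 30310", "404-212-0001"),
    Applicant("Grace Hopper", "321-54-9876", "1999-06-01", "1 Campus Way, Atlanta, GA 30314", "404-212-0002"),
]
KNOWN_FRAUD = [
    Applicant("Jane Doe", "111-22-3333", "1990-01-01", "99 Nowhere Rd, Atlanta, GA 30300", "000-000-0000"),
]

# Two constructed applications: one consistent with the record on file except for the
# birth date, and one that reuses another person's SSN and a known-fraud address with a
# fictitious 555-01XX phone number.
SAMPLE_APPLICATIONS = [
    Applicant("Ada Lovelace", "123-45-6789", "1998-12-11", "100 Example St, Atlanta, GA 30310", "404-212-0001"),
    Applicant("Alan Turing", "321-54-9876", "2000-03-03", "99 Nowhere Rd, Atlanta, GA 30300", "404-555-0199"),
]

if __name__ == "__main__":
    for app in SAMPLE_APPLICATIONS:
        print(app.name)
        for ref, detail in screen_application(app, ON_FILE, KNOWN_FRAUD):
            print(f"  [{ref}] {detail}")
```

A hit from this routine is only a Red Flag in the Section II sense: it triggers the Section III and IV steps (additional verification from the individual, notification of the Program Administrator), not an automatic denial, and the first sample shows why, since a one-day birth-date discrepancy is as likely to be a typing error as an impostor.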

III. DETECTING RED FLAGS

A. Enrollment
   1. To detect any of the Red Flags identified above associated with the enrollment of an individual, Morehouse personnel will take the following steps to confirm and verify the identity of the person opening the account:
      1. Require certain identifying information such as name, date of birth, academic records, home address, or other identification.
      2. Verify the person's identity at the time of issuance of an identification card (review of driver's license or other government-issued photo identification).

B. Existing Accounts
   1. To detect any of the Red Flags identified above for an existing covered account, Morehouse personnel will take the following steps to monitor transactions on an account:
      1. Verify the identity of the individual if they request information (in person, via telephone, via facsimile, via email).
      2. Verify the validity of requests to change billing addresses made by mail or email, and provide the individual a reasonable means of promptly reporting incorrect billing address changes.
      3. Verify changes in banking information given for billing, payment and direct deposit purposes.

C. Credit Report Requests
   1. To detect any of the Red Flags identified above for an employment position for which a credit or background check report is sought, Human Resources will take the following steps to identify address discrepancies:
      1. Require written verification from an applicant or employee that the address provided by them is accurate at the time the request for the credit report or background check is made to the reporting agency.
      2. In the event that a notice of an address discrepancy is received, verify that the credit report pertains to the applicant or employee for whom the report was requested, and report to the credit agency an address for the applicant or employee that Morehouse has reasonably confirmed is correct.

IV. PREVENTING AND MITIGATING IDENTITY THEFT

A. In the event that Morehouse personnel detect any identified Red Flags, personnel will take one or more of the following steps, depending on the degree of risk posed by the Red Flag:
   1. Prevent and Mitigate
      1. Continue to monitor a covered account for evidence of identity theft.
      2. Obtain additional verification from the student, parent of student, applicant or employee.
      3. Determine from the student or parent of a student the reasons payments have stopped on an account or that mail has been returned.
      4. Obtain additional verification from a student or parent of a student of a reported address change.
      5. Obtain information from the student or applicant as to why the social security number provided has multiple users, is associated with different names, or is associated with known fraudulent activity.
      6. Contact the individual for whom a credit report was run.
      7. Change any passwords or other security devices that permit access to covered accounts.
      8. Do not open a new covered account.
      9. Provide a new identification or account number.
      10. Notify the Program Administrator for determination of the appropriate step(s) to take.
      11. Notify law enforcement.
      12. File or assist in filing a Suspicious Activity Report.
      13. Determine that no response is warranted under the particular circumstances.
      14. Complete due diligence documentation detailing the steps that were taken.

B. Protect Identifying Information
   1. In order to further reduce the likelihood of identity theft occurring with respect to covered accounts, Morehouse will take the following steps with respect to its internal operating procedures to protect identifying information:
      1. Ensure that its web site is secure, or provide clear notice that the web site is not secure.
      2. Maintain all information on students and employees in a secure fashion in accordance with industry best practices.
      3. Subject to state record retention requirements, ensure complete and secure destruction of paper documents and computer files containing account and personal information on students and employees when there is no longer a legal or business purpose for retaining the information, in conformity with all applicable records retention policies.
      4. Ensure that office computers with access to covered account information are password protected.
      5. Avoid the use of social security numbers.
      6. Ensure that computer virus protection is up to date.
      7. Require and keep only the kinds of individual information that are necessary for College purposes.
      8. Restrict access to personal information on or about students and employees to only those persons who need it to maintain systems, maintain data, meet legal requirements, or perform valid business functions.
      9. Ensure that file cabinets, desk drawers, overhead cabinets, and any other storage space containing documents with sensitive information are locked when not in use.
      10. Ensure that storage rooms containing documents with sensitive information and record retention areas are locked at the end of each workday or when unsupervised.
      11. Clear desks, workstations, work areas, common shared work areas, printers and fax machines of all documents containing sensitive information when not in use.
      12. Erase whiteboards, dry-erase boards and writing tablets in common shared work areas when not in use.
      13. Use an approved cross-cut shredder before discarding documents which contain sensitive information.
      14. Ensure that all sensitive information transmitted or electronically stored is encrypted.
      15. Encrypt and password-protect all sensitive information sent externally, and send it to approved recipients only. When sensitive information is sent via e-mail, include this statement: "This message may contain confidential and/or proprietary information and is intended for the person to whom it was originally addressed. Any use by others is strictly prohibited."

V. Morehouse or its employees SHALL NOT:
   1. Publicly post or display, or intentionally communicate or otherwise make available to the general public, any personal information of or about students or employees.
   2. Require an individual to send personal information over the computer network unless it meets a valid business purpose and a secure network transmission is used.
   3. Transfer data containing personal information to another business unit, private entity or public entity over the network unless it meets a valid business purpose and a secure network transmission is used.
   4. Mail personal information on a post card or any other mailer not requiring an envelope. Mailed personal information must not be printed on the envelope or visible within unopened envelopes.
   5. Require an individual to use his or her social security number to access an internet web site or other network resource, unless a password or unique personal identification number or other authentication device is also required to access the site or resource.
   6. Display a social security number as entered to access an internet web site or other network resource.
   7. Print an individual's social security number on any materials that are mailed to the individual unless required by law, or as a part of an application or enrollment process, or to establish, amend, or terminate an account, contract, or policy, or to confirm the accuracy of the social security number.
   8. Print an individual's social security number on any card required by the individual to access products or services provided by the College.

VI. PERIODIC UPDATES TO THE PLAN

A. The Program Administrator will periodically review and update the Program to reflect changes in risks to individuals and to the safety and soundness of the College, and to determine whether all aspects of the Program are up to date and applicable in the current business environment. Periodic reviews will include an assessment of the accounts covered by the Program. As part of the review, Red Flags may be revised, replaced or eliminated. Actions to take in the event that fraudulent activity is discovered may also require revision to reduce damage to the College, its students and employees.

VII. STAFF TRAINING AND REPORTS

A. Morehouse staff responsible for implementing the Program will be trained in the detection of and responses to Red Flags. Such training will be conducted annually on all elements of this policy, including the detection of Red Flags and the responsive steps to be taken when a Red Flag is detected. To ensure maximum effectiveness, employees will continue to receive additional training as changes to the Program are made. Employees are expected to notify the Program Administrator once they become aware of an incident of identity theft or of the College's failure to comply with this Program.

At least annually, or as otherwise requested, the Program Administrator will report to Senior Management and the Audit Committee of the Board of Trustees on compliance with this Program. The report should address such issues as the effectiveness of the policies and procedures in addressing the risk of identity theft in connection with the opening and maintenance of covered accounts, service provider arrangements, significant incidents involving identity theft and management responses, and recommendations for changes to the Program.

VIII. OVERSIGHT OF SERVICE PROVIDER AGREEMENTS

A. Whenever Morehouse engages a service provider to perform an activity in connection with one or more covered accounts, Morehouse will take steps to ensure that the service provider performs its activities in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. Morehouse will maintain on file certifications from all service providers and/or third-party administrators that they are Red Flags compliant. Morehouse will:
   1. Require, by contract, that service providers have such policies and procedures in place.
   2. Require, by contract, that service providers review our Program and report any Red Flags to the Program Administrator or to the employee who has primary oversight of the service provider relationship.

Morehouse currently has Service Provider agreements with the following agencies:
   1. Student Refund Management: Higher One, Inc.
   2. Tuition Payment Plans: Sallie Mae Tuition Pay Plan, Higher Education Services
   3. Billing Agency for the Perkins Loan: Campus Partners

IX. RELATED DOCUMENTS

Federal Trade Commission's Red Flags Rule, 16 C.F.R. Part 681.
Section 114 of the Fair and Accurate Credit Transactions Act, 15 U.S.C. 1681m(e).

Revision History

Last revision completed on 2/16/2011.