Red Flags/Identity Theft Prevention Policy: 200.3

Purpose

Employees and students depend on Morehouse College (Morehouse) to properly protect their personal non-public information, which is gathered and stored in internal records. Regulatory agencies are charged with the responsibility to ensure that the information security controls and procedures of educational institutions are in compliance with the intent of regulations designed to protect the identity of employees and students. Therefore, it is important for employees to understand the basic security requirements and provide ongoing assistance in the prevention, detection, and mitigation of identity theft affecting Morehouse's students, parents of students, employees and applicants.

Applicability

This policy applies to all Faculty and Staff members.

Source

The College policy.

Definitions

Identity Theft: A fraud committed or attempted using the identifying information of another person without authority.

Red Flag: A pattern, practice, or specific activity that indicates the possible existence of identity theft.

Covered Account: All student loans and/or other accounts that are administered by Morehouse under which multiple payments are made on behalf of a student or parent of a student. Applicant and employee background and credit checks are also considered to be covered accounts.

Identifying Information: Any name or number that may be used alone, or in conjunction with other information, to identify a specific person, including name, address, telephone number, social security number, date of birth, government-issued driver's license or identification number, alien registration number, government passport number, employer or taxpayer identification
number, student identification number, computer Internet Protocol address, computer access code or secured password.

Program Coordinator: The individual designated with primary responsibility for oversight of the identity theft prevention program.

Data Breach of Security: The unauthorized acquisition of data that compromises the security, confidentiality or integrity of personal information of students, parents or guardians of students, or employees at Morehouse.

Compromise of Systems: An apparent exploit of a vulnerability in system software, hardware or a procedural weakness that may provide unauthorized access to the system environment.

Personal Information: Includes, but is not limited to, individual names, social security numbers, credit or debit card numbers, personal/student identification numbers, driver's license numbers, passport numbers, dates of birth, and health records, when the disclosure of the information in question would reasonably be considered to be harmful or an invasion of privacy.

Policy

I. REQUIREMENTS OF THE RED FLAGS IDENTITY THEFT RULE:

A. Under the Red Flags Rule, Morehouse is required to develop and implement an Identity Theft Prevention Program tailored to its size, complexity, and the nature of its operation. The Program must contain reasonable policies and procedures to:
   1. Identify relevant Red Flags for new and existing covered accounts and incorporate those Red Flags into the Program.
   2. Detect Red Flags that have been incorporated into the Program.
   3. Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft.
   4. Ensure the Program is updated periodically to reflect changes in risk to individuals or to the safety and soundness of protecting the individuals from identity theft.

II. IDENTIFICATION OF RELEVANT RED FLAGS:

A. In order to identify relevant Red Flags, Morehouse considers the types of accounts that it offers and maintains, methods it provides to
open accounts, methods it provides to access its accounts, and its previous experiences with Identity Theft. Morehouse identifies the following relevant Red Flags in each of the listed categories:

   1. Notifications and Warnings from Credit Reporting Agencies
      1. Report of fraud accompanying a credit report.
      2. Notice or report from a credit agency of a credit freeze on an applicant or employee.
      3. Notice or report from a credit agency of an active duty alert for an applicant.
      4. Receipt of a notice of address discrepancy in response to a credit report request.
      5. Indication from a credit report of activity that is inconsistent with an applicant's usual pattern of activity.

   2. Suspicious Documents
      1. Identification document or card that appears to be forged, altered, or gives the appearance of having been destroyed and reassembled.
      2. Identification document or card on which a person's photograph or physical description is not consistent with the person presenting the document.
      3. Identification document or other identifying document that is inconsistent with existing identifying information.
      4. Applications that appear to have been forged or altered.
      5. Identifying information that is inconsistent with previous information provided.
      6. Photo or physical description on an identification document or card that is inconsistent with the appearance of the individual presenting the identification.
      7. Other documents containing information that is inconsistent with existing identifying information.

   3. Suspicious Personal Identifying Information
      1. Identifying information presented that is inconsistent with other information provided (example: inconsistent birth dates).
      2. Identifying information presented that is inconsistent with other sources of information (an address that does not match an existing address).
      3. Identifying information presented that is the same as information shown on other applications that were found to be fraudulent.
      4. Identifying information presented that is consistent with fraudulent activity (such as an invalid phone number or fictitious billing address).
      5. Social security number presented that is the same as one given by another person.
      6. Social security number presented that is identified as being used by more than one individual.
      7. An address or phone number presented that is the same as that of another student, applicant or employee.
      8. An individual fails to provide complete personal identifying information on an application when reminded to do so.
      9. A person's identifying information is not consistent with the information that is on file for that person.

   4. Suspicious Covered Account Activity or Unusual Use of Account
      1. Change of address for an account followed by a request to change the person's name.
      2. Payments stop on an otherwise consistently up-to-date account.
      3. Account used in a way that is not consistent with prior use.
      4. Mail sent to the individual is repeatedly returned as undeliverable.
      5. Notice to Morehouse that a person is not receiving mail sent to them by the college.
      6. Notice to Morehouse that an account has unauthorized activity.
      7. Breach in Morehouse's computer system security.
      8. Unauthorized access to or use of student account and/or employee information.
      9. Notice to Morehouse from an individual, identity theft victim, law enforcement official, or other person that they have opened or are maintaining a fraudulent account for a person engaged in identity theft.
      10. Morehouse's computer system is compromised.
III. DETECTING RED FLAGS:

A. Enrollment
   1. To detect any of the Red Flags identified above associated with the enrollment of an individual, Morehouse personnel will take the following steps to obtain and verify the identity of the person opening the account:
      1. Require certain identifying information such as name, date of birth, academic records, home address, or other identification.
      2. Verify the person's identity at the time of issuance of an identification card (review of driver's license or other government-issued photo identification).

B. Existing Accounts
   1. To detect any of the Red Flags identified above for an existing covered account, Morehouse personnel will take the following steps to monitor transactions on an account:
      1. Verify the identification of the individual if they request information (in person, via telephone, via facsimile, via email).
      2. Verify the validity of requests to change billing addresses by mail or email and provide the individual a reasonable means of promptly responding to incorrect billing address changes.
      3. Verify changes in banking information given for billing, payment and direct deposit purposes.

C. Credit Report Requests
   1. To detect any of the Red Flags identified above for an employment position for which a credit or background check report is sought, Human Resources will take the following steps to identify address discrepancies:
      1. Require written verification from an applicant or employee that the address provided by them is accurate at the time the request for the credit report or background check is made to the reporting agency.
      2. In the event that notice of an address discrepancy is received, verify that the credit report pertains to the applicant or employee for whom the requested report was made, and report to the credit agency an address for
the applicant or employee that Morehouse has reasonably confirmed is correct.

IV. PREVENTING AND MITIGATING IDENTITY THEFT:

A. In the event that Morehouse personnel detect any identified Red Flags, personnel will take one or more of the following steps, depending on the degree of risk posed by the Red Flag:
   1. Prevent and Mitigate
      1. Continue to monitor a covered account for evidence of identity theft.
      2. Obtain additional verification from the student, parent of student, applicant or employee.
      3. Determine from the student or parent of a student the reasons payments have stopped on an account or that mail has been returned.
      4. Obtain additional verification from a student or parent of a student of a reported address change.
      5. Obtain information from the student or applicant as to why the social security number provided has multiple users, is associated with different names, or is associated with known fraud activity.
      6. Contact the individual for whom a credit report was run.
      7. Change any passwords or other security devices that permit access to covered accounts.
      8. Do not open a new covered account.
      9. Provide a new identification or account number.
      10. Notify the Program Administrator for determination of the appropriate step(s) to take.
      11. Notify law enforcement.
      12. File or assist in filing a Suspicious Activities Report.
      13. Determine that no response is warranted under the particular circumstances.
      14. Complete due diligence documentation that details the steps that were taken.

B. Protect Identifying Information
   1. In order to further reduce the likelihood of identity theft occurring with respect to covered accounts, Morehouse will take the following steps with respect to its internal operating procedures to protect identifying information:
      1. Ensure that its Web site is secure or provide clear notice that the Web site is not secure.
      2. Maintain all information on students and employees in a secure fashion in accordance with industry best practices.
      3. Subject to state record retention requirements, ensure complete and secure destruction of personal paper documents and computer files of information on students and employees containing account and personal information when there is no longer a legal or business purpose for the retention of the information and in conformity with all applicable records retention policies.
      4. Ensure that office computers with access to covered account information are password protected.
      5. Avoid the use of social security numbers.
      6. Ensure that computer virus protection is up to date.
      7. Require and keep only the kinds of individual information that are necessary for college purposes.
      8. Restrict access to personal information on or about students and employees to only those persons needed to maintain systems, maintain data, meet legal requirements, or perform valid business functions.
      9. Ensure that file cabinets, desk drawers, overhead cabinets, and any other storage space containing documents with sensitive information are locked when not in use.
      10. Ensure that storage rooms containing documents with sensitive information and record retention areas are locked at the end of each workday or when unsupervised.
      11. Clear desks and workstations, work areas, common shared work areas, printers and fax machines of all documents containing sensitive information when not in use.
      12. Erase, remove, or shred whiteboards and writing tablets or dry-erase boards, etc., in common shared work areas when not in use.
      13. Use an approved cross-cut shredding device before discarding documents which contain sensitive information.
      14. Ensure that all sensitive information transmitted or electronically stored is encrypted.
      15. Encrypt and protect, by password, all sensitive information sent externally and send it to approved recipients only. When sensitive information is sent via e-mail, include this statement: "This message may contain confidential and/or proprietary information and is intended for the person to whom it was originally addressed. Any use by others is strictly prohibited."

V. Morehouse or its employees SHALL NOT:

   Publicly post or display, or intentionally communicate or otherwise make available to the general public, any personal information of and about students or employees.

   Require an individual to send personal information over the computer network unless it meets a valid business purpose and a secure network transmission is used.

   Transfer data containing personal information to another business unit, private entity or public entity over the network unless it meets a valid business purpose and a secure network transmission is used.

   Mail personal information on a post card or any other mailer not requiring an envelope. Mailed personal information must not be printed on the envelope or visible within unopened envelopes.

   Require an individual to use his or her social security number to access an internet website or other network resource, unless a password or unique personal identification or other authentication device is also required to access the site or resource.

   Display a social security number as entered to access an internet website or other network resource.

   Print an individual's social security number on any materials that are mailed to the individual unless required by law, or as a part of an application or enrollment process, or to establish, amend, or terminate an account, contract, or policy, or to confirm the accuracy of the social security number.

   Print an individual's social security number on any card required by the individual to access products or services provided by the college.
VI. PERIODIC UPDATES TO THE PLAN:

A. The Program Administrator will periodically review and update the Program to reflect changes in risks to individuals and the Program's soundness, and to determine whether all aspects of the Program are up-to-date and applicable in the current business environment. Periodic reviews will include an assessment of accounts covered by the Program. As part of the review, Red Flags may be revised, replaced or eliminated. Actions to take in the event that fraudulent activity is discovered may also require revision to reduce damage to the college, its students and employees.

VII. STAFF TRAINING AND REPORTS:

A. Morehouse staff responsible for implementing the Program will be trained in the detection of and responses to Red Flags. In addition, such training will be conducted on an annual basis in all elements of this policy and in the detection of Red Flags, including the responsive steps to be taken when a Red Flag is detected. To ensure maximum effectiveness, employees will continue to receive additional training as changes to the Program are made. Employees are expected to notify the Program Administrator once they become aware of an incident of identity theft or of the college's failure to comply with this Program. At least annually, or as otherwise requested, the Program Administrator will report to Senior Management and the Audit Committee of the Board of Trustees on compliance with this Program. The report should address such issues as the effectiveness of the policies and procedures in addressing the risk of identity theft in connection with the opening and maintenance of covered accounts, service provider arrangements, significant incidents involving identity theft, management responses, and recommendations for changes to the Program.

VIII. OVERSIGHT OF SERVICE PROVIDER AGREEMENTS:

A.
Morehouse will take steps to ensure that all service providers perform their activities in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. The policies and procedures will be designed to detect, prevent, and mitigate the risk of identity theft whenever Morehouse engages a service provider to perform an activity in connection with one or more covered accounts. Morehouse will maintain on file certifications from all service providers and/or third party administrators that they are Red Flags compliant.
   Require, by contract, that service providers have such policies and procedures in place.

   Require, by contract, that service providers review our Program and report any Red Flags to the Program Administrator or the employee who has primary oversight of the service provider relationship.

Morehouse currently has Service Provider agreements with the following agencies:
   1. Student Refund Management: Higher One, Inc.
   2. Tuition Payment Plans: Sallie Mae Tuition Pay Plan, Higher Education Services
   3. Billing Agency for the Perkins Loan: Campus Partners

IX. RELATED DOCUMENTS:

Federal Trade Commission's Red Flag Rule, 16 C.F.R. 681.
Section 114 of the Fair and Accurate Credit Transactions Act, 15 U.S.C. 1681m(e).

Revision History

Last revision completed on 2/16/2011.