The Learning College Manual
Identity Theft Prevention Program / Red Flags Rule
In response to the growing threat of identity theft and the North Carolina Identity Theft Protection Act (NCITPA) Isothermal Community College adopted a Social Security Number and Personal Identifying Information policy in May 2008.
In 2003, the United States Congress passed the Fair and Accurate Credit Transactions Act (FACTA). Public Law 108-159. This amendment to the Fair Credit Reporting Act dictated that the Federal Trade Commission (FTC) promulgate rules to address identity theft. The rules promulgated by the FTC (Red Flag rules) requires any financial institution and creditor that holds any type of consumer account or other account for which a potential risk of identity theft exists to create and implement a written Identity Theft Prevention Program in order to tackle identity theft associated with new and existing accounts. This Identity Theft Prevention Program is appropriate to the size and complexity of the college and the nature and scope of the college’s activities.
The college adopts this Identity Theft Prevention Program to enact reasonable policies and procedures to protect students, employees, and other persons with which the college is affiliated from damages associated with the compromise of sensitive personal information.
- Creditor – Any organization, including community colleges, which regularly:
- extends, renews, or continues credit;
- arranges for someone else to extend, renew, or continue credit; or
- is the assignee of a creditor involved in the decision to extend, renew, or continue credit.
- Credit - Deferral of payment of a debt incurred for the purchase of goods services, including educational services.
- Covered account – An account with a creditor used by individuals, families, or households which involves multiple payments to that creditor. Examples include emergency loan accounts, scholarships which could involve repayment if the terms of the scholarship are not met, and deferred payment accounts approved by a colleges’ trustees.
- Financial institution – Typically a bank, credit union, or other entity that holds for an individual an account from which the owner can make payments, and transfers.
- Identifying information – Information which alone, or in combination with other information, can be used to identify a specific individual. Identifying information includes, identification card number, employer or taxpayer identification number, biometric data, unique electronic identification numbers, address or routing code, or certain electronic account identifiers associated with telephonic communications.
- Identity theft – A fraud attempted or committed using identifying information of another person without proper authority.
- Red Flag – A pattern, practice, or specific activity which indicates the possibility of identify theft.
- Sensitive information – Personal information belonging to any student, employee, or other person with whom the college is affiliated.
- Service provider – Person providing a service directly to the financial institution or creditor.
Activities in which the college is often involved that require compliance with the Red Flag Rules and/or
protection of identifying information include, but not limited to:
- Utilization of deferred payment plans as authorized by 23 N.C.A.C. 02D.0201;
- Provision of emergency loans to students;
- Issuance of any scholarship which requires the recipient to sign a promissory note;\
- Maintaining an account for students from which the student can authorize payments for goods and services like tuition, fees, books and supplies using FA Link;
- Using debit/credit card accounts;
- Persons attempting to access academic or financial information;
Identification of Relevant Red Flags/Identity Threats
The College must identify which red flags/identity threats that are relevant to the institution considering the size of the college and the complexity of duties and activities. The red flags/identity threats categories and related examples are based on the types of accounts the college offers and maintains, the methods used to create accounts, methods of accessing information, and previous experiences the college has had with identity theft. Additionally, the college will incorporate the red flags/identity threats deemed relevant from incidents the college has experienced or other local colleges have experienced, methods of identity theft that the college has identified that reflect changes in identity theft risks, and guidance from senior administrators.
Red Flag/Identity Threats Category
|Examples of Red Flags/Identity Threats|
|Alerts, notifications, or other warnings received from the Attorney General’s Office, consumer reporting agencies, service providers such as fraud detection services, or other entities used to collect data||
A consumer reporting agency issues a fraud or active duty alert.
|A consumer reporting agency provides a notice of address discrepancy.|
A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:
|The presentation of suspicious documents||
Documents provided for identification appear to have been altered or forged.
The photograph/physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.
Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification.
Other information on the identification is not consistent with readily accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check.
|An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.|
|The unusual use of, or other suspicious activity related to, a covered account||
Any student account is used in a manner commonly associated with known patterns of fraud. For example: The customer fails to make the first payment or makes an initial payment but no subsequent payments.
A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example:
|A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors.|
Mail sent to the student, sponsor, employee, WNCW member, vendor or other persons with which the college is affiliated is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer's covered account.
The college is notified that the customer is not receiving paper account statements.
The college is notified of unauthorized charges or transactions in connection with a customer's covered account.
A customer initiates multiple address changes over a short period of time.
A customer is attempting to access information about a deceased student.
The college is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.
|Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the college||
A student, borrower, law enforcement personnel or service provider notifies the college of unusual activity related to a covered account. This includes discrepancies in the social security number to a student’s name (provided typically by the NC Department of Revenue from debt set-off); address is not a valid address (provided typically by the NC Attorney General’s Office), having a discrepancy of data between college and responsible party.
|A student or customer does not know personal information that they should know, i.e. social security number, date of birth, student identification number.|
|Requests for access to information||A person attempts to access student information without proper identification.|
|Students returning to school after a
long period of time
|A student wishes to register for courses and/or apply for financial aid when that student’s account has been inactive for a prolonged period of time without going through readmission process.|
|Access to Information||Open access to information due to multiple locations, multiple records, multiple account managers, and multiple off-campus instructors or other representatives who collect demographic information.|
|Contracts with multiple agencies to help in collection of accounts such as collection agencies and government agencies that assist with collections are provided with sensitive data.|
|Breach of security with computer system and/or E-mail system.|
|Breach of security with computer system and/or E-mail system.|
|Registration Process||Registering the incorrect student when multiple students are on the college database with the same name.|
|Use of inactive account by someone other than the student to obtain financial aid and/or student benefits.|
|Payment Process||Phone-in payments may have the risk of compromising banking information.|
|Credit card information stored with the daily deposits,|
|Accepting students’ and other customers’ checks that have financial and demographic information on them.|
Detecting Red Flag/Identity Threats
- The College collects, uses and/or discloses identifying information as permitted by the applicable laws and institutional policies and only in furtherance of legitimate college business.
- Procedures should be in place to verify a person’s identity when processing any activity to their account, including but not limited to registration activity, financial aid processing, bookstore transactions, and account payments/inquiries.
- Receipt of notifications from service providers of red flag criteria (i.e., discrepancies in social security number to name, address differences, etc.) should be disseminated to proper personnel.
- Receipt of notification of suspicious activity by student, law enforcement, or borrower should be disseminated to proper personnel.
- Receipt of notification from the Department of Education, through various agencies, to the Financial Aid Office, is verified and reconciled with the information provided by the student.
- Security officer and/or equipment coordinator reporting that laptops and/or computer equipment with sensitive data have been lost or stolen need to be addressed by proper personnel.
- The College should audit changes to sensitive information (i.e., record name changes, social security number changes, etc.).
- The College should perform routine diagnostics on firewalls and the security of electronic data portals
- Security scans should be done at regular intervals to detect any possible breaches.
- The College must caution employees to be aware of their surroundings when talking with students or discussing a student with another College employee.
Preventing and Mitigating Identity Theft
- Student Accounts (Admissions and Financial Aid)
- Documentation will be required to verify student identity prior to processing the student for admission and/or processing of financial aid. Any discrepancies of information should be addressed by College personnel through a verification process assuring the prospective student is indeed who they claim to be.
- Employee Accounts
- Documentation will be required to verify employee identity prior to processing for employment and/or payment. Any discrepancies of information should be addressed by College personnel through a verification process assuring the prospective employee is indeed who they claim to be.
- Forms, Document, and Records
- Any form that requires a personal identifier must label input fields appropriately and avoid the use of social security numbers. Forms which require that SSNs be used under applicable state and federal laws are exempt.
- Identifying information may not be displayed on materials or documents that are widely seen by others, including but not limited to identification cards, badges, time cards, employee rosters, student rosters, bulletin board postings, grade postings, web sites, and other materials.
- Documents that include identifying information must be stored in a secure place. When possible, records containing identifying information, including back-ups, should be protected during storage by encrypting the numbers in electronic records or storing records in other media forms in locked cabinets.
- When possible, printed reports and other documents should not list identifying information; if identifying information need to be included in printed documents, such documents should be accessible only to employees that require the information for the performance of their duties.
- Printed documents that contain identifying information must be disposed of by burning, pulverizing or an approved shredding instrument when the documents are no longer needed or upon the expiration of their retention based on the applicable NCCCS Records, Retention and Disposition Schedule.
- The storage of identifying information on local computers, laptops, portable devices or home/personal computers and/or electronic devices is prohibited unless specifically approved by the Dean/Director.
- Unless encrypted, identifying information may not be sent electronically (by e-mail or otherwise).
- Identifying information may not be printed on any materials that are to be mailed to an individual; the only exception is when state or federal laws require that the social security numbers be included on the document to be mailed.
- Electronically stored information (files and records) that contain identifying information must be permanently deleted when they are no longer needed or upon the expiration of their retention based on the applicable NCCCS Record Retention and Disposition Schedule.
- Third Party
- Employees may not intentionally communicate or otherwise make available to the general public a person’s identifying information. Identifying information are strictly confidential. Students identifying information may not be disclosed except as permitted by FERPA. Express written permission from the student is required for disclosure of this information to a third party.
- Disclosures of identifying information to College vendors, contractors or other external entities must be in accordance with college policy and/or state and federal laws.
- In case of a court order, warrant, or subpoena for identifying information, the employee should immediately contact the Vice President of Administrative Services.
- Third party agencies should make available to the College a listing of their policies and procedures for handling of accounts and the protection of sensitive data and promptly notify the College of any possible breaches. This includes, but not limited, to agencies contracted by the College for handling of student reports/information, agencies contracted by the College for collection of accounts, the College’s credit card merchant provider(s) and agencies who handle employee information for the College and/or employee’s benefit. The College should also evaluate periodically methods of transferring sensitive data to third parties.
- Verifications of returning students and/or employees
- If a student/employee is returning to class and/or the College workforce, processes should be in place to verify their identity prior to registering and/or processing payments to the returning person.
- Verification of those with covered accounts
- The College should ask for identification when processing any activity to a covered account (student, employee) including but not limited to registration activity, financial aid processing, bookstore transactions, and account payment/inquiries.
- FERPA (Family Educational Rights and Privacy Act)
- College personnel will be trained regarding FERPA compliancy and the dissemination of sensitive data.
- Payment Card Data Security Standard Compliance
- The College should remain PCI Compliant.
- Training of Staff
- The Dean/Director is responsible for training employees under his/her supervision regarding the collection, use, disclosure, security and disposal of identifying information.
- All employees with access to sensitive data should be trained and/or informed of risks and liabilities associated with data loss and/or theft and the responsibility that lie with each employee to keep sensitive data secure.
- Dean/Director Responsibilities
- The Dean/Director is responsible for overseeing compliance within their department related to the collection, use, disclosure, security and disposal of identifying information.
- The Dean/Director will conduct a semi-annual review in March and September to identify relevant patterns, practices, and specific forms of activity that signal possible red flags/identity theft. Reviews with the actions taken should be forwarded to the Vice President of Administrative Services.
- The Dean/Director is responsible for ensuring the collection, use, storage and/or disposal of identifying information in accordance with the state and federal laws.
- The Dean/Director must limit access to records containing identifying information to employees that require the use of identifying information for the performance of their duties.
Responding to Detection of Red Flags/Identity Threats
- Ask for validation and/or supplemental documentation/identification when a student’s identity is in question.
- Verify original student documents when a discrepancy is reported regarding social security number discrepancies to name and other issues regarding aged accounts.
- Check credit card receipts when possible fraudulent charges are reported from a customer’s bank statement.
- Deny access to information or disable an account pending further investigation and resolution of suspicious activity.
- Follow up on reported thefts which possibly involve the compromise of sensitive data.
- Notify victims and proper authorities of possible identity theft.
- Use all available media to disseminate information concerning an improper disclosure of sensitive information. The records of current students, former students, and employees should be considered when dissemination of the information concerns a breach.
- It is the responsibility of any employee who believes that identifying information has been compromised to notify the Vice President of Administrative Services immediately. Following notification the Vice President of Administrative Services will begin the notification process as required by law.
- Any inappropriate collection, use, disclosure and/or handling of indentifying information by an employee my result in disciplinary action.
Update of Identity Theft Program
The College will evaluate and update as necessary the Identity Theft Prevention Program on an annual basis or as deemed appropriate by senior administration or other factors such as current issues, advances in technology, or other related policies.
- Program Oversight
- The College designates the Vice President of Administrative Services to be responsible for the oversight, development, implementation, and administration of the Identity Theft Prevention Program.
- Staff Training
- The College will ensure adequate staff training considering the needs of our faculty and staff, multiple records, and various locations through professional development, staff meetings, or other methods as established by Deans/Directors.
- Oversight of Service Providers
- The College will consistently review the operating procedures of any service provider that will work with sensitive information from student and/or employees.
Adopted: May 29, 2008
Amended: May 1, 2009
Policy No: 306-02-10BP