WALLA WALLA COMMUNITY COLLEGE

advertisement
WALLA WALLA COMMUNITY COLLEGE
RED FLAG POLICY TO PREVENT IDENTITY THEFT
Purpose
To implement and maintain an identity theft program in accordance with the Federal Trade
Commission (FTC) and Fair and Accurate Credit Transactions Act of 2003 (FACTA).
Objectives
The primary objectives are to identify, detect, and respond appropriately to Red Flags in order to
prevent and mitigate identity theft.
Definitions
A covered account involves multiple payments or transactions, as well as any other account the
College offers or maintains for which there is a foreseeable identity theft risk, most often in payroll,
human resources, accounting, admissions, or financial aid functions.
Identity theft means fraud committed or attempted using the identifying information of another
person without authority.
The information security committee is responsible for overseeing policy implementation and
consists of a representative from each area covering information technology, records, and risk
management.
A red flag is a pattern, practice, or specific activity indicating the possible existence of identity theft.
Procedures
1. Identifying Red Flags: Each department should identify relevant red flags and conduct a risk
assessment. Possible sources used for identifying red flags include:
 Credit reporting agency warnings of fraud, credit freezes, or inconsistent credit activity.
 Suspicious documents, such as forged, altered, or inauthentic identification cards.
 Suspicious personal identifying information, including forged, altered, incomplete, inconsistent,
or inauthentic data, presented on applications, drivers’ licenses, social security number, phone
number, address, or student records.
 Suspicious account activity or unusual use of account, including:
– Change of address followed by a request to change the account holder's name
– Payments stop on an otherwise consistently up-to-date account
– Account used in a way inconsistent with prior use
– Mail sent to the account holder is repeatedly returned as undeliverable
– Notice to the College that a student is not receiving mail sent by the College
– Notice to the College that an account has unauthorized activity
– Breach in the College’s computer system security
– Unauthorized access to or use of student or staff account information
 Notice to the College from a customer, a victim of identity theft, a law enforcement authority or
other person of a person engaged in identity theft.
2. Detecting Red Flags: Possible sources for detecting red flags include:
 Verify the identity of people making transactions by requiring identifying information such as
name, date of birth, residential or business address, principal place of business for an entity,
driver's license or student identification card.
 Independently contact the student or staff member.
 Verify changes requested and their reasonableness.
3. Preventing and Mitigating Identity Theft: Upon detection and degree of risk, staff should take one
or more of the following steps to prevent and mitigate identity theft and notify the identity theft
committee in writing of the suspicious activity.
 Monitor a covered account for evidence of identity theft.
 Contact the student or staff member with the covered account.
 Change passwords or other security codes and devices that permit access to a covered
account.
 Not open a new covered account.
 Close an existing covered account.
 Reopen a covered account with a new number.
 Not attempt to collect payment on a covered account.
 Notify the Program Administrator for determination of the appropriate step(s) to take.
 Notify law enforcement.
 Determine that no response is warranted under the particular circumstances.
4. Protect Student or Staff Identifying Information: In order to further prevent the likelihood of
identity theft, the College shall take the following steps to protect customer identifying information:
 Secure the College website but provide clear notice that the website is not secure.
 Undertake complete and secure destruction of paper documents and computer files containing
student or staff information.
 Make office computers password protected and provide that computer screens lock after a set
period of time.
 Keep offices clear of papers containing customer identifying information.
 Request only the last 4 digits of social security numbers (if any).
 Maintain computer virus protection up to date.
 Require and keep only the kinds of customer information that are necessary for College
purposes.
5. Program Updates: In order to further prevent the likelihood of identity theft, the program
administrator will work with the identity theft committee to review this policy periodically to make
improvements in identity theft detection and prevention.
6. Service Provider Arrangements: Service providers engaged by the College are required to
perform their activities in accordance with reasonable policies and procedures designed to detect,
prevent, and mitigate the risk of identity theft.
The full rules may be found at http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf.
Download