Identity Theft

Nine million (9,000,000) Americans have their identities stolen each year. Thieves drain their accounts, damage their credit and even endanger their medical treatment.

Red Flags Rule

Enforced by the Federal Trade Commission (FTC), the federal bank regulatory agencies, and the National Credit Union Administration.

Requires organizations to implement a written Identity Theft Prevention Program:
- Designed to detect warning signs – or “red flags” – of identity theft in their day-to-day operations
- Take steps to prevent the crime, and mitigate the damage it inflicts
- Be better equipped to spot suspicious patterns when they arise and take steps to prevent a red flag from escalating into identity theft

Who Must Comply with the Red Flags Rule

STC Must Comply – Covered Accounts:
- Student Installment Accounts
- Student Emergency Loans
- Student JagCard

All functions connected to our students are subject to the Red Flags Rule:
- Registration
- Employment
- Payments
- Financial Aid
- Scholarships and Awards
- Etc.

Red Flags Rule Overview

1. Identify relevant red flags.
2. Detect red flags.
3. Prevent and mitigate identity theft and respond accordingly.
4. Update the program.

Program Sections

Section 1: Program Background and Purpose
Section 2: Definitions
Section 3: Scope
Section 4: Guidelines
Section 5: Identify Relevant Red Flags
Section 6: Detect Red Flags
Section 7: Prevent, Mitigate and Appropriately Respond to Identity Theft
Section 8: Periodic Updates to Plan
Section 9: Program Administration

Section 1 Program Background and Purpose

October 13, 2008 - Board of Trustees approved Board Policy # 5470, Identity Theft Policy, and approved the initial guidelines.

1. The initial guidelines have since been updated to ensure they are closely aligned to the FTC’s requirements and the College’s operations.
2. Each department is responsible for developing procedures within its operation and ensuring their implementation and compliance.
3. These guidelines include some best practices to follow.

Guidelines:
- Define sensitive information
- Describe security measures
- In compliance with laws

Risk to:
- Employees
- Students
- Contractors/Vendors

Section 2 Definitions

Identity Theft: Fraud committed or attempted using the identifying information of another person without authority.

Red Flag: A pattern, practice, or specific activity that indicates the possible existence of identity theft.

Identifying Information: Any name or number that may be used, alone or in conjunction with other information, to identify a specific person.

Identifying Information includes:
- Name
- Address
- Telephone number
- Computer’s internet address
- Routing code
- Social Security Number
- Government passport number
- Employer or Taxpayer Identification Number

Section 3 Scope

Guidelines and Protection Program applies to:
- Students
- Employees
- Contractors
- Consultants
- Temporary workers
- Other workers at the college, including all personnel affiliated with third parties

Section 4 Guidelines

Sensitive information should be secured whether stored in electronic or printed format:

1. Faxed information
2. Hardcopy documents
3. Files
4. Desk drawers
5. Desks/workstations
6. Un-discarded documents
7. Computer documents
8. Whiteboard information
9. Dry-erase boards
10. Writing tables information
11. Emails
12. USB (Flash) drives

Section 5 Identify Relevant Red Flags

- Risk factors
- Sources of red flags
- Categories of red flags

1) Alerts, notifications or other warnings received from consumer reporting agencies
- Address discrepancy
- Usual pattern of activity
- Number of recently established credit relationships
- Material change in use of credit
- Accounts closed for cause or abuse of account privileges

2) Suspicious documents
- Altered or forged
- Photograph or physical description on ID is not consistent with appearance of individual
- Other information is not consistent

3) Suspicious personal identifying information
- Information not consistent with externally gathered information
- SSN listed on the Social Security Administration Death Master File
- Lack of correlation between SSN range and date of birth
- Information provided is already on a fraudulent application previously submitted
- Address is fictitious (a prison)
- Phone number is invalid
- SSN, address or phone number provided is the same as that previously submitted by someone else
- Information is not consistent with that on file with the College
- Unable to answer security questions (beyond what is found in a person’s wallet)

Section 6 Detect Red Flags

Each organizational unit will develop and implement specific methods and protocols to meet the requirement of this Program.
- Require current government-issued ID cards, such as driver’s license or passport
- Compare data
- Ask challenge questions (don’t use information available in wallet)
- Authenticate students
- Monitor transactions
- Verify the validity of change of address requests
- Use passwords
- Use PIN numbers
- Encrypt data

Section 7 Prevent, Mitigate and Appropriately Respond to Identity Theft

- Contact the student
- Monitor an account for evidence
- Change passwords
- Do not open a new account until further information is received
- Notify law enforcement
- Write a description of the fraudulent activity and report it
- Cancel the transaction if fraudulent
- Determine the extent of liability
- Notify the actual customer that the fraud has been attempted

Section 8 Periodic Updates to Plan

- Re-evaluate program at periodic intervals
- Assessment of accounts covered in the program
- Revise red flags for updates, deletions, replacements
- Revise actions to be taken in the event that fraudulent activity is discovered

Section 9 Program Administration

- Involvement of management
  - Warrants the highest level of attention
  - Written program and operation are the responsibility of the President or designee
  - President or designee must approve material changes
  - Staff is responsible for implementation and for reporting at least annually on compliance by the College with the Program
- Staff training
- Service providers
  - Also responsible for maintaining an identity theft prevention program

Sources:
- Federal Trade Commission – Protecting America’s Consumers
- Fighting Fraud with the Red Flags Rule – A How-To Guide for Businesses