Identity Theft
Ten million Americans have their identities stolen each year.
10,000,000
Thieves drain their accounts, damage their credit and even endanger their medical treatment.

Red Flags Rule
Enforced by the Federal Trade Commission (FTC), the federal bank regulatory agencies, and the National Credit Union Administration.
Requires organizations to implement a written Identity Theft Prevention Program
  Designed to detect warning signs – or “red flags” – of identity theft in their day-to-day operations
  Take steps to prevent the crime, and mitigate the damage it inflicts
  Be better equipped to spot suspicious patterns when they arise and take steps to prevent a red flag from escalating into identity theft.

Who Must Comply with the Red Flags Rule
STC Must Comply – Covered Accounts
  Student Installment Accounts
  Student Emergency Loans
  Student Higher One Jag-Card
All functions connected to our students are subject to the Red Flags Rule –
  Registration
  Employment
  Payments
  Financial Aid
  Scholarships and Awards
  Etc.

Red Flags Rule - Overview
1. Identify relevant red flags.
2. Detect red flags.
3. Prevent and mitigate identity theft and respond accordingly
4. Update the program.

Program Sections
Section 1: Program Background and Purpose
Section 2: Definitions
Section 3: Scope
Section 4: Guidelines
Section 5: Identify Relevant Red Flags
Section 6: Detect Red Flags
Section 7: Prevent, Mitigate and Appropriately Respond to Identity Theft
Section 8: Periodic Updates to Plan
Section 9: Program Administration

Section 1 Program Background and Purpose
1. October 12, 2008 - Board of Trustees approved Board Policy # 5470, Identity Theft Policy, and approved the initial guidelines.

Section 1 Program Background and Purpose
1. The initial guidelines have since been updated to ensure they are closely aligned to the FTC’s requirements and the College’s operations.
2. Each department is responsible for developing procedures within their operation and ensuring their implementation and compliance.
3. These guidelines include some best practices to follow.

Section 1 Program Background and Purpose
Guidelines:
  Define sensitive information
  Describe security measures
  In compliance with laws
Risk to:
  Employees
  Students
  Contractors/Vendors

Section 2 Definitions
Identity Theft: Fraud committed or attempted using the identifying information of another person without authority.
Red Flag: A pattern, practice, or specific activity that indicates the possible existence of identity theft.
Identifying Information: Any name or number that may be used, alone or in conjunction with other information, to identify a specific person.

Section 2 Identifying Information

Section 3: Scope
Students, Employees, Contractors - at the College

Section 4: Guidelines
1. Faxed information
2. Payroll information
3. Hardcopy documents
4. Files
5. Addresses
6. Codes
7. Un-discarded documents
8. Computer documents
9. Whiteboard information
10. Social security numbers
11. Writing tables information
12. Medical information
13. Credit card information

Section 4: Guidelines

Section 5: Identify Relevant Red Flags
Covered accounts
Risk factors
Sources of red flags
Categories of red flags
Alerts, notifications or other warnings received from customer reporting agencies
  Address discrepancy
  Usual pattern of activity
  Number of recently established credit relationships
  Material change in use of credit
  Accounts closed for cause or abuse of account privileges

Section 5: Identify Relevant Red Flags
Suspicious documents
  Altered or forged
  Photograph or physical description on ID is not consistent with appearance of individual
  Other information is not consistent

Section 5: Identify Relevant Red Flags
Suspicious personal identifying information
  Information not consistent with external gathered information
  SSN listed on the SS Administration Death Master File
  Lack of correlation between SSN range and date of birth

Section 5: Identify Relevant Red Flags
Suspicious personal identifying information
  Information provided already on fraudulent application previously submitted
  Address is fictitious (a prison)
  Phone number is invalid
  SSN, address, phone number, provided is the same as that previously submitted by someone else
  Information is not consistent with that on file with the College
  Unable to answer security questions (beyond what is found in a person’s wallet)

Section 5: Identify Relevant Red Flags
How will you do this?

Section 6 Detect Red Flags
Each organizational unit will develop and implement specific methods and protocols to meet the requirement of this Program.
  Require current government-issued ID cards, such as driver’s license or passport
  Compare data
  Ask challenge questions (don’t use information available in wallet)
  Authenticate students
  Monitor transactions
  Verifying the validity of change of address requests
  Use passwords
  Use PIN numbers

Section 6: Detect Red Flags
How will you do this?
PROCEDURES

Section 7 Prevent, Mitigate and Appropriately Respond to Identity Theft
  Contact the student
  Monitor an account for evidence
  Change passwords
  Not opening a new account until further information is received
  Notifying law enforcement

Section 7 Prevent, Mitigate and Appropriately Respond to Identity Theft
  Write a description of the fraudulent activity and report it
  Cancel the transaction if fraudulent
  Determine the extent of liability
  Notify the actual customer that the fraud has been attempted

Section 7: Prevent, Mitigate and Appropriately Respond to Identity Theft
How will you do this?

Section 8 Periodic Updates to Plan
Re-evaluate program at periodic intervals
PROCEDURES
  Assessment of accounts covered in the program
  Revise red flags for updates, deletions, replacements

Section 8 Periodic Updates to Plan
Revise actions to be taken in the event that fraudulent activity is discovered

Section 9 Program Administration
Involvement of management
  Warrants the highest level of attention
  Written program and operation are responsibility of President or designee
  President or designee must approve material changes
  Staff is responsible for implementation and is responsible for at least annually reporting on compliance by the College with the Program

Section 9 Program Administration
Staff training
  HR is responsible for training annually
Service providers
  Also responsible for maintaining an identity theft prevention program

Questions?

Sources:
Federal Trade Commission – Protecting America’s Consumers
Fighting Fraud with the Red Flags Rule – A How-To Guide for Businesses