Training Objective - Montana Tech of the University of Montana

Identity Theft
Prevention Program
Red Flags Rules
Fighting Fraud at
Montana Tech
Training Objective:
Ensure staff understand their responsibility to
protect sensitive information, and know the steps
to prevent, detect and respond to identity theft.
This training is required as part of the Montana
Tech Identity Theft Prevention Program.
Agenda
• Background
Why me? What information are we talking about?
• Preventing Identity Theft
How do I secure sensitive information to make sure this doesn’t happen?
• Detecting Identity Theft
What is a Red Flag, and how do I know one when I see one?
• Responding to Identity Theft
I found a Red Flag… now what do I do?
• For more information…
Where can I learn more?
Montana Tech - Identity Theft
Prevention Program
Background
Failure to protect sensitive data can lead to identity theft or
other harm to consumers —
and also can harm Montana Tech, not just financially but also
in loss of public trust.
• The amount of data captured and stored by businesses doubles every
12-18 months. (Information Week)
• $221 billion a year is lost by businesses worldwide due to identity
theft. (The Aberdeen Group)
• As many as 10 million Americans a year are victims of identity theft.
(Identity Theft Resource Center, The Aftermath Study)
Background
• The Gramm-Leach-Bliley Act’s Safeguards Rule requires financial
institutions to provide reasonable safeguards for customer data.
Under the Act, “financial institution” includes any entity that allows
deferred payment for services (for example, attending class before
tuition and fees are paid in full).
– In other words…
• This includes all affiliated campuses of The University of
Montana, their contractors and sub-contractors.
Background
Existing laws require us to:
– “Implement measures that are reasonable and appropriate
under the circumstances to protect sensitive consumer
information,” and
– Notify affected customers if there's a data breach.
Examples of protected sensitive information include social security
number, account information and information derived from credit
reports.
– Fair and Accurate Credit Transaction Act (FACT)
– Federal Educational Right to Privacy Act (FERPA)
– Federal Trade Commission Act
– Health Insurance Portability and Accountability Act (HIPAA)
– Drivers Privacy Protection Act (DPPA)
– FTC Disposal Rule
– State Laws
– Gramm-Leach-Bliley Act
– Fair Credit Reporting Act
What is Personally Identifiable Information?
Information that can be used alone, or in conjunction with
other information, to identify a specific person. Some
examples:
• Name
• Address
• Social security number
• Birth date
• Drivers license number
• Other identification number (799)
• Passport number
Are you keeping information secure?
Safeguarding sensitive information on your computers and
in your files is YOUR RESPONSIBILITY, and is critical
in preventing identity theft.
A sound information security plan is built on five principles:
• Take stock – know what you have
• Scale down – keep only what you need
• Lock it – protect the information in your care
• Pitch it – properly dispose of what you don’t need
• Plan ahead – know how to respond to incidents
Take Stock
• Check files and computers for what information you have and where it
is stored.
– Don’t forget portable devices and offsite locations, including
employees’ home computers. For example, an employee who emails
sensitive information to a personal account, or copies it to USB
storage, for use while working from home.
• Trace the flow of information from data entry, receipt/filing to disposal.
At every stage, determine who has access – and who should have
access.
Scale Down
• Collect only what you need, and keep it only for the time
you need it.
• Be cautious of what you store on devices connected to the
internet!
• For receipts you give to customers, eliminate sensitive or
personally identifying information (for example, 799
number or credit card number).
• Do not collect social security numbers out of habit or
convenience. Only collect them when needed (for
example, payroll reporting to IRS).
Lock It
• Lock offices, desks, store rooms and file drawers, and
train employees to keep them that way.
• Limit access to databases, computer files and storage
areas with sensitive files to only those people required
to use that information as part of their job duties.
• Don’t store sensitive information on a workstation or
mobile device.
• Secure data that is shipped or stored offsite.
Pitch It
• Shred paper records you don’t need. Make sure you’ve met
any applicable retention requirements! (See the State Records
Retention Schedules.)
• Use disk wiping utility programs on computers and portable
storage devices before disposing of them. (See MUS Board of
Regents Policy 1308, Disposal of Computer Storage Devices.)
Plan Ahead
• Put together a “What if?” plan to detect and respond to
a security incident.
• Designate a senior staff member to coordinate your
response.
• Investigate right away and know how to preserve
evidence, such as computer logs and files, and original
documents.
• Take steps to close off vulnerabilities, for example
disconnect compromised computers from the Internet.
• Inform the Identity Theft Program Administrator for
your campus and Public Safety or law enforcement.
Training and Oversight
• Train your employees!
• Oversee contractors and service providers
• Use good hiring practices (check references, and consider
background checks in security-sensitive positions)
• Build information security training into orientation.
What is a Red Flag?
“A pattern, practice, or specific activity that indicates the
possible existence of Identity Theft”
In other words…
– A Red Flag helps us detect Identity Theft.
– A Red Flag is a warning that something may be wrong.
– It can be something one says, does, or gives you that makes you
suspect he or she is not who they claim to be.
– It can be something that happens on an account that is unusual or
suspicious.
Five Categories of Red Flags
• An alert, notification or warning from a consumer
reporting agency
• Suspicious documents
• Suspicious personally identifying information
• Unusual use of, or suspicious activity related to, a
covered account
• Notification by a victim of identity theft, a law
enforcement authority, or other person, that the
account is being used for identity theft
What are covered accounts?
• Any account that the University offers or maintains that
is designed to permit multiple payments or
transactions.
• Other types of accounts if there is a reasonably
foreseeable risk of fraud or identity theft risk to
customers or The University.
– Student Accounts
– Payroll Accounts
– Student Loans & Financial Aid
– Campus ID Cards! (Digger Card)
Suspicious Documents
• Documents that appear to be altered or forged.
• A photo ID that does not reasonably resemble the
person presenting it.
• Information on an ID that does not agree with other
information being provided, for example different
names or birth dates, or signatures that are not
reasonably alike.
• Information that does not agree with data already on
file.
Suspicious Personally
Identifying Information
• PII provided:
- Is not consistent when compared with external sources
- Is not consistent with other PII provided by the customer
- Is associated with known fraudulent activity
- Is a type commonly associated with fraudulent activity
- Is not consistent with other PII on file with the University
• The social security number provided is the same as that submitted by
someone else
• The address or telephone number provided is the same as an unusually
large number of other people
• The person attempting to open a new account fails to provide all
required PII on request
Examples of Unusual Use
or Suspicious Activity
• Shortly following the notice of a change of address, the University receives
a request for a new card or additional authorized users of an account
• The covered account is used in a manner that is not consistent with
established patterns of activity
• Mail is repeatedly returned as undeliverable though transactions continue
to be conducted on the account
• An account that has been inactive for a relatively long period of time is
used
• The University is notified that the account holder is no longer receiving
paper account statements
• The University is notified of unauthorized changes or transactions in
connection with a covered account.
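The Red Flags listed on this slide and the preceding one (a social security number submitted by two people, an address shared by an unusually large number of people, a new card requested shortly after an address change, mail repeatedly returned while transactions continue, and a long-inactive account suddenly used) can be expressed as checks run over account records. The example below is added for illustration and is not part of the Montana Tech training or Program; the record fields, the thresholds and the sample records are all assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Account:                      # hypothetical record layout for this example
    holder: str
    ssn: str
    address: str
    prior_activity: date            # activity before the most recent one
    last_activity: date             # most recent transaction on the account
    returned_mail: int = 0          # statements returned undeliverable in a row
    address_changed: Optional[date] = None
    new_card_request: Optional[date] = None

# Assumed thresholds for illustration only, not Program policy.
DORMANT_DAYS, CARD_WINDOW_DAYS, SHARED_ADDRESS_LIMIT, ACTIVE_DAYS = 365, 30, 3, 60

def red_flags(accounts, today):
    """Map each holder to the Red Flags from the slides that their record triggers."""
    ssn_count = Counter(a.ssn for a in accounts)
    addr_count = Counter(a.address for a in accounts)
    flags = {}
    for a in accounts:
        found = []
        if ssn_count[a.ssn] > 1:
            found.append("SSN also submitted by another person")
        if addr_count[a.address] > SHARED_ADDRESS_LIMIT:
            found.append("address shared by an unusually large number of people")
        if (a.address_changed and a.new_card_request
                and 0 <= (a.new_card_request - a.address_changed).days <= CARD_WINDOW_DAYS):
            found.append("new card requested shortly after address change")
        if a.returned_mail >= 2 and (today - a.last_activity).days <= ACTIVE_DAYS:
            found.append("mail repeatedly returned while transactions continue")
        if (a.last_activity - a.prior_activity).days > DORMANT_DAYS:
            found.append("long-inactive account used")
        if found:
            flags[a.holder] = found
    return flags

# Constructed sample records (fictitious values), reviewed as of 2024-03-15.
SAMPLE = [
    Account("A. Doe", "000-00-0001", "1 Main St", date(2024, 2, 1), date(2024, 3, 12),
            address_changed=date(2024, 3, 1), new_card_request=date(2024, 3, 10)),
    Account("B. Roe", "000-00-0001", "2 Elm St", date(2024, 2, 1), date(2024, 3, 1)),  # same SSN as A. Doe
    Account("C. Poe", "000-00-0003", "9 Oak Ave", date(2022, 1, 15), date(2024, 3, 5)),
    Account("D. Loe", "000-00-0004", "9 Oak Ave", date(2024, 2, 1), date(2024, 3, 8), returned_mail=3),
    Account("E. Moe", "000-00-0005", "9 Oak Ave", date(2024, 2, 1), date(2024, 3, 1)),
    Account("F. Noe", "000-00-0006", "9 Oak Ave", date(2024, 2, 1), date(2024, 3, 1)),
]
```

Calling `red_flags(SAMPLE, date(2024, 3, 15))` flags every sample holder: the four "9 Oak Ave" records share an address, A. Doe and B. Roe share an SSN, and C. Poe and D. Loe trip the dormant-account and returned-mail rules respectively. A flag is a prompt to verify identity under your department's procedures, not a finding of fraud.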
University Experience
and Guidance
Follow your department’s procedures for verifying the identity of your
customer. Offices and departments should also incorporate identity theft
experience of the University, office or school into their procedures, such as:
• Actual past incidents of identity theft
• Additional methods the University has identified that reflect changes in
identity theft risks
• Updates to the Identity Theft Prevention Program
Ask your Identity Theft Prevention Program Administrator for help in making
sure your procedures are sufficient.
When should I look
for Red Flags?
Student Enrollment Offices (new accounts)
– Require certain identifying information such as name,
date of birth, academic records, home address or other
identification.
– Verify the student’s identity when you issue the student
ID card (with drivers license or other government-issued
photo identification).
Ask your supervisor for information on the specific
documents that are (and are not!) acceptable to verify
identity.
When should I look
for Red Flags?
For Existing Accounts
– Verify the identification of students if they request any
information about their records or account, regardless
of whether the request is in person, by phone, by fax or
by email.
– Verify the validity of any request to change billing
address, and provide the student a reasonable means of
promptly reporting incorrect billing address changes.
– Verify any request to change banking information given
for billing and payment purposes.
What do I do if I suspect identity
theft?
1. Notify your supervisor.
2. Investigate to the extent needed to determine if identity theft is
likely or a data breach has occurred.
3. Assess whether a response is needed and take immediate action if
necessary.
4. Notify your Identity Theft Prevention Program Administrator and
Public Safety or local law enforcement (if applicable), and plan
your response.
Actions to Consider (depending on circumstances):
• Cancel the suspected fraudulent transaction if possible
• Contact the person who “owns” the account (for
example, the student)
• Change any passwords or security codes/devices that
permit access to the account
• Monitor activity on the account
• Place a hold on the account
Actions to Consider (depending on circumstances):
• Close the account
• Reopen the account with a new account number
• Refuse to open a new account
• Refuse payments on an account
• Other actions based on advice from
- Identity Theft Prevention Program Administrator for your
campus
- Public Safety or local law enforcement
- IT Security Officer
- Internal Audit
For More Information
• Policies and Procedures
– MUS Board of Regents Policy 960.1 (Identity Theft Prevention Program)
– MUS Board of Regents Policy 1300.1
(Information Security)
– Montana Tech Policy
– Montana Tech Identity Theft Prevention Program
• Other Resources for Businesses (to help us protect our customers)
– Federal Trade Commission
Fighting Fraud with the Red Flags Rule: A How-To Guide for Business
Fighting Back Against Identity Theft
Information Compromise and the Risk of Identity Theft: Guidance for your Business
– US Department of the Treasury, President’s Task Force on Identity Theft, Combating Identity
Theft: A Strategic Plan
– Department of Defense, Personally Identifiable Information Training
For More Information (cont.)
• Other Resources for Consumers (to help you protect yourself!)
– Federal Trade Commission, Avoid Identity Theft video
– Federal Trade Commission, Take Charge: Fighting Back Against Identity Theft
– OnGuard OnLine, ID Theft Face Off online game/quiz
– National Consumers League
Questions/Comments?
• Identity Theft Prevention Program Administrator
Marlene McMillan (Montana Tech), 496-4252
Mark Pullium (UM), 406-243-5757
• IT Security Officer
Mike Kukay (Montana Tech), 496-4673
Quiz
1. The University is not a “financial institution” as defined by the Federal Identity theft Laws?
a) True
b) False
2. Which of the following are considered personally identifiable information?
a) name
b) social security number
c) Passport number
d) Bank account numbers
e) Address
f) All of the above
3. It’s OK to keep social security numbers of former employees as long as they are on my computer and we
don’t use them regularly?
a) True
b) False
4. When my office computer is replaced, my department should make sure all files are removed and a special
utility program is used to erase the hard drive?
a) True
b) False
5. Which of the following is not a Red Flag?
a) A notification from a credit bureau
b) A photo ID that looks nothing like the person presenting it
c) A name on a birth certificate that is spelled differently than the name on the person’s driver’s license.
d) A phone call from someone claiming their identity was stolen
e) None of the above
6. I can provide information on a student’s account without verifying identity only if the student requests the
information in person?
a) True
b) False
7. If I think I found a Red Flag, the first thing I should do is?
a) Call the police
b) Close the account
c) Tell my supervisor
d) Add one to the tally on the department’s official Red Flag tote board
8. Identity theft prevention is my responsibility?
a) True
b) False