Office of the Vice President for
Administration and Finance
GENERAL INDEX: A-27
SUBJECT: IDENTITY THEFT PROGRAM
In accordance with SAM 01.C.14, Identity Theft, this document establishes guidelines for an Identity Theft Prevention Program designed to detect, prevent and mitigate identity theft in connection with certain “covered accounts” and to provide for continued administration of the Program in compliance with the Federal Trade Commission’s (FTC) Red Flags Rule, which implements Sections 114 and 315 of the Fair and Accurate Credit Transaction Act.
The University has established this Program taking into consideration its size, complexity and the nature of its operation. The Program contains reasonable policies and procedures to:
a. Identify relevant red flags for new and existing covered accounts and incorporate those red flags into the Program;
b. Detect red flags that have been incorporated into the Program;
c. Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and
d. Ensure the Program is updated periodically to reflect changes in risks to customers with covered accounts or to the safety and soundness of the covered accounts from identity theft.
General program oversight, including developing, implementing and updating the Program, will be the responsibility of a Program Administrative Group comprised of the Campus Compliance Officer (Program Administrator), Bursar, Information Security Officer, HR Director or others the Program Administrator designates.
A. Identity Theft – a fraud committed or attempted using the identifying information of another person without authority
B. Red Flag – a pattern, practice, or specific activity that indicates the possible existence of identity theft. Examples of Red Flags include: alerts, notifications or warnings from a consumer reporting agency, suspicious documents, suspicious personal identifying information, unusual use of or suspicious activity related to the covered account or notice from customers, victims of identity theft, law enforcement authorities or other persons regarding possible identity theft in connection with covered accounts held by the institution.
C. Covered Account – (1) an account that the University offers or maintains primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions (Attachment A) or (2) any other account for which there is a reasonably foreseeable risk to customers of identity theft.
D. Program – for purposes of this policy, the Identity Theft Prevention Program
E. Program Administrative Group – Those campus individuals designated with primary responsibility for oversight of the Program.
F. Identifying Information – any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including name, address, telephone number, social security number, date of birth, government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number, student identification number, computer’s Internet Protocol address, or routing code.
1. Fulfilling Requirements for Red Flags Rule - Departmental Responsibilities
Departmental administrators overseeing covered accounts or other operations where there is a reasonable likelihood that identity theft could occur shall develop reasonable procedures tailored to the size, complexity and nature of their operations that are designed to detect, prevent and mitigate identity theft:
A. Identifying relevant red flags and incorporating those red flags into the department’s written program;
B. Using reasonable vigilance to detect red flags that have been identified as relevant within the department;
C. Responding promptly and appropriately to red flags detected to prevent and mitigate identity theft;
D. Ensuring that departmental staff involved are familiar with this policy and departmental procedures and fully understand their individual role in the prevention of identity theft;
E. Ensuring that departmental staff have taken annual training made available by the University on the prevention, detection and mitigation of identity theft;
F. Reviewing and updating departmental procedures at least annually to ensure changes in departmental business operations or changes in risks of identity theft are being addressed, and providing annual updates to the Campus Compliance Officer; and
G. Coordinating with Business Services to ensure that service providers working with covered accounts are contractually required to have reasonable policies and procedures in place designed to comply with Red Flag rules.
2. Identification of Red Flags
Identification of Red Flags relevant to University operations includes consideration of:
- Types of covered accounts offered and maintained
- Methods provided to open a covered account
- Methods provided to access covered accounts
- Previous experiences with identity theft or attempted identity theft
The following types of red flags have been identified:
A. Notifications and Warnings from Credit Reporting Agencies
a. Report of fraud accompanying a credit report;
b. Notice or report from a credit agency of a credit freeze on an applicant;
c. Notice or report from a credit agency of an active duty alert for an applicant;
d. Receipt of a notice of address discrepancy in response to a credit report request; and
e. Indication from a credit report of activity that is inconsistent with an applicant’s usual pattern or activity.
B. Suspicious Documents
a. Identification document or card that appears to be forged, altered or not authentic;
b. Photograph or physical description on the identification is not consistent with the appearance of the person presenting the document;
c. Presentation of other documents where information is not consistent with existing covered account information on file; and
d. Application appears to have been altered or forged.
C. Suspicious Personal Identifying Information
a. Identifying information presented that is inconsistent with other information the person provides (example: lack of correlation between the social security number and date of birth);
b. Identifying information presented that is inconsistent when compared against external information sources (for instance, an address on a credit report not matching an address provided by the person);
c. Identifying information presented that is the same as information shown on other documents that have been found to be fraudulent;
d. Identifying information presented that is consistent with fraudulent activity such as an invalid phone number or fictitious billing address;
e. Social security number or other identification number presented that is the same as one given by another person;
f. An address or phone number presented that is the same as that of another person, is to a mail drop or prison or is a phone number associated with a pager or answering service;
g. A person fails to provide complete personal identifying information on a document when reminded to do so; and
h. A person is unable to correctly answer identity challenge questions.
D. Suspicious Covered Account Activity or Unusual Use of Account
a. Change of address for a covered account followed shortly by a request to change the person’s name or email address or a request to replace an identification card;
b. Account used in a way that is not consistent with prior use;
c. Mail sent to the student is repeatedly returned as undeliverable although transactions continue to be conducted in connection with the covered account;
d. Notice to the University that a student is not receiving mail sent by the University; and
e. Notice to the University that an account has unauthorized activity.
E. Alerts from Others
a. Notice to the University from a student, identity theft victim, law enforcement or other person that the University has opened or is maintaining a fraudulent covered account for a person engaged in identity theft.
3. Detecting Red Flags
A. New Covered Accounts
In order to detect any of the Red Flags identified in Section 2 associated with the opening of a new covered account, department personnel responsible for opening and managing a covered account or issuing official university identification badges will verify the identity of the person opening the account or obtaining the identification badge by requiring certain identifying information such as name, telephone number, date of birth, home address, social security number (student id for students), driver’s license or other government-issued photo, and other identification depending on the operational unit’s needs.
B. Existing Accounts
In order to detect any of the red flags identified in Section 2 for an existing covered account, University personnel will take the following steps to monitor transactions on an account:
a. Verify the identification of a person if they request information whether in person, via telephone, facsimile, or email;
b. Verify the validity of requests to change billing addresses by mail or email and provide the person a reasonable means of promptly reporting incorrect billing address changes; and
c. Verify changes in banking information given for billing and payment purposes.
C. Consumer Credit Report Requests
In order to detect any of the red flags identified in Section 2 for an employment or volunteer position for which a credit or background report is sought, University personnel will take the following steps to assist in identifying address discrepancies:
a. Require written verification from any applicant that the address provided by the applicant is accurate at the time the request for the credit report or background check is made; and
b. In the event that notice of an address discrepancy is received, verify that the credit report or background check pertains to the applicant for whom the requested report was made and report to the consumer reporting agency, if applicable, an address for the applicant that the University has reasonably confirmed is accurate.
4. Preventing and Mitigating Identity Theft
In the event University personnel detect any identified red flags, such personnel shall take one or more of the following steps, appropriate to the degree of risk posed by the red flag:
A. Prevent and Mitigate
1. Notify your immediate supervisor (in all circumstances)
2. Continue to monitor a covered account for evidence of identity theft;
3. Contact the customer or applicant (for which a credit report or background check was run);
4. Change any passwords or other security devices that permit access to covered accounts;
5. Not open a new covered account;
6. Close an account or provide the customer with a new account number;
7. Notify a member of the Program Administrative Group for assistance in determining appropriate step(s) to take:
i. University Bursar (red flag – student)
ii. Director of Human Resources – (red flag – employee)
iii. IT Information Security Officer – (red flag – related to computer breach or misuse of computer access)
iv. Campus Compliance Officer (red flag detection – any of above)
8. Notify appropriate law enforcement agency;
9. File or assist in filing a suspicious activities report;
10. Not attempt or cease to collect, sell, or assign a covered account; or
11. Determine that no response is warranted under the particular circumstances
B. Protect Student Identifying Information
1. In order to further prevent the likelihood of identity theft occurring with respect to covered accounts, the University will take the following steps with respect to its internal operating procedures to protect customer identifying information:
2. Ensure that its website is secure or provide clear notice that the website is not secure;
3. Ensure complete and secure destruction of paper documents and computer files containing customer account information when a decision has been made to no longer maintain such information;
4. Ensure that office computers with access to covered account information are password protected;
5. Avoid use of social security numbers;
6. Ensure computer virus protection is up to date; and
7. Require and keep only the kinds of customer account information that are necessary for University purposes.
5. Program Administration
Responsibility for developing, implementing and updating the Program lies with the Program Administrative Group comprised of the Campus Compliance Officer (Program Administrator), Bursar, Information Security Officer and HR Director.
Administrative Group duties include:
- Ensuring availability of appropriate training of employees
- Reviewing staff reports regarding the detection of Red Flags and the adequacy of steps taken for preventing and mitigating identity theft
- Advising departments about which steps of prevention and mitigation should be taken in particular circumstances
- Conducting an annual review of the Program.
B. Annual Program Review Required
This Program will be reviewed and updated annually. Reviews will determine if policy and procedures are current and consider:
- previous history of identity theft occurrences since the Program was last updated
- changes in identity theft methods
- changes in identity theft detection and prevention methods
- changes in types of covered accounts the University maintains
- changes in the University’s business arrangements with other entities
- changes in federal regulations governing Red Flag Rules
After considering these factors, the Program Administrative group will determine changes to the Program that should be implemented. The Program Administrator will then coordinate any policy or procedural updates.
C. Employee Training and Reports
Training - Information regarding the prevention, detection and mitigation of identity theft will be included in the annual Fraud Awareness and Prevention training which must be completed by all employees. The University may require additional role-based training for certain employees.
Reports - The Campus Compliance Officer will provide an annual report to the UH Compliance Officer summarizing significant incidents involving identity theft and management’s response, effectiveness of policies and procedures and recommendations for changes to the Program.
D. Service Provider Arrangements
In the event a department engages a service provider to perform an activity in connection with one or more covered accounts, the department will take the following steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft:
1. New Service Providers
a. Require, by contract, that service providers have such policies and procedures in place to perform their activities in compliance with Sections 114 and 315, as applicable, of the Fair and Accurate Credit Transaction Act of 2003; and
2. Existing Service Providers
a. The department will require written confirmation from the service provider that policies and procedures are in place to detect, prevent and mitigate the risk of identity theft in accordance with Federal Trade Commission requirements, Sections 114 and 315, as applicable, of the Fair and Accurate Credit Transaction Act of 2003.
Signature Obtained 11/26/2012
Philip Castille, Ph.D. Date
Next review date: November 2015
Origination: Compliance Officer, Institutional Compliance Office
University of Houston-Victoria Schedule of Covered Accounts
As of May 1, 2009
As part of the 2009 Red Flag Program review, the University has determined it has four types of covered accounts, three of which are accounts administered by the University and one administered by a third-party service provider.
Current covered accounts include:
- Institutional Student Short Term Loan Program
- TPEG Student Loan Program
- Installment Plan payment program
- Third Party Contract with Windham Collections for collection of default student accounts