Identity Theft Prevention Policy

Abstract:
UAB's Identity Theft Prevention Policy facilitates the University’s Identity Theft Prevention Program to detect, prevent, and mitigate identity theft in connection with the opening of certain accounts and the maintenance of certain existing accounts.
Effective Date:
4/1/2011
Contacts:
Associate Vice President for Financial Affairs
Administrative Category:
Applies To:
Faculty, Staff
Keyword(s):
None Assigned
Material Original Source:
Policy Reference Manual

University of Alabama at Birmingham

IDENTITY THEFT PREVENTION POLICY
(Red Flags)

April 1, 2011


I. Introduction

The University of Alabama at Birmingham (UAB), also referred to herein as "University," has developed this Identity Theft Prevention Policy to facilitate the University’s Identity Theft Prevention Program ("Program") pursuant to the Federal Trade Commission's (“FTC”) Red Flags Regulation (16 CFR § 681.2), which implements Section 114 of the Fair and Accurate Credit Transactions (FACT) Act of 2003 and the final rules implementing Section 315 of the FACT Act.  The regulations require each financial institution or creditor to develop and implement a written Identity Theft Prevention Program to detect, prevent, and mitigate identity theft in connection with the opening of certain accounts and the maintenance of certain existing accounts.  For the purpose of these regulations, UAB is considered a creditor and has developed this policy with consideration of the size and complexity of the University's operations, its account systems, and the nature and scope of the University's activities.

II. Scope and Applicability of Policy

Managing and protecting data are responsibilities shared by all members of the University community.  This policy complements existing “Red Flags” policies of the UAB Health System (UABHS) and other existing University policies related to data security, data protection, and information disclosure.  Such policies include, but are not limited to, the UAB Data Protection and Security Policy and the UAB Information Disclosure and Confidentiality Policy. These and other related policies combine to promote UAB’s effort to comply with the Health Insurance Portability and Accountability Act (HIPAA), the Family Educational Rights and Privacy Act (FERPA), the Gramm-Leach-Bliley Act (GLBA), Payment Card Industry (PCI) standards, and the Federal Information Security Management Act (FISMA).

This policy applies to the Primary Covered Accounts listed in Appendix A and does not apply to accounts covered under the UABHS “Red Flags” policy.

  1. Excepting those individuals covered by the existing UABHS “Red Flags” policy, all other individuals (faculty, staff, students, and visitors), schools, departments, affiliates and/or other similar entities within the University community, including employees of contracted or outsourced non-UAB entities who have access to covered account Personal Identifying Information (PII), are subject to this policy. 
  2. All customer PII not covered by the UABHS “Red Flags” policy is covered under this policy, including, but not limited to, PII data contained in centralized institutional systems, department/unit systems, and systems created or operated by third party vendors under the direction of UAB, and PII data stored or maintained in any other capacity or medium where there is a reasonably foreseeable risk of identity theft. 

III. Definitions and Program

A.  Definitions Used in this Program

  1. Identity Theft is a fraud committed or attempted using the identifying information of another person without authority.  
  2. Red Flag is a pattern, practice, or specific activity that indicates the possible existence of identity theft.  
  3. An Account is a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household or business purposes.  Account includes: (i) An extension of credit, such as the purchase of property or services involving a deferred payment; and (ii) A deposit account.  
  4. A Covered Account is (i) any account the University offers or maintains primarily for personal, family, or household purposes that allows multiple payments or transactions, including one or more deferred payments; and (ii) any other account the University identifies as having a reasonably foreseeable risk to customers or to the safety and soundness of the University from identity theft.  A list of covered accounts under this policy can be found in Appendix A. 
  5. Program Administrator is the individual designated with primary responsibility for oversight of the Identity Theft Policy. See Section VII below. 
  6. An Identity Theft Prevention Officer is someone designated by a department with covered accounts to serve as a liaison to the Program Administrator and is responsible for ensuring that the requirements of the Identity Theft Prevention Policy are incorporated in departmental procedures.  This person also may be responsible for ensuring the implementation of other University policies that safeguard and protect data from unauthorized access, use, and disclosure.  
  7. Personal Identifying Information (PII) is any name or number that may be used, alone or in conjunction with any other information, to identify a specific person.  Below are examples of data fields that are considered PII: 

    1. Taxpayer Identification Number (SSN, ITIN or EIN)
    2. System Generated Identification Number (student number or patient number, etc.)
    3. Government Passport Number
    4. Government Issued Driver’s License or Identification Number
    5. Name
    6. Date of Birth
    7. Address
    8. Telephone Number(s)
    9. Personal Identification Number (PIN)
    10. E-mail Address
    11. Blazer ID
    12. Password
    13. Computer Internet Protocol Address
    14. Routing Code

B.  Fulfilling Requirements of the Red Flags Regulations

Under the red flags regulations, the University is required to establish an “Identity Theft Prevention Program” tailored to its size, complexity and the nature of its operation. Each University department with covered accounts that maintains, disseminates or disposes of covered account PII data shall designate an individual who will serve as the department’s Identity Theft Prevention Officer.

The Identity Theft Prevention Program must contain reasonable policies and procedures to:

  1. Identify relevant red flags for new and existing covered accounts and incorporate those red flags into the Program;  
  2. Detect red flags that have been incorporated into the Program;  
  3. Prevent identity theft by responding appropriately to any red flags that are detected;  
  4. Mitigate identity theft once it has occurred; and  
  5. Update the program periodically to reflect changes in risks to the customer and the University from identity theft. 

IV. Identification of Red Flags

In order to identify relevant red flags, each University department should consider the types of accounts that it offers and maintains, the methods it provides to open its accounts, the methods it provides to access its accounts, and its previous experiences with identity theft. The University has identified the following red flags in each of the categories listed in this section. Additional red flags may be identified by each department and included in the department’s procedures to prevent, detect, and mitigate identity theft.

A.  Notifications and Warnings from a Credit Reporting Agency

  1. A report of fraud accompanying a credit report;  
  2. A notice or report from a credit agency of a credit freeze on an applicant;  
  3. A notice or report from a credit agency of an active duty alert for an applicant;   
  4. Receipt of a notice of address discrepancy in response to a credit report request; and 
  5. Indication from a credit report of activity that is inconsistent with an applicant’s usual pattern of activity, such as: 

    1. A recent significant increase in the number of inquiries.
    2. An unusual number of recently established credit relationships.
    3. A material change in the use of credit, especially with respect to recently established credit relationships.
    4. An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.

B. Suspicious Documents

  1. An identification document or card that appears to be forged, altered or inauthentic;  
  2. An identification document or card on which a person’s photograph or physical description is not consistent with the person presenting the document;  
  3. Any other document with information that is not consistent with existing PII maintained by the department or presented by the person opening an account or engaging in an account transaction; and 
  4. An application for service that appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.   

C. Suspicious Personal Identifying Information (PII)

  1. PII presented that is inconsistent with other information on record that the person has provided (example: inconsistent date of birth, SSN, address or telephone numbers, etc.); 
  2. Identifying information presented that is the same as information shown on other applications that were found to be fraudulent;  
  3. Identifying information presented that is consistent with fraudulent activity (such as an invalid phone number or fictitious billing address);  
  4. A Social Security Number presented that is the same as one given by another person;  
  5. An address or phone number presented that is the same as that of another person not reasonably expected to be a part of the same household; and  
  6. Failure to provide complete PII in person, on the phone, or on an application when reminded to do so.

D.  Suspicious Covered Account Activity or Unusual Use of Account

  1. Change of address for an account is followed by a request to change the person’s name;  
  2. Payments stop on an otherwise consistently up-to-date account;  
  3. Account is used in a way that is not consistent with prior use;  
  4. Mail sent to the person is repeatedly returned as undeliverable;  
  5. Notice is received by the University that a person is not receiving mail sent by the University;  
  6. Notice is received by the University that an account has unauthorized activity;  
  7. A breach is detected in the University's computer system security; and  
  8. Unauthorized access to or use of a person’s account information is detected.

E.  Alerts from Others

  1. Notice to the University received from an identity theft victim, law enforcement or other individual that the University has opened or is maintaining a fraudulent account for a person engaged in identity theft.  
  2. Notice to the University from any organization that an account may be fraudulent. 

V. Detecting Red Flags

A.  New Covered Accounts

In order to detect any of the red flags associated with the establishment of a new covered account, University personnel shall take the following steps to obtain and verify the identity of the person opening the account:

  1. Require certain identifying information such as name, date of birth, academic records, home address, or other identification or combination thereof.  The identifying information may vary by department contingent upon the nature of the services provided and the data maintained in departmental records.  
  2. Verify the person’s identity at the time of issuance of an identification card (review of driver’s license, passport, or other government-issued photo identification).  
  3. Examine documents presented for identification purposes for evidence of falsification or tampering.  
  4. Validate that the person has met all other University or departmental requirements associated with the opening of a new account. 

B.  Existing Accounts

In order to detect any of the red flags identified above for an existing account, University personnel shall take the following steps to monitor transactions on an account:

  1. Verify the person’s identity at the time of re-issuance of an identification card (review of driver’s license, passport, or other government-issued photo identification, etc.).  
  2. Verify the identification of a person who is requesting information in person or by telephone, facsimile, email, or other media.  
  3. Verify the validity of requests to change PII by mail, email, or other media and provide the person a reasonable means of promptly reporting incorrect data changes.  
  4. Notify the individual by e-mail, U.S. mail, telephone, any other means agreed upon by the individual, or by any combination of these methods when PII changes occur, and provide the person a reasonable means to promptly report incorrect data changes. 
  5. Review periodically the list of data fields included in Section III of this policy under the definition of PII and update the list when new data fields are identified that may become relevant to the prevention, detection, and mitigation of identity theft. 

C.  Consumer (“Credit”) Report Requests

In order to detect any of the red flags identified above when a credit or background report is sought, University personnel will take the following steps to assist in identifying address discrepancies:

  1. At the time a request for a credit report is made to the consumer reporting agency, require written verification from the person that the address provided by the person is accurate.  
  2. In the event that notice of an address discrepancy is received, verify that the credit report pertains to the person for whom the requested report was made.  
  3. Report to the consumer reporting agency an address for the person that the University has reasonably confirmed is accurate. 

VI. Preventing and Mitigating Identity Theft

In the event University personnel detect any identified red flags, such personnel shall notify their supervisor or the individual designated as the department’s Identity Theft Prevention Officer.  Depending on the department’s assessment of the degree of risk posed by the red flag, one or more of the following steps should be taken.

A.  Prevent and Mitigate

  1. Delay opening an account until a reasonable belief has been formed that the person for whom a business relationship is being established has been properly identified;  
  2. Continue to monitor a covered account for evidence of identity theft;  
  3. Contact the person for whom a red flag was detected;  
  4. Place the account on hold to prevent unauthorized access or use; 
  5. Change any passwords or other security devices that permit access to covered accounts; 
  6. Provide the person with a new identification number or account number; 
  7. Notify the Program Administrator for determination of the appropriate step(s) to take; 
  8. Notify UAB Police Department, Criminal Investigation Division; 
  9. Make corrections to the account to remove unauthorized activity, but maintain documentation to support an investigation; 
  10. File or assist in filing a Suspicious Activities Report (“SAR”); or  
  11. Determine that no response is warranted under the particular circumstances. 

B.  Protect Covered Account Personal Identifying Information (PII)

In order to further reduce the likelihood of identity theft occurring with respect to covered account PII, the department’s Identity Theft Prevention Officer shall take the following steps with respect to the department’s internal operating procedures.  These steps may require coordination with UAB Information Technology, Health System Information Services, or any other division responsible for the department’s technical support.

  1. Secure all websites containing the ability to access covered account PII;  
  2. Ensure that office computers with access to covered account PII are password protected; 
  3. Avoid use of Social Security Numbers when possible; 
  4. Ensure computer virus protection is up to date; 
  5. Require and keep only the kinds of information that are necessary for University purposes; 
  6. Properly store and secure all paper documents, files, CDs, floppy disks, zip drives, flash drives, tapes, and backups containing covered account PII in locked cabinets that are not accessible by any unauthorized individual; 
  7. Store file cabinets containing covered account PII in a locked room that is not accessible by any unauthorized individual; 
  8. Designate an employee within the department who will be responsible for controlling keys to the file cabinet and room, authorizing copies of the keys, and ensuring distribution of those keys only to employees with legitimate authorized need; 
  9. Ensure that sensitive papers are not left on employees’ desks when they are away from their workstations and that employees work with data in such a way as not to cause an unauthorized disclosure of information; 
  10. Include tracking and delivery confirmation when the University is legally required to provide PII to a third party; and 
  11. Ensure complete and secure destruction of paper documents, computer files, and other data storage mechanisms containing covered account PII when a decision has been made to no longer maintain such information. 

VII. Program Administration

A.  Oversight

The President of the University, or her or his designee, shall appoint a Program Administrator responsible for the identity theft prevention program.  The Program Administrator shall work with the identity theft prevention officers designated by the departments to develop, implement, and monitor the effectiveness of this program and policy.  Also, the Program Administrator shall communicate policy changes and updates to the Program.

B.  Staff Training and Compliance Reports

  1. The individual designated as the identity theft prevention officer for a department shall coordinate with the Program Administrator to provide staff training that is necessary to detect, prevent, and mitigate identity theft. 
  2. Periodically, as requested by the Program Administrator, the department’s identity theft prevention officer shall submit a report to the Program Administrator on compliance with this Program. The annual report should include all known identity theft incidents that have occurred during the year.  Also, the annual report should address the effectiveness of this policy and related procedures against the risk of identity theft.  Any recommendations for changes to the Program should be included as well. 

C.  Service Provider Arrangements

In the event the University engages a service provider to perform an activity in connection with one or more covered accounts, the University, through its contract review process, shall take the following steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft.

  1. Require in any contract that service providers have identity theft policies and procedures in place; and  
  2. Require in any contract that service providers report any red flags or identity theft incidents associated with University accounts/records to the University employee with primary oversight of the service provider relationship. 

D.  Non-disclosure of Specific Practices

For the effectiveness of the University’s Identity Theft Prevention Program, knowledge about specific red flag identification, detection, mitigation, and prevention practices should be limited to the Program Administrator, Identity Theft Prevention Officers, and departmental employees who are responsible for the implementation of this policy.  Any documents that may be reviewed or produced in order to develop or implement this Program that list or describe such specific practices and the information those documents contain are considered confidential and should not be shared with other employees or the public.  Also, all documents reviewed or produced as a result of identity theft, or in the investigation of potential identity theft, are considered confidential.

E.  Program Updates

Changes in Federal regulations may require immediate changes to this policy.  Also, the Program Administrator shall periodically review and update this policy and program to reflect changes in risks to customers and the University from identity theft.  In doing so, the Program Administrator will consider the University's experiences with identity theft incidents, changes in identity theft methods and in the methods used to prevent, detect, and mitigate identity theft, and changes in the University's business arrangements with other entities. After considering these factors and others as deemed necessary, the Program Administrator will be responsible for recommending policy changes to the appropriate University administrators.

VIII. Implementation of Policy

The Vice President for Financial Affairs and Administration through the Associate Vice President for Financial Affairs is responsible for procedures to implement this policy.

Appendix A

Identity Theft Prevention Policy
UAB List of Covered Accounts
As of March 1, 2011

The definition of a “covered account” is promulgated by the following regulatory agencies: Federal Trade Commission (FTC) 16 CFR 681.2; Department of the Treasury Office of the Comptroller of the Currency (OCC) 12 CFR 41.9; Federal Reserve System (FRS) 12 CFR 222.9; Federal Deposit Insurance Corporation (FDIC) 12 CFR 334.9; Department of the Treasury Office of Thrift Supervision (OTS) 12 CFR 571.9; National Credit Union Administration (NCUA) 12 CFR 717.9.

A “covered account” means: (i) an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and (ii) any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation or litigation risks.

The University will evaluate its accounts and customer relationships to update this list periodically as required by the regulations.

Covered Accounts Identified as of March 1, 2011:

  1. Banner Student Records - Undergraduate Admissions, Graduate Admissions, Registrar’s Office, Financial Aid, Housing Office, Student Accounting, and all other departments with access to student records in Banner 
  2. Student Loan Accounts - Office of Student Accounting Services 
  3. Campus Card - UAB Campus Card Office 
  4. Blazer Bucks Accounts (BlackBoard) - UAB Campus Card Office 
  5. Advancement Accounts (Banner: Alumni and other Contributors) - Office of Development, Alumni, and External Relations 
  6. Retiree Payment Accounts - Benefits Office - Human Resources Management 
  7. Leave Without Pay Benefits Accounts - Benefits Office - Human Resources Management 
  8. Patient Accounts - Dental Clinics - School of Dentistry 
  9. Patient Accounts - Optometry Clinic - School of Optometry