University of Alabama at Birmingham
IDENTITY THEFT PREVENTION POLICY
April 1, 2011
The University of Alabama at Birmingham (UAB), also referred to herein as "University," has developed this Identity Theft Prevention Policy to facilitate the University’s Identity Theft Prevention Program ("Program") pursuant to the Federal Trade Commission's (“FTC”) Red Flags Regulation (16 CFR § 681.2), which implements Section 114 of the Fair and Accurate Credit Transactions (FACT) Act of 2003 and the final rules implementing section 315 of the FACT Act. The regulations require each financial institution or creditor to develop and implement a written Identity Theft Prevention Program (Program) to detect, prevent, and mitigate identity theft in connection with the opening of certain accounts and the maintenance of certain existing accounts. For the purpose of these regulations, UAB is considered a creditor and has developed this policy with consideration of the size and complexity of the University's operations, its account systems and the nature and scope of the University's activities.
II. Scope and Applicability of Policy
Managing and protecting data are responsibilities shared by all members of the University community. This policy complements existing “Red Flags” policies of the UAB Health System (UABHS), and other existing University policies related to data security, data protection, and information disclosure. Such policies include, but are not limited to, the UAB Data Protection and Security Policy and the UAB Information Disclosure and Confidentiality Policy. These and other related policies combine to promote UAB’s effort to comply with the Health Insurance Portability and Accountability Act (HIPAA), the Family Educational Rights and Privacy Act (FERPA), the Gramm-Leach-Bliley Act (GLBA), Payment Card Industry (PCI) standards, and the Federal Information Security Management Act (FISMA).
This policy applies to Primary Covered Accounts in Appendix (A) and does not apply to accounts covered under the UABHS “Red Flags” policy.
III. Definitions and Program
A. Definitions Used in this Program
B. Fulfilling Requirements of the Red Flags Regulations
Under the red flags regulations, the University is required to establish an “Identity Theft Prevention Program” tailored to its size, complexity and the nature of its operation. Each University department with covered accounts that maintains, disseminates or disposes of covered account PII data shall designate an individual who will serve as the department’s Identity Theft Prevention Officer.
The Identity Theft Prevention Program must contain reasonable policies and procedures to:
IV. Identification of Red Flags
In order to identify relevant red flags, University departments should consider the types of accounts they offer and maintain, the methods they provide to open those accounts, the methods they provide to access those accounts, and their previous experiences with identity theft. The University has identified the following red flags in each of the categories listed in this section. Additional red flags may be identified by each department and included in the department’s procedures to prevent, detect, and mitigate identity theft.
A. Notifications and Warnings from a Credit Reporting Agency
B. Suspicious Documents
C. Suspicious Personal Identifying Information (PII)
D. Suspicious Covered Account Activity or Unusual Use of Account
E. Alerts from Others
V. Detecting Red Flags
A. New Covered Accounts
In order to detect any of the red flags associated with the establishment of a new covered account, University personnel shall take the following steps to obtain and verify the identity of the person opening the account:
B. Existing Accounts
In order to detect any of the red flags identified above for an existing account, University personnel shall take the following steps to monitor transactions on an account:
C. Consumer (“Credit”) Report Requests
In order to detect any of the red flags identified above when a credit or background report is sought, University personnel will take the following steps to assist in identifying address discrepancies:
VI. Preventing and Mitigating Identity Theft
In the event University personnel detect any identified red flags, such personnel shall notify their supervisor or the individual designated as the department’s Identity Theft Prevention Officer. Depending on the department’s assessment of the degree of risk posed by the red flag, one or more of the following steps should be taken.
A. Prevent and Mitigate
B. Protect Covered Account Personal Identifying Information (PII)
In order to further reduce the likelihood of identity theft occurring with respect to covered account PII, the department’s Identity Theft Prevention Officer shall take the following steps with respect to its internal operating procedures. These steps may require coordination with UAB Information Technology, Health System Information Services, or any other division responsible for the department’s technical support.
VII. Program Administration
The President of the University, or her or his designee, shall appoint a Program Administrator responsible for the identity theft prevention program. The Program Administrator shall work with the identity theft prevention officers designated by the departments to develop, implement, and monitor the effectiveness of this program and policy. Also, the Program Administrator shall communicate policy changes and updates to the Program.
B. Staff Training and Compliance Reports
C. Service Provider Arrangements
In the event the University engages a service provider to perform an activity in connection with one or more covered accounts, the University, through its contract review process, shall take the following steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft.
D. Non-disclosure of Specific Practices
For the effectiveness of the University’s Identity Theft Prevention Program, knowledge about specific red flag identification, detection, mitigation, and prevention practices should be limited to the Program Administrator, Identity Theft Prevention Officers, and departmental employees who are responsible for the implementation of this policy. Any documents that may be reviewed or produced in order to develop or implement this Program that list or describe such specific practices and the information those documents contain are considered confidential and should not be shared with other employees or the public. Also, all documents reviewed or produced as a result of identity theft, or in the investigation of potential identity theft, are considered confidential.
E. Program Updates
Changes in Federal regulations may require immediate changes to this policy. Also, the Program Administrator shall periodically review and update this policy and program to reflect changes in risks to customers and the University from identity theft. In doing so, the Program Administrator will consider the University's experiences with identity theft incidents, changes in the methods of identity theft and in the methods for its prevention, detection and mitigation, and changes in the University's business arrangements with other entities. After considering these factors and others as deemed necessary, the Program Administrator will be responsible for recommending policy changes to the appropriate University administrators.
VIII. Implementation of Policy
The Vice President for Financial Affairs and Administration through the Associate Vice President for Financial Affairs is responsible for procedures to implement this policy.
Identity Theft Prevention Policy
UAB List of Covered Accounts
As of March 1, 2011
The definition of a “covered account” is promulgated by the following regulatory agencies: Federal Trade Commission (FTC) 16 CFR 681.2; Department of the Treasury Office of the Comptroller of the Currency (OCC) 12 CFR 41.9; Federal Reserve System (FRS) 12 CFR 222.9; Federal Deposit Insurance Corporation (FDIC) 12 CFR 334.9; Department of the Treasury Office of Thrift Supervision (OTS) 12 CFR 571.9; National Credit Union Administration (NCUA) 12 CFR 717.9.
A “covered account” means: (i) an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and (ii) any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation or litigation risks.
The University will evaluate its accounts and customer relationships to update this list periodically as required by the regulations.
Covered Accounts Identified as of March 1, 2011: