2.37 Identity Theft Policy

Approved by the Ithaca College Board of Trustees on May 16, 2009

Purpose

Ithaca College (“College”) developed this Identity Theft Policy (“Program”) pursuant to the Federal Trade Commissions’ Red Flags Rule (“Rule”) which implements Section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACTA). The purpose of this policy is to establish an Identity Theft Prevention Program designed to reasonably detect, prevent and mitigate identity theft in connection with the opening of a covered account or an existing covered account and to provide for continued administration of the Program.


Responsible College Official

The President is given the authority by the Board to designate a Program Administrator of the Program. The Program Administrator shall exercise appropriate and effective oversight over the Program and shall report on cases of identity theft to the President. The Program Administrator will have the responsibility of developing, implementing and updating the program. It will also be the responsibility of the Program Administrator to develop an appropriate training program for relevant College staff on the Program.

The Program Administrator will periodically review the program to insure that any changes in the program reflect changes in technology that might impact on identify theft risks. In conducting the periodic review of the program, the Program Administrator will consider experiences of the College with identify theft, changes in identity theft methods, changes in identity theft detection and prevention methods, changes in types of accounts the College maintains and changes in the College’s business arrangements with other entities. The Program Administrator will update the Program if after conducting the periodic review it is determined whether the changes to Program are necessary or whether the listing of “Red Flags” needs to be modified.

If any changes are to be made following the periodic review of the Program, the Program Administrator shall annually inform the President of the College. The President’s approval shall be sufficient to make changes to the Program.

Definitions

Identify Theft means fraud committed or attempted using the identifying information of another person without authority. Pursuant to the Red Flag regulations at 16 C.F.R. section 681.2, the following definitions shall apply to the program:

“Covered Accounts”:

1. An account the College offers or maintains primarily for personal, family or household purposes that involves or is designed to permit multiple payment or transactions.

2. Any other account the College offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the College from Identity Theft.

“Red Flag”: A pattern, practice, or specific activity that indicates the possible existence of Identity Theft.

“Identity Theft”: A fraud committed using the identifying information of another person.

Covered Accounts

The College has identified the types of accounts that it maintains and has determined that the following may constitute covered accounts: financial aid transactions including, but not limited to, refund of credit balances, deferment of tuition payments and emergency loans, any on-line human resource transactions not password protected particularly related to pension and benefit transactions, transactions related to the addition or deletion of money related to the College’s ID Express, and any third party tuition payment plans used by the College

Identification of Relevant Red Flags

The following are relevant Red Flags which employees should be aware of and diligent in monitoring for in relation to the covered accounts listed above:

A. Notifications and Warnings from Credit Reporting Agencies including:

Report of fraud accompanying a credit report:
Notice or report from a credit agency of a credit freeze on a customer or applicant
Notice or report from a credit agency of an active duty alert for an applicant; and
Indication from a credit report of activity that is inconsistent with a customer’s usual pattern or activity.

B. Suspicious Documents

Identification document or card on which a person’s photograph or physical description is not consistent with the person presenting the document:
Identification document or card that appears to be forged, altered or inauthentic;
Other document with information that is not consistent with existing customer information(such as if a person’s signature on a check appears forged); and
Application for service that appears to have been altered or forged.

C. Suspicious Personal Identifying Information

Identifying information presented that is inconsistent with other information the customer provides (example: inconsistent birth dates);
Identifying information presented that is inconsistent with other sources of information (for instance, an address not matching an address on a credit report);
Identifying information presented that is the same as information shown on other applications that are found to be fraudulent;
Identifying information presented that is consistent with fraudulent activity (such as an invalid phone number or fictitious billing address);
Social security number presented that is the same as one given by another customer;
An address or phone number presented that is the same as that of another person;
A person fails to provide complete personal identifying information on an application when reminded to do so; and
A person’s identifying information is not consistent with the information that is on file for the customer.

D. Suspicious Account Activity or Unusual Use of Account:

Change of address for an account followed by a request to change the account holder’s name;
Payments stop on an otherwise consistently up-to-date account;
Account used in a way that is not consistent with prior use (example: very high activity);
Mail sent to the account holder is repeatedly returned as undeliverable;
Notice to the College that a customer is not receiving mail sent by the College;
Notice to the College that an account has unauthorized activity;
Breach in the College’s computer system security, and
• Unauthorized access to or use of customer account information

E. Alerts from Others

Notice to the College from a customer, identify theft victim, law enforcement or other person that it has opened or is maintaining a fraudulent account for a person engaged in Identify Theft.

Response to a Red Flag

Once potentially fraudulent activity is detected an employee must act quickly to provide an appropriate response to protect the affected person from damage or loss. Appropriate responses to Red Flags are as follows:

A. Deny access to the covered account until other information is available to eliminate the Red Flag.
B. Cancel the transaction
C. Notify and cooperate with law enforcement
D. Re-open a covered account with a new account number
E. Notify the affected person that fraud has been attempted
F. Change any passwords, security codes, or other security devices that permit access to a covered account.
G. Determine that no response is warranted under the particular circumstances.

Service Provider Arrangements

When the College engages a third party service provider, steps will be taken to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate identity theft. This review of service provider agreements needs to occur whenever the provider is providing services related to covered accounts.

Added: May 16, 2009