In response to the growing threat of Identity Theft, the United States Congress passed the Fair and Accurate Credit Transactions Act of 2003. This amendment to the Fair Credit Reporting Act charged the Federal Trade Commission (FTC) with developing rules regarding Identity Theft. On November 7, 2007, the FTC created the final rules known as the “Red Flag” rule, and they go into effect June 1, 2010. The Red Flag rule requires the institutions that hold “Covered Accounts” to develop and implement an Identity Theft prevention program for new and existing accounts.
Wright State University takes the possibility of Identity Theft seriously and has developed and implemented an Identity Theft Program. After consideration of the size of the University’s operations, accounting systems, and activities, the President’s Cabinet determined that this Program was appropriate for WSU and therefore, approved this Program on June 10, 2009.
1105.2 Policy Detection and Prevention of Identity Theft
The purpose of this document is to establish an Identity Theft Prevention Program designed to detect, prevent, and mitigate Identity Theft in connection with the opening of a Covered Account, use of an existing Covered Account, and to provide for continued administration of the Program.
- WSU’s Identity Theft Prevention Program
As a means of detecting and mitigating Identity Theft, Wright State’s Program requires the University to:
- Identify relevant red flags for Covered Accounts it offers or maintains and incorporate those red flags into the program;
- Detect red flags that have been incorporated into any program of the University;
- Respond appropriately to any red flags that are detected to prevent and mitigate Identity Theft; and
- Ensure the Program is updated periodically to reflect changes in risks to students and the soundness of the University’s program to protect against Identity Theft.
The Program shall, as appropriate, incorporate existing policies and procedures that control reasonably foreseeable risks.
Covered Account means:
- An account that the University offers or maintains that involves or is designed to permit multiple payments or transactions. Examples include Student A/R accounts, Student Installment Payment Plans, Special Payment Plans for past due accounts, Institutional Loans including the Federal Perkins Loan Program, Payroll Deductions for Voluntary Retirement Contributions and Donations, COBRA Payments for former employees, Wright 1 Card deposits and off-campus spending, Advancement Pledges and Donations, and Transcript Payments.
- Any other account that the University offers or maintains for which there is a reasonably foreseeable risk to students or to the safety and soundness of Wright State University from Identity Theft, including financial, operational, compliance, reputation or litigation risks. Examples include sensitive academic records (also covered under the Family Educational Rights & Privacy Act, FERPA) such as Student Grades, Grade Point Averages, Student Transcripts, Disciplinary Records and Student Health Records (also covered under the Health Insurance Portability & Accountability Act, HIPAA).
Identity Theft means a fraud committed or attempted using the Identifying Information of another person without authority.
Identifying Information means any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including: name, Social Security Number, date of birth, official state or government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number, student identification number, unique biometric data, or telecommunication identifying information or access device.
Red Flag means a pattern, practice or specific activity that indicates the possible existence of Identity Theft.
1105.3 Identifying Red Flags
Sources of Red Flags
- Incidents of Identity Theft that the University has experienced; and
- Methods of Identity Theft that the University has identified that reflect changes in Identity Theft risks.
Categories of Red Flags
Alerts, notifications or other warnings received from consumer reporting agencies or service providers, including but not limited to:
- A fraud or active duty alert included with a consumer report;
- A notice or credit freeze issued in response to a request to a consumer reporting agency for a consumer report;
- A notice of address discrepancy from a consumer reporting agency; and
- A consumer report indicating a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:
  - A recent and significant increase in the volume of inquiries.
  - An unusual number of recently established credit relationships.
  - A material change in the use of credit.
  - An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.
The presentation of suspicious documents, including but not limited to:
- Documents provided for identification that appear to have been altered or forged;
- Identification documents where the photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification;
- Identification documents where the identification information is not consistent with information provided by the person opening a new Covered Account or customer presenting the identification;
- Identification documents where the identification information is not consistent with readily accessible information that is on file with the University, such as signature card or a recent check; or
- An application that appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.
The presentation of suspicious personal identifying information may include but is not limited to:
- Personal identifying information that is inconsistent when compared against external information sources used by WSU. For example:
  - The address does not match any address in the consumer report;
- Personal identifying information that is not consistent with other personal identifying information provided by the customer or with information that is on file with the University;
- Personal identifying information that is associated with known fraudulent activity as indicated by internal or third-party sources used by the University;
- An SSN that is the same as that submitted by other persons opening an account or other Covered Account holders; or
- An incomplete application, or an incomplete response to a request for additional information.
The unusual use of or other suspicious activity related to a Covered Account, including but not limited to:
- A request that the University receives for a new, additional, or replacement card, or for the addition of authorized users on the account, shortly after receiving a notice of a change of address for a Covered Account;
- Use of a new revolving credit account in a manner commonly associated with known patterns of fraud. For example:
  - The majority of available credit is used for cash advances or merchandise that is easily convertible to cash; or
  - The Covered Account holder fails to make the first payment or makes an initial payment but no subsequent payments.
- Circumstances where mail sent to the Covered Account holders is returned repeatedly as undeliverable;
- Circumstances where the University is notified that the Covered Account holder is not receiving electronic account statements; or
- Circumstances where the University is notified of unauthorized charges or transactions in connection with a Covered Account or notice regarding possible Identity Theft in connection with Covered Accounts held by the University.
1105.4 Detecting Red Flags
It is Wright State University’s policy to obtain identifying information about, and verify the identity of, a person opening a Covered Account. In addition, it is the University’s policy to authenticate Covered Account holders, monitor transactions, and verify the validity of change of address requests in the case of existing Covered Accounts.
- Student Enrollment/New Accounts
When a student opens a new Covered Account, the University requires certain identifying information, such as name, date of birth, academic records, home address or other identification, and verifies the student’s identity at the time of issuance of a Wright1 or other student identification card by requiring the presentation of a driver’s license or other government-issued photo identification.
- Existing Accounts
In order to monitor for Red Flags in existing Covered Accounts, University personnel will take the following steps:
- Verify the identification of students requesting information regarding, or changes to, a Covered Account using a series of identifying questions or other appropriate means;
- Verify the validity of requests to change billing addresses by mail, email or telephone and provide the student with a reasonable means of promptly reporting incorrect billing address changes; and
- Verify changes in banking information given for billing and payment purposes.
1105.5 Responding to Detected Red Flags and Protecting Student Identifying Information
- Responding to Detected Red Flags
Wright State University shall take appropriate responsive action to the Red Flags that the University has detected, commensurate with the degree of risk posed. In determining an appropriate response, the University shall consider aggravating factors that may heighten the risk of Identity Theft, such as a data security incident that results in unauthorized access to a Covered Account holder’s account records held by the University, or notice that a Covered Account holder has provided information related to a Covered Account held by the University to someone fraudulently claiming to represent WSU or to a fraudulent website. Appropriate responses may include the following:
- Monitoring a Covered Account for evidence of Identity Theft;
- Contacting the Covered Account holder;
- Changing passwords, security codes, or other security devices that permit access to a Covered Account;
- Not opening a new Covered Account;
- Closing an existing Covered Account;
- Not attempting to collect on a Covered Account or not selling a Covered Account to a debt collector;
- Notifying law enforcement; or
- Determining that no response is warranted under the particular circumstances.
- Protecting Student Identifying Information
Wright State University is committed to protecting student Identifying Information. In order to further reduce the likelihood of Identity Theft occurring with respect to Covered Accounts, the University will ensure that University staff are familiar with the University’s data and file security policies, including, but not limited to:
- Wright State University Security Awareness
- Safeguarding of Financial and Personal Information (Gramm-Leach-Bliley Act)
- Computing Habits & Guidelines for Protected Information
or other security policies that may be added or amended as necessary.
- Incident Reporting
All attempted Identity Theft incidents should be reported using the University's online incident response form, which can be found at https://www.wright.edu/cgi-bin/incidentresponse.cgi.
1105.6 Administration and Reporting
- Administration Oversight
The AVP for Finance and University Controller is responsible for development, implementation and administration of the policy and all related procedures. The AVP for Finance and University Controller will obtain initial approval of the policy from the President’s Cabinet and will also be responsible for training oversight. Questions regarding the interpretation and implementation of this policy should be directed to the AVP for Finance and University Controller.
Appropriate and effective oversight of the policy will include reviewing reports prepared by staff regarding compliance by WSU and reviewing reports summarizing instances of possible Identity Theft.
The AVP for Finance and University Controller should report annually to the President’s Cabinet on compliance by the University with this policy and related procedures. The report should address material matters related to the policy and evaluate issues such as: the effectiveness of the policies and procedures in addressing the risk of Identity Theft in connection with the opening of Covered Accounts and with respect to existing Covered Accounts, service provider arrangements, significant incidents involving Identity Theft and the University’s response, and recommendations for material changes to the policy.
- Program Updates
WSU will annually determine whether it offers or maintains Covered Accounts. As part of this determination, the University will take into consideration the methods it provides to open its accounts, the methods it provides to access its accounts, and previous experiences with Identity Theft.
WSU will periodically update the policy and related procedures to reflect changes in risks to Covered Account holders or to the safety and soundness of the University from Identity Theft, based on factors such as:
- The experiences of the University with Identity Theft;
- Changes in methods of Identity Theft;
- Changes in methods to detect, prevent, and mitigate Identity Theft;
- Changes in the types of accounts that the University offers;
- Changes in the business arrangements of the University, including changes in service provider arrangements; or
- Legislative changes.
Training will be developed and conducted by Computing and Telecommunications Services (CaTS) staff for employees who handle Covered Accounts or have the ability to change SSNs, addresses, etc. CaTS will work with the AVP for Finance and University Controller to identify specific staff members who must receive training on this policy and all related procedures. Because processes and procedures change year to year, the AVP for Finance and University Controller will annually review the departments and staff members that must be trained and document the training accordingly.
It is also the responsibility of all applicable departments to take the concepts and procedures outlined in this policy and in the CaTS training and apply them to their own operating units and develop a red flag program that sufficiently addresses red flags that are specific to those operating units. Each employee in those operating units must then be trained to gain a full understanding of its specific red flag program.
1105.7 Contractors and Third-Party Service Providers
WSU will exercise appropriate oversight of service provider arrangements.
It is the responsibility of WSU departments that engage third-party service providers to perform activities on Covered Accounts to ensure that the activities of these service providers and contractors are conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of Identity Theft.
WSU Purchasing will include appropriate language in Invitation-To-Negotiate documents and in associated contracts where applicable.
Contractors and service providers must notify WSU of any security incidents, even if such incidents may not have led to any actual compromise of WSU’s data.