Policy 4-006: Identity Theft Prevention Program
- Purpose and Scope
- This policy outlines the requirements for complying with the Fair and Accurate Credit Transaction Act of 2003 to prevent, mitigate and respond to Identity Theft. This policy applies to all “Covered Accounts” and to University departments that defer payments, allow multiple payments over time, or utilize credit reports for employment or credit decisions.
- Definitions
- Covered Account means a financial account used mostly for personal, family, or household purposes, and that involves deferred or multiple payments or transactions. Covered accounts include credit card payments, checking or savings accounts, cell phone accounts, and those where the University has extended credit to individual students, staff, faculty, patients, or visitors. A covered account is also an account for which there is a foreseeable risk of identity theft.
- Identity Theft means a fraud committed using the identifying information of another person.
- Red Flag means a pattern, practice, or specific activity that indicates the possible risk of identity theft.
- Policy
- The IT Compliance Office will develop, routinely update, and distribute guidance which
outlines methods of detecting Identity Theft Red Flags. In developing the guidance,
the following will be considered:
- Experience with Identity Theft;
- Changes in methods of Identity Theft; or
- Changes in methods to detect, prevent, and mitigate Identity Theft.
- Departments which have covered accounts shall review the guidance and update policies and procedures relevant to their operations, to reflect changes in risk, based on the published guidance.
- The IT Compliance Office shall also periodically assess departments to ensure compliance and, where gaps exist, assist departments in coming into compliance.
- The IT Compliance Office shall provide training to all departments identified as having covered accounts.
- The University Chief Information Officer provides oversight for this program, after
written approval from the Board of Trustees has been obtained.
- [Note: Parts IV-VII of this Regulation (and all other University Regulations) are Regulations Resource Information – the contents of which are not approved by the Academic Senate or Board of Trustees, and are to be updated from time to time as determined appropriate by the cognizant Policy Officer and the Institutional Policy Committee, as per Policy 1-001 and Rule 1-001.]
- Rules, Procedures, Guidelines, Forms and other related resources
- Rules
- Procedures
- Guidelines
- Memo Re: University Compliance with the Fair and Accurate Credit Transaction Act of 2003
- Forms
- Other related resource materials
- References
- Policy 4-004, University Information Technology Resource Security Policy
- Policy 4-001, University Institutional Data Management Policy
- Fair and Accurate Credit Transaction Act of 2003 (FACTA)
- Federal Trade Commission 16 CFR Part 681, Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003
- Contacts:
- The designated contact officials for this Policy are:
- Policy Owner (primary contact person for questions and advice): Chief Information Security and Privacy Officer.
- Policy Officer: Chief Information Officer
- These officials are designated by the University President or delegee, with assistance of the Institutional Policy Committee, to have the following roles and authority, as provided in University Rule 1-001:
- "A 'Policy Officer' will be assigned by the President for each University Policy, and will typically be someone at the executive level of the University (i.e., the President and his/her Cabinet Officers). The assigned Policy Officer is authorized to allow exceptions to the Policy in appropriate cases.... "
- "The Policy Officer will identify an 'Owner' for each Policy. The Policy Owner is an expert on the Policy topic who may respond to questions about, and provide interpretation of the Policy; and will typically be someone reporting to an executive level position (as defined above), but may be any other person to whom the President or a Vice President has delegated such authority for a specified area of University operations. The Owner has primary responsibility for maintaining the relevant portions of the Regulations Library... .[and] bears the responsibility for determining -requirements of particular Policies... ." University Rule 1-001-III-B & E
- History:
- Current version: Revision 0
- Presented for the information of the Academic Senate: May 4, 2009
- Approved by the Board of Trustees: May 12, 2009
- Revision History:
- This Policy was originally listed as a Rule (Rule 4-004) attached to Policy 4-004. When approved as a Policy it was renumbered as Policy 4-006.
- Rule 4-004 Revision 0: effective October 27, 2008 to May 11, 2009
Policy 4-006 Rev: 0
Date: May 12, 2009