BALL STATE UNIVERSITY
IDENTITY THEFT PREVENTION PROGRAM
I PROGRAM ADOPTION. Ball State University ("University") has developed this Identity Theft Prevention Program (the "Program") pursuant to the "Red Flags" Rules, which implement Section 114 of the Fair and Accurate Transactions Act of 2003. The University is engaging in activities which are covered by the Red Flags Rules and the Board of Trustees has determined that this Program is appropriate for the University.
II PROGRAM PURPOSE. The University adopts this Program in an effort to detect, prevent and mitigate identity theft in connection with its covered accounts. The Program is further intended to help protect students, faculty, staff and other constituents and the University from damages related to the fraudulent activity of identity theft.
III SCOPE. This Program applies to students, faculty, staff and other constituents at the University.
IV IDENTITY THEFT PROTECTION.
A. Definitions. The following Red Flags Rules definitions shall apply to this Program:
1. "Account" means a continuing relationship established by a person with a creditor to obtain a product or service for personal, family, household or business purposes.
2. "Covered Account":
i. Any account the University offers or maintains primarily for personal, family
or household purposes that involves multiple
payments or transactions; and
ii. Any other account the University offers or
maintains for which there is a reasonably
foreseeable risk to customers or to the safety
or soundness of the University from identity
theft.
3. "Credit" is the right granted by a creditor to a
debtor to defer payment of debt or to incur debt and
defer its payment or to purchase property or
services and defer payment thereto.
4. "Creditor" is an entity that regularly extends,
renews, or continues credit or an entity that
regularly arranges for the extension, renewal or
continuation of credit. Examples of activities that
indicate that a university is a "creditor" are:
· Participation in the Federal Perkins Loan
program;
· Participation as a school lender in the Federal
Family Education Loan Program;
· Offering institutional loans to students, faculty or
staff; and
· Offering a plan for payment of tuition or fees
throughout the semester, rather than requiring full
payment at the beginning of the semester.
5. "Customer" is any person with a covered account
with a creditor.
6. "Identifying information" means any name or
number that may be used, alone or in conjunction
with any other information, to identify a specific
person, including:
· Name
· Address
· Telephone number
· Social Security number
· Date of birth
· Government issued driver's license or
identification number
· Alien registration number
· Government passport number
· Employer or taxpayer identification number
· Unique electronic identification number
· Telecommunication identifying information or
access device
· Computer's Internet Protocol address or routing
code.
7. "Identity Theft" means a fraud committed or
attempted using the identifying information of
another person.
8. "Red Flag" means a pattern, practice, or specific
activity that indicates the possible existence of
identity theft.
V IDENTIFICATION OF RED FLAGS. In order to identify relevant Red Flags, the University considers the types of accounts that it offers and maintains, the methods it provides to open its accounts, the methods it provides to access its accounts, and its previous experiences with identity theft. The following Red Flags are potential indicators of fraud. Any time a Red Flag, or a situation closely resembling a Red Flag, is apparent, it should be investigated for verification.
A. Notifications and Warnings from a Consumer
Reporting Agency. Examples of these Red Flags
include the following:
1. A fraud or active duty alert included with a
consumer report;
2. A notice of credit freeze from a consumer
reporting agency in response to a request for a
consumer report;
3. A notice of address discrepancy from a
consumer reporting agency in response to a
consumer report request;
4. A consumer report that indicates a pattern of
activity inconsistent with the history and usual
pattern of activity of an applicant or customer,
such as:
· A recent and significant increase in the volume
of inquiries;
· An unusual number of recently established
credit relationships;
· A material change in the use of credit,
especially with respect to recently established
credit relationships; or
· An account that was closed by a financial
institution or creditor for cause or identified
for abuse of account privileges.
B. Suspicious Documents. Examples of these Red
Flags include the following:
1. Documents provided for identification that appear
to have been altered or forged;
2. The photograph or physical description on the
identification is not consistent with the appearance
of the student, faculty, staff, and other constituent
presenting the identification;
3. Other information on the identification is not
consistent with information provided by the
person opening a new covered account or student,
faculty, staff, and other constituent presenting the
identification;
4. Other information on the identification is not
consistent with readily accessible information that
is on file with the University; and
5. An application appears to have been altered or
forged, or gives the appearance of having been
destroyed and reassembled.
C. Suspicious Personally Identifying Information.
Examples of these Red Flags include the following:
1. Personally identifying information provided is
inconsistent when compared against external
information sources used by the University;
2. Personally identifying information provided is
associated with known fraudulent activity as
indicated by internal or third-party sources used
by the University;
3. Personally identifying information provided is of
a type commonly associated with fraudulent
activity as indicated by internal or third-party
sources used by the University;
4. The Social Security Number (SSN) provided is
the same as that submitted by another student,
faculty, staff, or constituent;
5. The person opening the covered account fails to
provide all required personally identifying
information on an application or in response to
notification that the application is incomplete;
6. Personally identifying information provided is not
consistent with personal identifying information
that is on file with the University; and
7. When using security questions (mother's maiden
name, pet's name, etc.), the person opening the
covered account cannot provide authenticating
information beyond that which generally would be
available from a wallet or consumer report.
D. Suspicious Account Activity or Unusual Use of
Covered Account. Examples of these Red Flags
include the following:
1. Shortly following the notice of a change of
address for a covered account, the University
receives a request for new, additional, or
replacement goods or services, or for the addition
of authorized users on the account;
2. A covered account is used in a manner that is not
consistent with established patterns of activity on
the account;
3. A covered account that has been inactive for a
reasonably lengthy period of time is used (taking
into consideration the type of account, the
expected pattern of usage and other relevant
factors);
4. Mail sent to the student, faculty, staff, or other
constituent is returned repeatedly as
undeliverable although transactions continue to be
conducted in connection with the covered
account;
5. The University is notified that the student, faculty,
staff, or other constituent is not receiving paper
account statements;
6. The University is notified of unauthorized charges
or transactions in connection with a covered
account;
7. The University receives notice from students,
faculty, staff, or other constituents, victims of
identity theft, law enforcement authorities, or
other persons regarding possible identity theft in
connection with covered accounts held by the
University; and
8. The University is notified by a student, faculty,
staff, or other constituent, a victim of identity
theft, a law enforcement authority, or any other
person that it has opened a fraudulent account for
a person engaged in identity theft.
VI DETECTING RED FLAGS. The Program's general Red Flags detection practices are described in this document. The Program Administrator will develop and implement specific methods and protocols appropriate to meet the requirements of this Program.
A. Detection. Once a Red Flag, or potential Red Flag,
is detected, University personnel should endeavor to
act quickly as a rapid response can protect students,
faculty, staff, and other constituents and the
University from damages and loss.
B. Documentation. University personnel should quickly
gather all related documentation and follow the
procedures implemented in the affected campus
department or unit.
C. Responding to Red Flags and Mitigating Identity
Theft. In the event University personnel detect any
identified Red Flags, appropriate steps to respond
and mitigate shall be instituted depending on the
nature and degree of risk posed by the Red Flag,
including but not limited to the following examples:
1. Continue to monitor an account for evidence of
identity theft;
2. Change any passwords or other security devices
that permit access to accounts;
3. Not open a new account;
4. Close an existing account;
5. Reopen an account with a new number;
6. Cancel the transaction;
7. Notify and cooperate with appropriate law
enforcement;
8. Notify the student, faculty, staff or other
constituent that fraud has been
attempted; and
9. Determine that no response is warranted under
the particular circumstances.
VII PROGRAM ADMINISTRATION.
A. Oversight. Establishment of the Identity Theft
Prevention Program is the responsibility of the
University's Board of Trustees. Operational
responsibility of the Program, including but not
limited to the oversight, development,
implementation, and administration of the Program,
approval of needed changes to the Program, and
implementation of needed changes to the Program is
delegated to the University's Vice President for
Business Affairs and Treasurer, or a designee of
the Vice President for Business Affairs and
Treasurer. A Program Administrator may be
designated by the Vice President for Business
Affairs and Treasurer and shall be responsible for
developing, implementing, and updating the
Program throughout the University; ensuring
appropriate training of University personnel on the
Program; reviewing any staff reports regarding the
detection of Red Flags and the steps for identifying,
preventing, and mitigating identity theft;
determining which steps of prevention and
mitigation should be taken in particular
circumstances; and considering periodic changes to
the Program. The Program Administrator shall
report at least annually to the Vice President for
Business Affairs and Treasurer on compliance with
the Program and make recommendations, if needed,
for material changes to the Program.
B. Training of University Personnel. Training shall
be conducted for all University personnel for whom
it is reasonably foreseeable, as determined by the
Vice President for Business Affairs and Treasurer
for the Program Administrator, that the employee
may come into contact with accounts or personally
identifiable information that may constitute a risk to
the University or its students, faculty, staff or other
constituents. The University's Office of Human
Resource Services is responsible, with assistance
from the Program Administrator, for ensuring that
identity theft training is conducted for all
employees for whom it is required. Training in all
elements of the Program shall be conducted for all
appropriate University personnel upon the initiation
of the Program and such employees shall continue
to receive additional training as changes to the
Program are made.
C. Service Provider Arrangements. In the event the
University engages a service provider to perform
an activity in connection with one or more
accounts, the University will take the following
steps to ensure the service provider performs its
activity in accordance with reasonable policies
and procedures designed to detect, prevent, and
mitigate the risk of identity theft:
1. Require, by contract, that service providers
have such policies and procedures in place; and
2. Require, by contract, that service providers
review the University's Program and report any
Red Flags to the Program Administrator or the
University employee with primary oversight of
the service provider relationship.
D. Application of Other Laws and University
Policies. University personnel should make
reasonable efforts to secure confidential
information to the proper extent required by law or
University policies. Furthermore, this Program
should be applied in conjunction with the Family
Education Rights and Privacy Act ("FERPA"), the
Gramm Leach Bliley Act ("GLBA"), the Indiana
Release of Social Security Number Act, the
University's GLBA Information Security Program,
the University's Information Technology
Confidentiality and Information Access Agreement,
and other applicable state and federal rules,
regulations and laws and other applicable
University policies. If an employee is uncertain of
the confidentiality of a particular piece of
information, the employee should contact the
University's Office of University Compliance.
Approved by the Board of Trustees 05/14/09
