I. Program Adoption
Ball State University ("University") has developed this Identity Theft Prevention Program (the "Program") pursuant to the "Red Flags" Rules, which implement Section 114 of the Fair and Accurate Transactions Act of 2003. The University is engaging in activities which are covered by the Red Flags Rules and the Board of Trustees has determined that this Program is appropriate for the University.
II. Program Purpose
The University adopts this Program in an effort to detect, prevent and mitigate identity theft in connection with its covered accounts. The Program is further intended to help protect students, faculty, staff and other constituents and the University from damages related to the fraudulent activity of identity theft.
This Program applies to students, faculty, staff and other constituents at the University.
IV. Identity Theft Protection
A. Definitions. The following Red Flags Rules definitions shall apply to this Program:
1. "Account" means a continuing relationship established by a person with a creditor to obtain a product or service for personal, family, household or business purposes.
2. "Covered Account":
i. Any account the University offers or maintains primarily for personal, family or household purposes that involves multiple payments or transactions; and
ii. Any other account the University offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety or soundness of the University from identity theft.
3. "Credit" is the right granted by a creditor to a debtor to defer payment of debt or to incur debt and defer its payment or to purchase property or services and defer payment thereto.
4. "Creditor" is an entity that regularly extends, renews, or continues credit or an entity that regularly arranges for the extension, renewal or continuation of credit. Examples of activities that indicate that a university is a "creditor" are:
- Participation in the Federal Perkins Loan program;
- Participation as a school lender in the Federal Family Education Loan Program;
- Offering institutional loans to students, faculty or staff; and
- Offering a plan for payment of tuition or fees throughout the semester, rather than requiring full payment at the beginning of the semester.
5. "Customer" is any person with a covered account with a creditor.
6. "Identifying information" means any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including:
- Telephone number
- Social Security number
- Date of birth
- Government issued driver's license or identification number
- Alien registration number
- Government passport number
- Employer or taxpayer identification number
- Unique electronic identification number
- Telecommunication identifying information or access device
- Computer's Internet Protocol address or routing code
7. "Identity Theft" means a fraud committed or attempted using the identifying information of another person.
8. "Red Flag" means a pattern, practice, or specific activity that indicates the possible existence of identity theft.
V. Identification Of Red Flags
In order to identify relevant Red Flags, the University considers the types of accounts that it offers and maintains, the methods it provides to open its accounts, the methods it provides to access its accounts, and its previous experiences with identity theft. The following Red Flags are potential indicators of fraud. Any time a Red Flag, or a situation closely resembling a Red Flag, is apparent, it should be investigated for verification.
A. Notifications and Warnings from a Consumer Reporting Agency.
Examples of these Red Flags include the following:
1. A fraud or active duty alert included with a consumer report;
2. A notice of credit freeze from a consumer reporting agency in response to a request for a consumer report;
3. A notice of address discrepancy from a consumer reporting agency in response to a consumer report request;
4. A consumer report that indicates a pattern of activity inconsistent with the history and usual pattern of activity of an applicant or customer, such as:
- A recent and significant increase in the volume of inquiries;
- An unusual number of recently established credit relationships;
- A material change in the use of credit, especially with respect to recently established credit relationships; or
- An account that was closed by a financial institution or creditor for cause or identified for abuse of account privileges.
B. Suspicious Documents.
Examples of these Red Flags include the following:
1. Documents provided for identification that appear to have been altered or forged;
2. The photograph or physical description on the identification is not consistent with the appearance of the student, faculty, staff, or other constituent presenting the identification;
3. Other information on the identification is not consistent with information provided by the person opening a new covered account or student, faculty, staff, or other constituent presenting the identification;
4. Other information on the identification is not consistent with readily accessible information that is on file with the University; and
5. An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.
C. Suspicious Personally Identifying Information.
Examples of these Red Flags include the following:
1. Personally identifying information provided is inconsistent when compared against external information sources used by the University;
2. Personally identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the University;
3. Personally identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the University;
4. The Social Security Number (SSN) provided is the same as that submitted by another student, faculty, staff, or constituent;
5. The person opening the covered account fails to provide all required personally identifying information on an application or in response to notification that the application is incomplete;
6. Personally identifying information provided is not consistent with personal identifying information that is on file with the University; and
7. When using security questions (mother's maiden name, pet's name, etc.), the person opening the covered account cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.
D. Suspicious Account Activity or Unusual Use of Covered Account.
Examples of these Red Flags include the following:
1. Shortly following the notice of a change of address for a covered account, the University receives a request for new, additional, or replacement goods or services, or for the addition of authorized users on the account;
2. A covered account is used in a manner that is not consistent with established patterns of activity on the account;
3. A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors);
4. Mail sent to the student, faculty, staff, or other constituent is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the covered account;
5. The University is notified that the student, faculty, staff, or other constituent is not receiving paper account statements;
6. The University is notified of unauthorized charges or transactions in connection with a covered account;
7. The University receives notice from students, faculty, staff, or other constituents, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the University; and
8. The University is notified by a student, faculty, staff, or other constituent, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.
VI. Detecting Red Flags
The Program's general Red Flags detection practices are described in this document. The Program Administrator will develop and implement specific methods and protocols appropriate to meet the requirements of this Program.
A. Detection. Once a Red Flag, or potential Red Flag, is detected, University personnel should endeavor to act quickly, as a rapid response can protect students, faculty, staff, and other constituents and the University from damages and loss.
B. Documentation. University personnel should quickly gather all related documentation and follow the procedures implemented in the affected campus department or unit.
C. Responding to Red Flags and Mitigating Identity Theft. In the event University personnel detect any identified Red Flags, appropriate steps to respond and mitigate shall be instituted depending on the nature and degree of risk posed by the Red Flag, including but not limited to the following examples:
1. Continue to monitor an account for evidence of identity theft;
2. Change any passwords or other security devices that permit access to accounts;
3. Not open a new account;
4. Close an existing account;
5. Reopen an account with a new number;
6. Cancel the transaction;
7. Notify and cooperate with appropriate law enforcement;
8. Notify the student, faculty, staff or other constituent that fraud has been attempted; and
9. Determine that no response is warranted under the particular circumstances.
VII. Program Administration
A. Oversight. Establishment of the Identity Theft Prevention Program is the responsibility of the University's Board of Trustees. Operational responsibility of the Program, including but not limited to the oversight, development, implementation, and administration of the Program, approval of needed changes to the Program, and implementation of needed changes to the Program is delegated to the University's Vice President for Business Affairs and Treasurer, or a designee of the Vice President for Business Affairs and Treasurer. A Program Administrator may be designated by the Vice President for Business Affairs and Treasurer and shall be responsible for developing, implementing, and updating the Program throughout the University; ensuring appropriate training of University personnel on the Program; reviewing any staff reports regarding the detection of Red Flags and the steps for identifying, preventing, and mitigating identity theft; determining which steps of prevention and mitigation should be taken in particular circumstances; and considering periodic changes to the Program. The Program Administrator shall report at least annually to the Vice President for Business Affairs and Treasurer on compliance with the Program and make recommendations, if needed, for material changes to the Program.
B. Training of University Personnel. Training shall be conducted for all University personnel for whom it is reasonably foreseeable, as determined by the Vice President for Business Affairs and Treasurer for the Program Administrator, that the employee may come into contact with accounts or personally identifiable information that may constitute a risk to the University or its students, faculty, staff or other constituents. The University's Office of Human Resource Services is responsible, with assistance from the Program Administrator, for ensuring that identity theft training is conducted for all employees for whom it is required. Training in all elements of the Program shall be conducted for all appropriate University personnel upon the initiation of the Program and such employees shall continue to receive additional training as changes to the Program are made.
C. Service Provider Arrangements. In the event the University engages a service provider to perform an activity in connection with one or more accounts, the University will take the following steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft:
1. Require, by contract, that service providers have such policies and procedures in place; and
2. Require, by contract, that service providers review the University's Program and report any Red Flags to the Program Administrator or the University employee with primary oversight of the service provider relationship.
D. Application of Other Laws and University Policies. University personnel should make reasonable efforts to secure confidential information to the proper extent required by law or University policies. Furthermore, this Program should be applied in conjunction with the Family Educational Rights and Privacy Act ("FERPA"), the Gramm-Leach-Bliley Act ("GLBA"), the Indiana Release of Social Security Number Act, the University's GLBA Information Security Program, the University's Information Technology Confidentiality and Information Access Agreement, and other applicable state and federal rules, regulations and laws and other applicable University policies. If an employee is uncertain of the confidentiality of a particular piece of information, the employee should contact the University's Office of University Compliance.
Approved by the Board of Trustees 05/14/09