The risk to the college, its employees and students from data loss and identity
theft is of significant concern to the college and can only be reduced through
the combined efforts of every employee and contractor. The college adopts this
sensitive information policy to help protect employees, students, contractors
and the college from damages related to the loss or misuse of sensitive information.
This policy will:
the physical security of data when it is printed on paper
the electronic security of data when stored and distributed
This policy and protection program applies to employees, contractors,
consultants, temporary workers, and other workers at the college (volunteers,
student ambassadors), including all personnel affiliated with third
DEFINITION OF SENSITIVE INFORMATION
Sensitive information includes the following items whether stored
in electronic, printed format or verbally shared:
Information – Sensitive information consists of personal information
including, but not limited to:
Card Information, including any of the following:
Card Number (in part or whole)
Card Expiration Date
Payment Information, including any of the following:
- EFT – EDI – Draft – Bank
Name & Address
Identification Numbers, including:
Related Information, including:
- W-2’s & W-4’s
- 1099’s & 1098’s
Tax Related Information Related to Filing
Related Information for any employees or students
Information, including, among other information:
Plan Check Requests and associated paperwork
(including online information)
Information for any employee or student,
including but not limited to:
names and claims
related personal medical information
Personal Information belonging to students,
employees and contractors, examples of
Information – Sensitive college information includes, but is
not limited to:
employee, student, vendor, supplier confidential, proprietary
information or trade secrets (except documents subject to the
Open Records Act).
document marked “confidential,” “sensitive,” “proprietary,” or
any document similarly labeled.
personnel are encouraged to use common sense judgment in securing the
college’s confidential information to the proper extent. For
personnel, faculty, and students should use common sense and
appropriate diligence, and follow other applicable law and/or
college policy, in any request/transaction outside the scope
of the program that could have information security or identity
theft implications: non-financial transaction (e.g., transcript
requests, requests for issuance of keys to campus offices, requests
to give an employee or student access to a sensitive or confidential
database, or access to locked areas).
an employee transports sensitive/non-public information/personal
identifying information and needs to leave the vehicle while
out, these items and all other sensitive/non-public information/personal
identifying information need to be placed out of sight (ex. under
seat/in trunk) and vehicle must be locked. All sensitive/non-public
information/personal identifying information must be returned
to the college location (unless authorized to retain overnight)
before leaving for the day. Any sensitive/non-public information
retained by employee must be kept inside a secured home/facility
If an employee is uncertain of the sensitivity of a particular
piece of information, he/she should contact their supervisor/manager.
HARD COPY DISTRIBUTION
Every employee and contractor performing work for the college will
comply with the following policies:
rooms containing documents with sensitive information and record
retention areas will be locked at the end of each workday.
workstations, work areas, printers and fax machines, and common shared
work areas will be cleared of all documents containing sensitive
information when not in use.
documents containing sensitive information are discarded, they will
be placed inside a locked shred bin. Locked shred bins are labeled “Confidential
paper shredding and recycling.” If you need any assistance
in locating one of these bins, please contact a supervisor/manager.
RED FLAG RULES IDENTITY THEFT PREVENTION PROGRAM
Putting the Identity Theft Prevention Program in place enables
the college to protect existing students, reduce risk from identity
fraud and minimize potential damage to the college from fraudulent
new accounts. The program will help the college:
risks that signify potentially fraudulent activity within new or
existing covered accounts
risks when they occur in covered accounts
to risks to determine if fraudulent activity has occurred and act
if fraud has been attempted or committed
the program periodically, including reviewing accounts that are covered
and identified risks that are part of the program.
The college has a primary relationship with its employees and students
other than as a creditor or lender, unlike the creditors/lenders
for which the Red Flags Rule was designed. Based on these relationships
of employer-employee and student-educational institution, various
identity verification measures are already in place under other applicable
laws/regulations/programs and should be used consistently (e.g.,
I-9 employment eligibility verification for employees (with DOB included),
National Student Clearinghouse, FAFSA for students, student identification
cards/government-issued passports/state-issued ID and driver’s licenses).
The Program does not take the place of any such independent requirements.
Every new and existing customer account that meets the following
criteria is covered by this program.
personal and household information for which there is a reasonably
foreseeable risk of identity theft.
personal and household information for which there is a reasonably
foreseeable risk to the safety and/or soundness of the college from
identity theft, including financial, operational, compliance, reputation,
or litigation risks.
The following ‘Red Flags’ are potential indicators
of fraud. Any time a Red Flag, or a situation closely
resembling a Red Flag, is apparent, it should be investigated for verification.
provided for identification appear to have been altered or
forged (e.g. lamination from driver’s license is not
photograph or physical description on the identification is
not consistent with the appearance of the applicant/student/employee
presenting the identification.
information on the identification is not consistent with information
provided by the person opening a new covered account or student/employee
presenting the identification (e.g. verbal information is not
consistent with printed information).
information on the identification is not consistent with readily
accessible information that is on file with the college, such
as a signature card or a recent check.
application appears to have been altered or forged, or gives
the appearance of having been destroyed and reassembled.
Personal Identifying Information
identifying information provided by the student/employee is not
consistent with other personal identifying information provided
by the student/employee. For example:
Information collected from the FAFSA
and other data collected are inconsistent (William Smith-Bill
Loan information and enrollment information
Students may have multiple/different
college ID numbers.
identifying information provided is associated with known fraudulent
activity as indicated by internal or third-party sources used
by the financial institution or creditor. For example:
The address on an application is the
same as the address provided on a fraudulent application.
identifying information provided is of a type commonly associated with
fraudulent activity as indicated by internal or third-party sources
used by the college. For example:
The address on an application is fictitious,
a mail drop or prison.
The phone number is invalid.
SSN provided is the same as that submitted by other persons opening
an account or other students/employees.
address or telephone number provided is the same as or similar
to the address or telephone number submitted by an unusually
large number of other persons opening accounts or other students/employees.
person opening the covered account fails to provide all required
personal identifying information on an application or in response
to notification that the application is incomplete.
Use of, or Suspicious Activity Related to, the Covered Account
following the notice of a change of address for a covered account,
the institution or creditor receives a request for a change of student/employee’s
name or a new student identification card.
new revolving credit account is used in a manner commonly associated
with known patterns of fraud. For example:
The student/employee fails to make the
first payment or makes an initial payment but no subsequent
covered account is used in a manner that is not consistent with
established patterns of activity on the account. There is, for
Nonpayment when there is no history
of late or missed payments.
sent to the student/employee is returned repeatedly as undeliverable
although transactions continue to be conducted in connection with the
student/employee’s covered account.
college is notified that the student/employee is not receiving
from students/employees, victims of identity theft, law enforcement
authorities, service providers or other persons regarding possible
identity theft in connection with covered accounts held by the college.
college is notified of unauthorized charges or transactions in connection
with a student/employee’s covered account.
college is notified by a student/employee, a victim of identity
theft, a law enforcement authority or any other person that it
has opened a fraudulent account for a person engaged in identity
to the college of unauthorized access to or use of employee or
student account information.
is a breach in the college’s computer system security affecting
the employee’s/student’s account or loan.
RESPONDING TO RED FLAGS
Once potentially fraudulent activity is detected, it is essential
to act quickly, as a rapid, appropriate response can protect students/employees
and the college from damages and loss.
potentially fraudulent activity is detected, gather all related documentation
and write a description of the situation. Take this information and
present it to the designated authority for determination.
a transaction is determined to be fraudulent, appropriate actions
must be taken immediately. Actions may include:
an affected account and re-open with a new account number
any passwords or other access codes that permit access to the
actual student/employee that fraud has been attempted
to monitor account for evidence of identity theft
and cooperate with appropriate law enforcement
extent of liability to college
student/employee complete an Information Discrepancy Affidavit
PERIODIC UPDATES TO PLAN
needed, the program will be re-evaluated to determine whether all
aspects of the program are up to date and applicable in the current
reviews will include an assessment of which accounts are covered
by the program.
part of the review, Red Flags may be revised, replaced or eliminated.
New Red Flags may also be appropriate.
to take in the event that fraudulent activity is discovered may also
require revision to reduce damage to the college and its students/employees.
of Senior Administration
Identity Theft Prevention Program shall not be operated as
an extension to existing fraud prevention programs and its
importance warrants the highest level of attention.
Identity Theft Prevention Program is the responsibility of
the Board of Trustees. Approval of the initial plan must be
appropriately documented and maintained.
responsibility of the program can be delegated by the administration.
training shall be conducted for all employees, contractors, consultants,
temporary workers, and other workers at the college (volunteers-Student
Ambassadors), for whom it is reasonably foreseeable that they
may come into contact with accounts or Personally Identifiable
Information which may constitute a risk to the college or its
members shall continue to receive training as required as changes
to the program are made to ensure maximum effectiveness of the
of Service Provider Arrangements
is the responsibility of the college to ensure that the activities
of all Service Providers are conducted in accordance with reasonable
policies and procedures designed to detect, prevent, and mitigate
the risk of identity theft. If the college engages a service
provider to perform an activity in connection with one or more
accounts or loans covered by the Program, the college should
require, by contract, that the service provider will perform
its activity in accordance with reasonable policies and procedures
designed to detect, prevent and mitigate the risk of Identity
Theft and that the service provider will report any red flags
it detects to a member of the college administration with primary
responsibility for that service provider relationship.
ROLES AND RESPONSIBILITIES
Administration will have the responsibility to adopt, implement and
enforce this policy and ensure that it is followed by employees and
contractors. Additional responsibilities regarding the operation of
the Identity Theft Prevention Program may be outlined above or as listed
in additional written guidance.
|Board of Trustees
||In addition to the plain meaning, for colleges that
do not have a Board of Trustees, this
term is defined as a designated employee at the senior level of management.
||A printout of data stored in a computer. It is considered hard
because it exists physically
on paper, whereas a soft copy exists only electronically.
||Any person or entity that maintains, processes, or otherwise
is permitted access to
student/employee information or consumer information through the provision of
services directly to the college.
||Fraud committed or attempted by the unauthorized use of personal
identifying information of another person.
|Personal Identifying Information (PII)
||A name or number that can be used alone or with other information
to identify a specific person.
Ex: Name, SSN, DOB, etc.
|Non-Public Information (NPI)
||Information that is classified as sensitive information and not
available for public display. Ex: Name, Address, Phone Number,
SSN, DOB, Driver’s License
|| It is a pattern, practice or specific activity that indicates
the reasonable possibility of Identity Theft.
Any employee found to have violated this policy may be
subject to disciplinary action, up to and including termination of
Adopted December 14, 2009