Policies & Procedures
148.00 SENSITIVE INFORMATION AND RED FLAG RULES
The risk to the college, its employees and students from data loss and identity theft is of significant concern to the college and can only be reduced through the combined efforts of every employee and contractor. The college adopts this sensitive information policy to help protect employees, students, contractors and the college from damages related to the loss or misuse of sensitive information. This policy will:
- Describe the physical security of data when it is printed on paper
- Describe the electronic security of data when stored and distributed
This policy and protection program applies to employees, contractors, consultants, temporary workers, and other workers at the college (volunteers, student ambassadors), including all personnel affiliated with third parties.
DEFINITION OF SENSITIVE INFORMATION
Sensitive information includes the following items whether stored in electronic, printed format or verbally shared:
Information – Sensitive information consists of personal information including, but not limited to:
Credit Card Information, including any of the following:
- Credit Card Number (in part or whole)
- Card Expiration Date
Payment Information, including any of the following:
- EFT – EDI – Draft – Bank
Name & Address
- Bank account numbers
Identification Numbers, including:
- Social Security Number
Related Information, including:
- W-2’s & W-4’s
- 1099’s & 1098’s
Tax Related Information Related to Filing
Related Information for any employees or students
- W-2’s & W-4’s
Information, including, among other information:
Plan Check Requests and associated paperwork
(including online information)
Information for any employee or student, including but not limited to:
- Doctor names and claims
- related personal medical information
Personal Information belonging to students, employees and contractors, examples of
- Student Number
- Date of Birth
Information – Sensitive college information includes, but is not limited to:
- College, employee, student, vendor, supplier confidential, proprietary information or trade secrets (except documents subject to the Open Records Act).
- Any document marked “confidential,” “sensitive,” “proprietary,” or any document similarly labeled.
personnel are encouraged to use common sense judgment in securing the college’s confidential information to the proper extent. For
an employee transports sensitive/non-public information/personal identifying information and needs to leave the vehicle while out, these items and all other sensitive/non-public information/personal identifying information need to be placed out of sight (ex. under seat/in trunk) and vehicle must be locked. All sensitive/non-public information/personal identifying information must be returned to the college location (unless authorized to retain overnight) before leaving for the day. Any sensitive/non-public information retained by employee must be kept inside a secured home/facility
If an employee is uncertain of the sensitivity of a particular piece of information, he/she should contact their supervisor/manager.
- College personnel, faculty, and students should use common sense and appropriate diligence, and follow other applicable law and/or college policy, in any request/transaction outside the scope of the program that could have information security or identity theft implications: non-financial transaction (e.g., transcript requests, requests for issuance of keys to campus offices, requests to give an employee or student access to a sensitive or confidential database, or access to locked areas).
HARD COPY DISTRIBUTION
Every employee and contractor performing work for the college will comply with the following policies:
- Storage rooms containing documents with sensitive information and record retention areas will be locked at the end of each workday.
- Desks, workstations, work areas, printers and fax machines, and common shared work areas will be cleared of all documents containing sensitive information when not in use.
- When documents containing sensitive information are discarded, they will be placed inside a locked shred bin. Locked shred bins are labeled “Confidential paper shredding and recycling.” If you need any assistance in locating one of these bins, please contact a supervisor/manager.
RED FLAG RULES IDENTITY THEFT PREVENTION PROGRAM
Putting the Identity Theft Prevention Program in place enables the college to protect existing students, reduce risk from identity fraud, and minimize potential damage to the college from fraudulent new accounts. The program will help the college:
- Identify risks that signify potentially fraudulent activity within new or existing covered accounts
- Detect risks when they occur in covered accounts
- Respond to risks to determine if fraudulent activity has occurred and act if fraud has been attempted or committed
- Update the program periodically, including reviewing accounts that are covered and identified risks that are part of the program.
The college has a primary relationship with its employees and students other than as a creditor or lender, unlike the creditors/lenders for which the Red Flags Rule was designed. Based on these relationships of employer-employee and student-educational institution, various identity verification measures are already in place under other applicable laws/regulations/programs and should be used consistently (e.g., I-9 employment eligibility verification for employees (with DOB included), National Student Clearinghouse, FAFSA for students, student identification cards/government issued passports/state issued ID and driver’s licenses). The Program does not take the place of any such independent requirements.
Every new and existing customer account that meets the following criteria is covered by this program.
- Business, personal and household information for which there is a reasonably foreseeable risk of identity theft.
- Business, personal and household information for which there is a reasonably foreseeable risk to the safety and/or soundness of the college from identity theft, including financial, operational, compliance, reputation, or litigation risks.
The following ‘Red Flags’ are potential indicators of fraud. Any time a Red Flag, or a situation closely resembling a Red Flag, is apparent, it should be investigated for verification.
- Photograph or physical description on the identification is not consistent with the appearance of the applicant/student/employee presenting the identification.
- Information on the identification is not consistent with information provided by the person opening a new covered account or student/employee presenting the identification (e.g. verbal information is not consistent with printed information).
- Information on the identification is not consistent with readily accessible information that is on file with the college, such as a signature card or a recent check.
- An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.
- Documents provided for identification appear to have been altered or forged (e.g. lamination from driver’s license is not sealed).
Personal Identifying Information
- Personal identifying information provided by the student/employee is not consistent with other personal identifying information provided by the student/employee. For example:
  - Information collected from the FAFSA and other data collected are inconsistent (William Smith-Bill Smith)
  - Loan information and enrollment information are inconsistent.
  - Students may have multiple/different college ID numbers.
- Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:
  - The address on an application is the same as the address provided on a fraudulent application.
- Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the college. For example:
  - The address on an application is fictitious, a mail drop or prison.
  - The phone number is invalid.
- SSN provided is the same as that submitted by other persons opening an account or other students/employees.
- Address or telephone number provided is the same as or similar to the address or telephone number submitted by an unusually large number of other persons opening accounts or other students/employees.
- The person opening the covered account fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.
Use of, or Suspicious Activity Related to, the Covered Account
- A new revolving credit account is used in a manner commonly associated with known patterns of fraud. For example:
  - The student/employee fails to make the first payment or makes an initial payment but no subsequent
- A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for
  - Nonpayment when there is no history of late or missed payments.
- Mail sent to the student/employee is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the student/employee’s covered account.
- The college is notified that the student/employee is not receiving mail.
- Shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for a change of student/employee’s name or a new student identification card.
from students/employees, victims of identity theft, law enforcement authorities, service providers or other persons regarding possible identity theft in connection with covered accounts held by the college.
- The college is notified by a student/employee, a victim of identity theft, a law enforcement authority or any other person that it has opened a fraudulent account for a person engaged in identity
- to the college of unauthorized access to or use of employee or student account information.
- There is a breach in the college’s computer system security affecting the employee’s/student’s account or loan.
- The college is notified of unauthorized charges or transactions in connection with a student/employee’s covered account.
RESPONDING TO RED FLAGS
Once potentially fraudulent activity is detected, it is essential to act quickly as a rapid appropriate response can protect students/employees and the college from damages and loss.
- Once potentially fraudulent activity is detected, gather all related documentation and write a description of the situation. Take this information and present it to the designated authority for determination.
a transaction is determined to be fraudulent, appropriate actions must be taken immediately. Actions may include:
an affected account and re-open with a new account number
any passwords or other access codes that permit access to the
actual student/employee that fraud has been attempted
to monitor account for evidence of identity theft
and cooperate with appropriate law enforcement
extent of liability to college
- Have student/employee complete an Information Discrepancy Affidavit form
- Cancel the transaction
PERIODIC UPDATES TO PLAN
- As needed, the program will be re-evaluated to determine whether all aspects of the program are up to date and applicable in the current environment.
- Periodic reviews will include an assessment of which accounts are covered by the program.
- As part of the review, Red Flags may be revised, replaced or eliminated. New Red Flags may also be appropriate.
- Actions to take in the event that fraudulent activity is discovered may also require revision to reduce damage to the college and its students/employees.
of Senior Administration
- The Identity Theft Prevention Program is the responsibility of the Board of Trustees. Approval of the initial plan must be appropriately documented and maintained.
- Operational responsibility of the program can be delegated by the administration.
- The Identity Theft Prevention Program shall not be operated as an extension to existing fraud prevention programs and its importance warrants the highest level of attention.
- Staff members shall continue to receive training as required as changes to the program are made to ensure maximum effectiveness of the program.
- Staff training shall be conducted for all employees, contractors, consultants, temporary workers, and other workers at the college (volunteers-Student Ambassadors), for whom it is reasonably foreseeable that they may come into contact with accounts or Personally Identifiable Information which may constitute a risk to the college or its students/employees.
of Service Provider Arrangements
- It is the responsibility of the college to ensure that the activities of all Service Providers are conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. If the college engages a service provider to perform an activity in connection with one or more accounts or loans covered by the Program, the college should require, by contract, that the service provider will perform its activity in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of Identity Theft and that the service provider will report any red flags it detects to a member of the college administration with primary responsibility for that service provider relationship.
ROLES AND RESPONSIBILITIES
Administration will have the responsibility to adopt, implement and enforce this policy and ensure that it is followed by employees and contractors. Additional responsibilities regarding the operation of the Identity Theft Prevention Program may be outlined above or as listed in additional written guidance.
| Term | Definition |
|---|---|
| Board of Trustees | In addition to the plain meaning, for colleges that do not have a Board of Trustees, this term is defined as a designated employee at the senior level of management. |
| Hard Copy | A printout of data stored in a computer. It is considered hard because it exists physically on paper, whereas a soft copy exists only electronically. |
| Service Provider | Any person or entity that maintains, processes, or otherwise is permitted access to student/employee information or consumer information through the provision of services directly to the college. |
| Identity Theft | Fraud committed or attempted by the unauthorized use of personal identifying information of another person. |
| Personal Identifying Information (PII) | A name or number that can be used alone or with other information to identify a specific person. Ex: Name, SSN, DOB, etc. |
| Non-Public Information (NPI) | Information that is classified as sensitive information and not available for public display. Ex: Name, Address, Phone Number, SSN, DOB, Driver’s License |
| Red Flag | It is a pattern, practice or specific activity that indicates the reasonable possibility of Identity Theft. |
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.