Identity Theft Detection and Prevention
Memorandum #312 Identity Theft Detection and Prevention
August 1, 2009
The purpose of this policy is to require the identification and detection of, and response to, activity that may indicate identity theft and to comply with the FTC Red Flags Rules.
In 2007, the FTC issued the Red Flags Rules under sections 114 and 315 of the Fair and Accurate Credit Transactions Act (FACT Act), which amended the Fair Credit Reporting Act (FCRA). The rule requires financial institutions and creditors that hold covered accounts to develop and implement an identity theft prevention program for new and existing accounts.
Policy and Program Rationale:
Community College of Philadelphia has developed this Identity Theft Policy and Prevention Program to detect, prevent and mitigate identity theft with the oversight and approval of the Board of Trustees. The program shall include, according to Federal regulations, reasonable policies and procedures to:
- Identify relevant red flags for covered accounts it offers or maintains and incorporate those red flags into the program;
- Detect red flags that have been incorporated into the program;
- Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and
- Ensure the program is updated periodically to reflect changes in risks to customers and to the safety and soundness of the creditor from identity theft.
The program shall, as appropriate, incorporate existing policies and procedures that control reasonably foreseeable risks.
Administration of Program:
The Vice President for Academic and Student Success or designee, in conjunction with the CIO, shall be responsible for the development, implementation, oversight and continued administration of the program.
The Vice President for Academic and Student Success or designee, in conjunction with the CIO, shall train staff, as necessary, to effectively implement the program.
The Vice President for Academic and Student Success or designee, in conjunction with the CIO, shall exercise appropriate and effective oversight of service provider arrangements.
The Director of Information Technology serves as the backup support in the absence of the CIO.
Identity theft means fraud committed or attempted using the identifying information of another person without authority.
Covered account means a consumer account that a creditor offers or maintains, primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions. Covered accounts include, but are not limited to, credit (debit) cards, loans, and unpaid or partially unpaid student accounts.
Red flag means a pattern, practice or specific activity that indicates the possible existence of identity theft.
Creditor means any person who defers payment for services rendered, such as an organization that bills at the end of the month for services rendered the previous month. The college is considered a creditor by participating in the Federal Perkins Loan Program, Federal Family Education Loan Program, Forgivable Loan Program, Computer Loan Program, Deferred Tuition Payment Plan and Deferred Financial Aid Payment Plan.
Security Incident means a collection of related activities or events which provide evidence that personal information could have been acquired by an unauthorized person.
Identification of Red Flags:
The College considers the following categories in identifying relevant Red Flags:
- Alerts – alerts, notifications, or warnings from a consumer reporting agency including fraud alerts, credit freezes, or official notice of address discrepancies.
- Suspicious Documents – such as those appearing to be forged or altered, or where the photo ID does not resemble its owner, or an application which appears to have been cut up, re-assembled and photocopied.
- Suspicious Personal Identifying Information – such as discrepancies in address, Social Security Number, or other information on file; an address that is a mail-drop, a prison, or is invalid; a phone number that is likely to be a pager or answering service; personal information of others already on file; and/or failure to provide all required information.
- Unusual Use or Suspicious Account Activity – such as material changes in payment patterns, notification that the account holder is not receiving mailed statements, or that the account has unauthorized charges.
- Notice from Others Indicating Possible Identity Theft – such as the institution receiving notice from a victim of identity theft, law enforcement, or another account holder reporting that a fraudulent account was opened.
Detection of Red Flags:
Detection of Red Flags in connection with the opening of covered accounts as well as existing covered accounts can be made through such methods as:
- Obtaining and verifying identity;
- Authenticating students; and/or
- Monitoring transactions.
Response to Red Flags:
The detection of a Red Flag by an employee shall be reported to the Chief Information Officer and Vice President, Academic and Student Success or designee. Based on the type of red flag, the Vice President for Academic and Student Success or designee and the Chief Information Officer will determine the appropriate response. The Director of Information Technology serves as the backup support in the absence of the CIO. In addition, a copy of the response will be forwarded to the Internal Auditor for review. Some of these responses may include:
- Monitoring a covered account for evidence of identity theft
- Contacting the account holder
- Changing the passwords, security codes, or other security devices that permit access to a covered account
- Reopening a covered account with a new account number
- Not opening a covered account
- Closing an existing account
- Denying access to a covered account until adequate information is available to eliminate the red flag
- Notifying law enforcement
- Determining that no response is warranted under the circumstances
Security Incident Reporting:
An employee who believes that a security incident has occurred shall complete a Red Flag incident report found on the college staff web page. Once submitted, this electronic report will automatically notify the Vice President, Academic and Student Success or designee and the Chief Information Officer for immediate action. The Director of Information Technology serves as the backup support in the absence of the CIO. In addition, the Internal Auditor and Director, Public Safety, will be notified.
The College remains responsible for compliance with the Red Flags Rules even if it outsources operations to a third-party service provider. The written agreement between the College and the third-party service provider shall require the third party to have reasonable policies and procedures designed to detect relevant Red Flags that may arise in the performance of the service provider’s activities. The written agreement must also indicate whether the service provider is responsible for notifying only the College of the detection of a Red Flag or if the service provider is responsible for implementing appropriate steps to prevent or mitigate identity theft.
All employees who process any information related to a covered account shall receive training on the procedures outlined in this document. Refresher training may be provided annually.