The identity theft red flags program is designed to provide information to assist individuals in 1) detecting, preventing, and mitigating identity theft in connection with the opening of a “covered account” or any existing “covered account” and 2) reporting a security incident when they believe that one has occurred. This program was developed pursuant to the Fair and Accurate Credit Transactions Act of 2003 and the Federal Trade Commission’s Red Flags Rule, which require creditors to adopt policies and procedures to prevent identity theft.
Covered accounts maintained by the University of Southern Indiana include:
- Bursar/Student Accounts
- Stored Value/Eagle Access ID Cards
- Payroll Cards
Identification of Red Flags
Broad categories of “Red Flags” include the following:
- Alerts - alerts, notifications, or warnings from a consumer reporting agency including fraud alerts, credit freezes, or official notice of address discrepancies
- Suspicious Documents - such as those appearing to be forged or altered, or where the photo ID does not resemble its owner, or an application which appears to have been cut up, re-assembled and photocopied
- Suspicious Personal Identifying Information - such as discrepancies in address, Social Security Number, or other information on file; an address that is a mail-drop, a prison, or is invalid; a phone number that is likely to be a pager or answering service; personal information of others already on file; and/or failure to provide all required information
- Unusual Use or Suspicious Account Activity - such as material changes in payment patterns, notification that the account holder is not receiving mailed statements, or that the account has unauthorized charges
- Notice from Others Indicating Possible Identity Theft - such as the institution receiving notice from a victim of identity theft or law enforcement, or another account holder reporting that a fraudulent account was opened
Detection of Red Flags
Detection of Red Flags in connection with the opening of covered accounts as well as existing covered accounts can be made through such methods as:
- Obtaining and verifying identity
- Authenticating customers
- Monitoring transactions
An information security incident that results in unauthorized access to a customer’s account record, or a notice that a customer has provided information related to a covered account to someone fraudulently claiming to represent USI or to a fraudulent web site, may heighten the risk of identity theft and should be considered a Red Flag.
Response to a Red Flag
Any suspected Red Flag detection needs to be reported to IT Security for support in the Information Security Incident Response Process. Based on the type of red flag, the appropriate IT Security team member will work with the employee and Public Safety to determine the appropriate response.
Security Incident Reporting
Any employee who believes that a security incident has occurred must immediately report the suspicious activity to the IT Help Desk.
Service Providers
USI remains responsible for compliance with the Red Flag Rules even if it outsources operations to a third-party service provider. The written agreement with the third-party service provider shall require the third party to have reasonable policies and procedures designed to detect relevant Red Flags that may arise in the performance of the service provider’s activities, including notification to USI if a Red Flag is detected and the steps implemented to prevent or mitigate additional identity theft.
Training
All employees who process any information related to a covered account shall receive training on procedures as outlined in this document. Additionally, refresher training may be provided annually.
Red Flag Definitions
Covered Account - A consumer account designed to permit multiple payments or transactions. These are accounts where payments are deferred and made by a borrower periodically over time, such as a tuition or fee installment payment plan.
Creditor - A person or entity that regularly extends, renews, or continues credit and any person or entity that regularly arranges for the extension, renewal, or continuation of credit.
Identity Theft - A fraud committed or attempted using the identifying information of another person without authority.
Red Flag - A pattern, practice or specific activity that indicates the possible existence of identity theft.
Security Incident - A collection of related activities or events which provide evidence that personal information could have been acquired by an unauthorized person.