Presentation on theme: "WELCOME Iowa State University Identity Theft Prevention Program"— Presentation transcript:
1 WELCOME Iowa State University Identity Theft Prevention Program
2 The Reason Behind the Red Flag Rules
More than 10 million Americans are victims of identity theft each year.
The total financial losses due to identity theft are estimated to be about $50 billion every year.
3 Risks to Iowa State University
Lost productivity
Reputation
Fines
Notification expenses
Loss of ability to accept payment cards for services rendered (i.e. credit/debit cards, etc.)
4 Examples of Impacted Departments
Accounts Receivable
ID Card Office
Treasurer’s Office
Student Financial Aid
Student Counseling Services
Office of Admissions
University Extension
Department of Residence
Information Technology Services
Thielen Student Health Center
Payroll
Human Resources
5 How Information is Obtained
By stealing purses and wallets
By stealing checks or credit card information out of the mail
By completing a “change of address form” to divert mail to another location
By abusing their employer’s authorized access to customer or employee information
By getting credit reports by abusing their employer’s authorized access to them
By dumpster diving
By computer hacking
6 Iowa State University Identity Theft Prevention Program
A Red Flag is a pattern, practice or specific activity that indicates the possible existence of identity theft or fraud
The Red Flag Rules – issued by Federal Trade Commission (FTC), for creditors to develop and implement written identity theft prevention programs as part of the Fair and Accurate Credit Transactions Act of 2003 (FACTA)
Programs must be in place to provide for the identification, detection, and response to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft by January 1, 2011
7 The FTC regulations, known as the Red Flag Rules, are organized into three parts including:
1. Duties of users of consumer reports regarding address discrepancies.
2. Duties of creditors regarding the detection, prevention and mitigation of identity theft.
3. Duties of card issuers regarding changes of address. (Not applicable to ISU)
Users of consumer reports must develop reasonable policies and procedures to verify the identity of consumers and confirm their addresses, when necessary
Applies to any areas of ISU that utilize consumer reporting agencies (Equifax, Experian, TransUnion) for any reason, i.e. credit or background checks for loans or collection purposes, or for new hire applicants
8 The FTC regulations, known as the Red Flag Rules, are organized into three parts including:
1. Duties of users of consumer reports regarding address discrepancies.
2. Duties of creditors regarding the detection, prevention and mitigation of identity theft.
3. Duties of card issuers regarding changes of address. (Not applicable to ISU)
It has been determined by university legal counsel that Iowa State University is a “creditor” as defined by the Red Flag Rules for the following reasons:
Regularly extend, renew, or continue credit for student and employee accounts involving student loans, institutional loans and payment for services received over time.
9 Identity Theft Prevention Program
1. Identify relevant red flags for covered accounts ISU offers or maintains and incorporate those red flags into the program
2. Detect red flags that have been incorporated into the program
3. Respond appropriately to any red flags that are detected to prevent and mitigate identity theft
4. Assure the program is updated periodically to reflect changes and risks involving possible identity theft and fraud
10 Definitions: Covered Accounts
A covered account is a consumer account used by customers of ISU primarily for personal, family, or household purposes that is designed to permit multiple payments or transactions. These are accounts where payments are deferred and made by the customer (borrower) periodically over time. At ISU, a covered account includes the following:
1. Participation in the following Federal student loan programs: Perkins Loan, Health Profession Student Loan and Loans for Disadvantaged Students;
2. Participation in institutional loans to students, faculty or staff
3. Participation in a plan for payment of tuition or fees throughout the semester, rather than requiring full payment at the beginning of the semester
4. Participation in a plan for payment for services received over time rather than requiring full payment upon receipt of services
5. Participation in other services provided by third party service providers that satisfy the definition of a covered account
11 Definitions:
Creditor: A creditor is a person or entity that regularly extends, renews, or continues credit and any person or entity that regularly arranges for the extension, renewal, or continuation of credit.
Customer: A customer is a person or entity that has a covered account with ISU. Customer includes students, faculty, staff and persons or entities doing business with ISU.
Service Provider: A service provider is a third party that is contracted to provide outsourced operations directly to ISU customers that are related to a covered account.
Identity Theft: Identity theft is a fraud committed or attempted using the identifying personal information of another person.
12 Definitions: Personal Information
Specific items of personal information identified in Iowa Code Section 715C.1(11). This information includes an individual’s name in combination with any one or more of the following data elements:
Social Security number,
Driver’s license number,
Health insurance information,
Medical information, or
Financial account number (such as a credit card number, debit card number or bank account number) or an ISU issued university identification number (UID) when the numbers are in combination with any required security code, access code, or password that would permit access to an individual’s financial account or the ISU AccessPlus account for an individual.
14 DETER
In order to identify relevant Red Flags within its covered accounts, ISU considers the types of accounts that it offers and maintains, methods it provides to open its accounts, methods it provides to access its accounts, and its previous experiences with identity theft. Any time a Red Flag, or a situation closely resembling a Red Flag, is detected, it should be evaluated by ISU personnel for verification of the person or entity involved and implementation of an appropriate response pursuant to Section 5 of the Identity Theft Prevention Program.
Alerts received by ISU from a Credit Reporting Agency
Suspicious Documents
Suspicious Personal Identifying Information
Unusual Use or Suspicious Account Activity
Notice from Others Indicating Possible Identity Theft
15 DETECT
In order to detect any of the Red Flags identified in Section 3 of the Identity Theft Prevention Program that are associated with the opening of a covered account for a customer or for monitoring transactions on an existing covered account, ISU personnel will take one or more of the following steps to obtain and verify the identity of the person opening a covered account or using an existing covered account in accordance with the written operational policies of the unit that manages the covered account:
A. Require certain identifying information such as name; date of birth; residential, business or in-session university address; or other identification in conjunction with a signature and/or other communication with the person or entity whose covered account is involved;
B. Presentation of an ISU Card or government issued photo identification document and determining that the image matches appearance of the customer and the document has not been altered, forged or destroyed and reassembled.
C. Verify any changes made electronically to financial information contained in a covered account by ing customers to alert them to changes made to their account.
16 DEFEND
In the event ISU personnel detect any identified Red Flags, such personnel shall respond depending on the degree of risk posed by the Red Flag. The appropriate responses to the relevant Red Flags can include any one or more of the following:
A. Deny access to the covered account until other information is available to eliminate the Red Flag;
B. Contact the customer to advise that a fraud has been attempted on their covered account;
C. Change any passwords, security codes or other security devices that permit access to a covered account;
D. Notify law enforcement; or
E. Determine that no response is warranted under the particular circumstances.
17 Responsibility for Compliance
Under the university's Identity Theft Prevention Program, ISU employees have a responsibility to obtain and verify the identity of persons opening or using covered accounts.
ISU employees are expected to notify the program administrator (i.e., the director of Accounts Receivable) if they become aware of an incident of identity theft or of failure to comply with the program.
At least annually or as otherwise requested by the program administrator, ISU staff responsible for development, implementation, and administration of the program shall report to the program administrator on compliance with this program.
18 Program Administration
Oversight by an Identity Theft Prevention Committee lies with the Vice President for Business and Finance
Program Administrator shall be the Director of Accounts Receivable Office with the following duties:
Training of ISU staff on the program, Reviewing related reports, Determining steps for detecting and defending against identity theft, and considering periodic updates to the program
Staff Training and Reports
Identity Theft Prevention Program Updates
19 Service Providers
ISU remains responsible for compliance with the Red Flag Rules even if it outsources operations regarding covered accounts to a third party service provider. In the event ISU engages a service provider to perform an activity in connection with one or more covered accounts, ISU will take the following steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft.
B. A service provider that maintains its own Identity Theft Prevention Program, consistent with the guidance of the Red Flag Rules and validated by appropriate due diligence, may be considered to be meeting these requirements.
20 Test Your Red Flag Rules Knowledge…
The Red Flag Rules apply to anyone who deals with financing and credit, including car dealerships, banks, physicians' offices, retail merchants, mortgage companies, and cell phone carriers.
a. True
b. False
The Red Flag Rules apply to any person or entity which maintains covered accounts, no matter what business they are in.
21 Test Your Red Flag Rules Knowledge…
Under the Red Flag Rules, all "covered accounts" must be marked with a small red flag symbol.
a. True
b. False
22 Test Your Red Flag Rules Knowledge…
Personal Identification Information (PII) includes:
a. Any name or number
b. Any name or number, used alone or in conjunction with any other information
c. Any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual
d. None of the above
23 Test Your Red Flag Rules Knowledge…
"Suspicious" refers to which of the following:
a. Inconsistent signatures on file
b. Driver’s license photo doesn’t match person
c. Inability to recall mother’s maiden name
d. Phone number given is answered by prison switchboard
e. Any and all of the above
24 Test Your Red Flag Rules Knowledge…
Which of the following is NOT a required part of an Identity Theft Prevention Program?
a. Reasonable policies and procedures to identify potential "red flags"
b. dedicated phone line for customers to call in identity theft reports
c. Specific procedures to detect the "red flags" identified as potential threats
d. Appropriate actions to take when "red flags" are detected
e. A plan for regularly re-evaluating the program
25 Test Your Red Flag Rules Knowledge…
6. Red Flag procedures must be "fully implemented" by December 31, That means:
a. ...the procedures just have to be written and accessible to everyone
b. ...the procedures have to be written and everyone needs to be trained to use them
26 Test Your Red Flag Rules Knowledge…
7. After you have identified the red flags of ID Theft that you’re likely to come across in your business, what do you do next?
a. Set up procedures to detect those red flags in your day-to-day operations
b. Train all employees who will use the procedures.
c. Decide what actions to take when a red flag is detected
d. Periodically review your list of red flags to be sure they are still relevant
e. All of the above
27 Test Your Red Flag Rules Knowledge…
8. Because the federal Red Flag Rules are so comprehensive, Iowa's state laws concerning identity theft prevention no longer apply.
a. True
b. False
There is no pre-emption clause included in the Red Flag Rules, so both sets of laws must be considered.
28 Test Your Red Flag Rules Knowledge…
9. The one thing you will NOT do when you finish this test is:
a. Identify which of your accounts are "covered" and develop some policies and procedures for how to identify red flags associated with those accounts
b. Plan training for your employees who will need to be able to detect red flags
c. Ignore this training and go on with your work because it's the way things have always been done
d. Report any known or suspected red flags immediately
29 Test Your Red Flag Rules Knowledge…
10. The purpose of the Red Flag Rules is:
a. To detect the warning signs – or “red flags” – of identity theft in day-to-day operations, take steps to prevent the crime, and mitigate the damage it inflicts
b. To add one more item of busy-work to already overloaded staff, since there's no way to really prevent Identity Theft
30 QUESTIONS? Contact: Director of Accounts Receivable - Duane Reeves
31 WEBSITES
Federal Trade Commission – Fair Credit Reporting – Major Links - you can find the How-To Guide for Red Flag Rules on this website
PCI Security Standards Council website
https://www.pcisecuritystandards.org/
PCI Security Standards Council Quick Reference Guide
https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf
Treasury Institute for Higher Education
Listing of breaches for 2009