13.15 / Identity Theft Prevention

  1. Purpose

    The purpose of this statement is to set forth University policy with regard to the detection, prevention, and mitigation of identity theft in connection with various accounts maintained by the University.

  2. Preamble

    The Federal Trade Commission's "Red Flags Rule" implements Section 114 of the Fair and Accurate Credit Transactions Act of 2003. This policy is deemed by the University to be appropriate to the size and complexity of the University’s operations and the nature and scope of its activities. This policy is intended to implement an Identity Theft Prevention Program for the University that:

    1. Identifies relevant warnings ("Red Flags") for certain identified Covered Accounts it offers or maintains;
    2. Detects those Red Flags that have been identified;
    3. Responds appropriately to any Red Flags that are detected to seek to prevent and mitigate identity theft;
    4. Ensures that the Identity Theft Prevention Program is reviewed periodically and updated as appropriate to reflect changes in risks to students and with regard to the safety and soundness of creditors from identity theft; and
    5. Encourages University employees to report suspected cases of identity theft involving a Covered Account or student to the Vice President for Finance and Administration or to the University General Counsel's Office.
  3. Policy

    1. Covered Accounts

      A "Covered Account" is an account that is offered or maintained primarily for personal, family or household purposes that involves or is designed to permit multiple payment transactions. The University has identified five types of Covered Accounts that are covered under this policy, four of which are administered by the University and one that is administered by a service provider.

      1. University Covered Accounts include:

        1. Refund of credit balances involving PLUS loans
        2. Refund of credit balances without PLUS loans
        3. Deferment of tuition payments
        4. Balances owed on account
      2. Service provider Covered Accounts include:

        1. Perkins payment plan administered by Educational Computer Systems, Inc. (ECSI). See Section D relating to the Oversight of Service Provider Arrangements.
    2. Identification of Relevant Red Flags

      The University Identity Theft Prevention Program identifies the following Red Flags:

      1. Documents provided for identification appear to have been altered or forged;
      2. The photograph or physical description on the identification is not consistent with the appearance of the student presenting the identification;
      3. A request made from a non-University-issued email account;
      4. A request to mail something to an address not listed on file; or
      5. Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with Covered Accounts.
    3. Detection of Red Flags

      The University Identity Theft Prevention Program will detect Red Flags relevant to each type of Covered Account as follows:

      1. Refund of credit balances involving PLUS loans - As directed by federal regulations (U.S. Department of Education), these balances are required to be refunded in the parent's name. The refund amount is direct deposited in the parent’s bank account using the banking information provided to the University by the parent via their electronic refund profile. If no account is provided, the refund amount will be mailed to their address on file within the time period specified. No request is required.

        Red Flag - None as this is initiated by the University.

      2. Refund of credit balances without PLUS loans - Request from current students must be made in writing by using the University form "Petition for Exception to Tuition Refund Policy." If the request is approved, the refund amount is direct deposited in the student's bank account using the banking information provided to the University by the student using their my ID and the student portal. If direct deposit is not available, checks can only be mailed to an address on file, as provided by the student. If an address is determined to be non-deliverable by the U.S. mail, checks can be picked up in person by showing their Photo ID.

        Red Flag - Photo ID does not appear to be authentic or does not match the appearance of the student presenting it.

      3. Deferment of tuition payments (tuition payment plan) - Students request a tuition payment plan by using their my ID to access the secure student portal. Requests are made electronically and payment plans are accepted provided the student has no delinquent charges on their account. 

        Red Flag - None, as students can only make this request via the secure portal. In person requests are not accepted.

      4. Balances owed on account – Person pays towards balance owed on account either in person or via the secure portal.

        Red Flag - No red flag when person pays via the secure portal. In person, a red flag is possible if the person’s identifying information is not consistent with the information that is on file for the customer.

    4. Oversight of Service Provider Arrangements

      The University shall take steps to ensure that the activity of a service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft whenever the organization engages a service provider to perform an activity in connection with one or more Covered Accounts.

      Currently the University uses ECSI to administer the Perkins Loan program. Students contact ECSI directly through its website or by telephone and provide personally identifying information to be matched to records that the University has provided to ECSI.

    5. Staff Training

      University employees responsible for implementing the Identity Theft Prevention Program shall be trained in the detection of Red Flags and the responsive steps to be taken when a Red Flag is detected.

    6. Periodic Review

      The General Counsel will implement and facilitate an annual review of the University Identity Theft Prevention Program and suggest updates as deemed appropriate or as required by law. General Counsel shall consider the University's experiences with Identity Theft situations, changes in Identity Theft methods, changes in Identity Theft detection and prevention methods, and changes in the University's business arrangements with other entities.

    7. Oversight of the Identity Theft Prevention Program

      Overall responsibility for developing and implementing the Identity Theft Prevention Program lies with the Vice President for Finance and Administration or the Vice President's designee.

    8. Non-disclosure of Specific Practices

      For the effectiveness of this Program, knowledge about specific Red Flag identification, detection, mitigation and prevention practices may need to be limited. The Vice President for Finance and Administration or the Vice President’s designee shall disseminate the necessary information to employees with a need to know. Any documentation regarding the development or implementation of this Program that lists or describes specific practices or contains confidential information should not be shared with other University employees or the public. All documents and specific practices related to the Program should be maintained in a confidential manner.

See related policies:

13.14 Security of Payment Card Data

20.18 Privacy of Financial Information