Purdue University :: University Policies

Identity Theft Prevention Program (VI.2.2)

POLICY VI.2.2
Volume VI, Records
Chapter 2, Security of Records
Issuing Office: Executive Vice President for Business and Finance and Treasurer
Responsible Officer: VP Business Services
Responsible Office: VP Business Services
Originally Issued: March 16, 2009
Most Recently Revised: March 16, 2009

Table of Contents

Statement of Policy
Reason for Policy
Who Should Know This Policy
Related Documents
Contacts
Definitions
Procedures
Responsibilities
History

Statement of Policy

The Identity Theft Prevention Program is established to detect, prevent, and mitigate Identity Theft in connection with the opening of a Covered Account or maintenance of an existing Covered Account and to provide continued administration of the Program in compliance with 16 C.F.R. Part 681.1, 681.2, and 681.3.

Reason for Policy

The Identity Theft Prevention Program policy assures that Purdue University is complying with the FTC FACT act of 2003, as implemented through 16 CFR 681.1, 681.2, and 681.3.

Who Should Know This Policy

Board of Trustees
President
Provost
Vice Provosts
Chancellors
Vice Chancellors
Vice Presidents
Directors/Department Heads/Chairs

Related Documents

Federal Register Final Rules:
http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf (contains definitions and final rules for 16 CFR 681.1, 681.2, and 681.3.)
Personal Identify Theft Information:
http://www.purdue.edu/securepurdue/theft.cfm provides steps for Customers if identity theft is suspected.

Contacts

Contact	Telephone	E-mail
Bursar	(765) 494-7581	askbursar@purdue.edu
Comptroller (CAL)	(219) 989-2733	calumet_redflag@lists.purdue.edu
Comptroller (IPFW)	(260) 481-6322	ipfw_redflag@lists.purdue.edu
Comptroller (NC)	(219) 785-5225	nc_redflag@lists.purdue.edu
Comptroller (WL)	(765) 494-5353	wl_redflag@lists.purdue.edu
Internal Audit	(765) 494-7588	iadirector@purdue.edu
Identity Access	(765) 496-8289	iamo@purdue.edu

Definitions

Creditor
A person or entity that arranges for the extension, renewal, or continuation of credit, which in some cases could include third-party debt collectors.

Consumer
An individual.

Covered Account

(i) An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions.

(ii) Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to Customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.

Covered Account includes general activity relating to the tuition/fee or receivable billing, student loan origination and servicing, and ID card account maintenance.

Customer
A person that has a ‘‘covered account’’ with a financial institution or creditor.

Identity Theft
Fraud committed or attempted using the identifying information of another person without authority.

Information Security Program Committee
Purdue’s Information Security Program Committee, co-chaired by the Chief Security Officer and the Director of Audits, and includes the Executive Director Financial Aid, Bursar, University Counsel, and representatives from the Calumet, Fort Wayne, and North Central regional campuses. Other individuals may be added as needed. This committee meets biannually and as needed.

Notice of Address Discrepancy
A notice sent to a user of a consumer report by a Consumer Reporting Agency pursuant to 15 U.S.C. 1681c(h)(1), that informs the user of a substantial difference between the address for the Consumer provided by the user in requesting the consumer report and the address or addresses the Consumer Reporting Agency has in the Consumer’s file.

Personally Identifiable Information
An individual's first name and last name and at least one of the following data elements: Social Security Number, driver's license number or identification card number, and account number, credit card number, debit card number, security code, access code, or password of an individual's Covered Account.

Program
The Identity Theft Prevention Program.

Red Flag
A pattern, practice, or specific activity that indicates the possible existence of identity theft.

Procedures

Identification of Relevant Red Flags
The following Red Flags have been initially identified for inclusion in the Program:

Documents provided for identification appearing to have been altered or forged.
The photograph or physical description on the identification is not consistent with the appearance of the applicant or Customer presenting the identification.
Other information on the identification is not consistent with information provided by the person opening a new Covered Account or Customer presenting the identification.
An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.
Personal identifying information provided is inconsistent when compared against external information sources.
Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources.
The Social Security number provided is the same as that submitted by other persons opening an account or other Customers.
The Customer or the person opening the Covered Account fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.
Personal identifying information provided is not consistent with personal identifying information that is on file.
Purdue University is notified of unauthorized charges or transactions in connection with a Customer’s Covered Account.
Purdue University receives notice from Customers, victims of Identity Theft, law enforcement authorities, or other persons regarding possible Identity Theft in connection with Covered Accounts.

Detection of Red Flags
The Program shall address the detection of Red Flags in connection with the opening of Covered Accounts and existing Covered Accounts by:

Obtaining identifying information about, and verifying the identity of, a person opening a Covered Account; and
Authenticating Customers, monitoring transactions, and verifying the validity of change of address requests in the case of existing Covered Accounts.

Responding to Red Flags
The Program shall provide for appropriate responses to detected Red Flags to prevent and mitigate Identity Theft. The response shall be commensurate with the degree of risk posed.

Once potentially fraudulent activity is detected, the employee or employees charged with responsibility shall act quickly, as a rapid appropriate response can protect Customers and Purdue University from damages and loss. Approved standards and responsive action must be maintained by each assigned resource based upon business and technical needs. These standards and responsive actions shall be reviewed by the Information Security Program Committee periodically to assure appropriate response to an incident.

Appropriate responses to the detection of Red Flags include:

Monitor a Covered Account for evidence of Identity Theft;
Contact the Customer;
Change any passwords, security codes, or other security devices that permit access to a Covered Account;
Reopen a Covered Account with a new account number;
Not open a new Covered Account;
Close an existing Covered Account;
Request additional documentation to validate identity;
Handle per regulatory requirements under law if applicable;
Notify law enforcement or regulatory entity; or
Determine no response is warranted under the particular circumstances.

Duties to Address Discrepancies Related to Consumer Reporting
Purdue University shall implement procedures intended to assist it with forming a reasonable belief that a consumer report relates to the Consumer for whom it was requested if a Notice of Address Discrepancy is received from a consumer reporting agency indicating the address given by the Consumer differs from the address contained in the consumer report.

Purdue University will reasonably confirm that an address is accurate by any of the following means:

Verification of the address with the Consumer,
Review of the individual’s records,
Verification of the address through third party sources, or
Other reasonable means.

If an accurate address is confirmed, Purdue University shall furnish the Consumer’s address to the consumer reporting agency from which it received the Notice of Address Discrepancy if:

Purdue University establishes a continuing relationship with the Consumer and
Purdue University regularly and in the ordinary course of business, furnishes information to the consumer agency.

Duties Regarding Change of Address as Related to Card Activity
Purdue University shall have procedures intended to assess the validity of a change of address upon receipt of a request for an additional or replacement card within 30 days of a notification of an address change. An additional or replacement card shall not be issued until an assessment of the validity of the address change has occurred. Validity of requests for duplicate or replacement cards will be further established by:

Providing written or electronic notification to the cardholder of the request for an additional or replacement card.
Providing a cardholder a reasonable means of promptly reporting address changes.

Purdue University will reasonably confirm that an address is accurate by any of the following means:

Verification of the address with the Consumer,
Review of the individual’s records,
Verification of the address through third party sources, or
Other reasonable means.

Training
Staff training shall be provided annually by each campus to all employees, officials, and contractors who might reasonably come into contact with Covered Accounts that may constitute a risk to Purdue University or its Customers. Additional training will be made available if significant changes are made to the Program. The following principles shall be included in training materials for those areas maintaining activity relating to a Covered Account:

Identity Theft is a serious risk for Customers and businesses that use or maintain financial or demographic information. It is necessary for Purdue University to seek methods to minimize potential impact to the institution and its clients and Customers.
Personally identifying information should not be provided to individuals as a rule. Rather, this information should be maintained in order to confirm the identity of Purdue’s Customers.
Staff should not store Personally Identifiable Information unless necessary to perform a business function, and should only store information in secured systems designated for those functions.
Identity Theft reports should be handled as priority incidents and immediate steps should be taken to remediate resulting issues.

Security Practices of Contractors and Service Providers
Purdue University shall exercise appropriate and effective oversight of service provider arrangements involving those service providers with access to Covered Accounts or information regarding Purdue’s Customers under this Program.

Purdue University third party contractors and service providers are expected to follow and be compliant with any federal, state, and local laws or regulations that are applicable to Purdue University, as well as Purdue University policies and procedures that are relevant to the underlying contract between the parties. The specific terms and issues of such compliance are addressed in Purdue University contractual documents. Third party contractors and service providers who have questions regarding appropriate information security practices and/or other components of this Program should review their Purdue University contracts and contact their Purdue University contract representative.

Responsibilities

Board of Trustees
Initial approval of the Program

Executive Vice President for Business and Finance and Treasurer
Administrative oversight of the Program

Information Security Program Committee
Functional oversight, program changes, and training

All business activity relating to a Covered Account under this Program shall be conducted by a resource with appropriate training as assigned by the Information Security Program Committee. Approved standards and processes must be maintained by each assigned resource based upon business and technical needs. These standards and processes shall be reviewed and approved by the Information Security Program Committee.

The Program shall consider the following risk factors in identifying relevant Red Flags for Covered Accounts as appropriate:

The types of Covered Accounts offered or maintained,
The methods provided to open Covered Accounts,
The methods provided to access Covered Accounts, and
Its previous experience with Identity Theft.

The Program shall incorporate relevant Red Flags from sources such as:

Incidents of Identity Theft previously experienced,
Methods of Identity Theft that reflect changes in risk, and
Applicable supervisory guidance.

The Program will be re-evaluated annually to determine whether all aspects of the Program are up to date and applicable in the current business environment. Periodic reviews will include an assessment of which accounts are covered by the Program. As part of the review, Red Flags may be revised, replaced, or eliminated. Defining new Red Flags may also be appropriate.

Appropriate remedial actions required following the discovery of fraudulent activities shall also be reviewed and may require revision to reduce damage to Purdue University and its Customers.

History

This is the first such policy for this Program.