Red Flag and Identity Theft Prevention

In this brief on Preventing Identity Theft you will find the Policies on Red Flag and Identity Theft Prevention.

PREVENTING IDENTITY THEFT

THE INFORMATION TECHNOLOGY DEPARTMENT and The Tennessee College of Applied Technology - Shelbyville want to help you be vigilant in securing your identity and reducing your risk of being a victim.

What is Identity Theft?

If someone is using your identifying information to obtain goods, services, credit, and/or open fraudulent accounts, you are the victim of identity theft. Victims are left with poor credit and the complicated task of restoring their good names. Usually, thieves target components of your personal identifying information, such as your:

Name
Date of Birth
Social Security Number
Driver's License Number

Identity Theft Can Happen to Anyone

Identity theft is one of the fastest growing crimes in the United States. Someone's identity is stolen every 4 seconds in the United States, and there are over 10 million identity theft victims in the US each year. The average costs for recovering from an attack on your identity is $8,000, plus an average of 600 hours in paperwork and other activities to clear your name. The majority of victims don't discover the theft until months after it occurs.

How Can My Identify Be Stolen?

Your best protection against identity theft is knowing where the thieves can get your information. Amazingly, most of us don't realize the most common ways our identity can be compromised by thieves:

Stealing or finding a lost wallet or purse containing a social security card, credit cards, driver’s license, etc.
Stealing mail that is being delivered to your home or that is left out for pick-up.
Diverting mail to another mailbox using a false "change-of-address" request.
Digging through dumpsters or trash looking for discarded checks, bank statements, credit card statements, or other account bills, medical records, pre-approved credit applications, etc.
Watching over your shoulder as you enter your PIN into an ATM.
Calling to "verify" account information or to "confirm" an enrollment or subscription by having you repeat bank or credit card account numbers.
Using false or misleading Internet sites to collect personal and financial information.
“Phishing” by sending phony e-mail or pop-up messages that appear to be from the University, your bank, your credit card company, your Internet Service Provider or some other entity you do business with. These phony messages usually claim some issue with your account and direct you to another website where you will be asked to supply log-in credentials, credit card information, or other personal information.

These are the most common methods, and the ones we hear the least about. Other ways thieves can target information include:

Burglarizing homes looking for purses, wallets, files containing personal and financial information.
Burglarizing businesses looking for computers or files containing personal and financial information on clients.
“Hacking” (breaking) into business or personal computers to steal private client files and personal financial information.

Reducing Your Risk

By being cautious, suspicious, and vigilant, you can reduce the chances of someone stealing your information:

Be very hesitant to give your personal or financial information to anyone.
Never provide personal identifying or financial information over the phone when someone calls you. This includes callers selling goods and services as well as charitable solicitors, banks, credit card companies, telephone companies, people purporting to be from the police department, sweepstakes promotions and others. Legitimate companies and organizations do not call to verify account numbers or to ask for your social security number or other personal information.
Never carry your social security card in your purse or wallet. In addition, never have your social security number printed on your checks, driver's license, or other financial documents.
Never respond to e-mail or pop-up messages on your computer claiming some problem with a credit card, Internet or other account. Remember, the Tennessee College of Applied Technology-Shelbyville will never ask you for any username or password information.
Update your computer virus and security software protection regularly.
Select passwords and PINs that will be tough for someone else to figure out. For example, don't use your birthday, home address, common numbers or personal information (like part of your social security number), or your pet's name. Don't keep Password and PIN information on or near your checkbook, debit card or leave them near your computer.
Practice home security. Safely store extra checks, credit cards, or other financial documents. Don't advertise to burglars that you're away from home. Don't post on social networking sites, such as Facebook, when you're going to be gone from home.
Use a "cross-cut" shredder (the kind that creates confetti, not the long strips) and shred all personal or financial documents you intend to discard before placing them in the trash.
Protect your incoming and outgoing mail. Promptly remove mail from your mailbox after it has been delivered. Ask the Post Office to hold your mail if you will be away from home for several days. Take outgoing mail to the post office, place mail in a post office blue collection box or hand it directly to a mail carrier.
Pay attention to your bank account statements and credit card bills. Watch for any suspicious activity. Also, contact your institution if a bank statement or credit card bill doesn't arrive on time; that could mean someone has stolen your account information and changed your mailing address in order to use your credit. Don't leave credit card receipts behind or throw them away in the nearest trashcan. Shred them when you get home.
Never e-mail personal or financial information. E-mail is not a secure method of transmitting personal information.
Practice Internet safety. Be suspicious of a web offer that seems too good to be true -- it probably is. Ensure the web site you are using is legitimate. Use your credit card and social security number only when absolutely necessary.
Create a throwaway email address (such as a second address at gmail.com or another free hosting site) to use with social networking, Internet forums or chat rooms, or entering online contests, and omit your real name in the account name. Use a different email for legitimate banking, credit card information, or your university information.

You should also check your credit report at least once a year. If you are a victim of identity theft, checking your credit report may help you catch the theft earlier. Call immediately if you discover any irregularities. A recent amendment to the Fair Credit Reporting Act (FCRA) requires that each of the three consumer credit reporting companies (Experian, Trans Union and Equifax) provide you with a free copy of your credit report once every twelve months.

Equifax: 1-800-525-6285; http://www.equifax.com
Experian: 1-888-EXPERIAN (397-3742); http://www.experian.com
TransUnion: 1-800-680-7289; http://www.transunion.com

If You Think It Has Happened to You

File a report with the local police department. For incidents originating on campus, Contact the Student Services Department.
Contact the Federal Trade Commission (FTC) to report the problem. The FTC is the Federal clearinghouse for complaints by victims of identity theft. The FTC helps by providing information to help resolve the financial and other problems that could result from identity theft. The FTC's toll free hotline number is 1-877-IDTHEFT (438-4338). At the Federal Trade Commission's Identity Theft Web site (http://www.ftc.gov/bcp/edu/microsites/idtheft2012/) you'll find information about contacting credit bureaus, closing accounts, filing complaints with the FTC, and more.
THE INFORMATION TECHNOLOGY DEPARTMENT provides information on the latest virus updates and news about potential technology attacks.
Contact the Social Security Administration Fraud hotline at 1-800-269-0271.
Notify the US Postal Inspector if your mail has been tampered with or stolen. Local numbers are listed under Federal Government in the telephone book or visit them online at http://www.usps.gov/websites/depart/inspect.
Contact your local Department of Motor Vehicles to see if another license has been issued in your name. If so, ask them to put a fraud alert on your driver's license.
Contact all creditors and financial institutions by telephone and in writing to advise them of the problem. Ask businesses to provide you with information about transactions made in your name. Set up a file to keep a detailed history of the crime including locations and dates if known. Keep a log of all contacts and make copies of all related documents.
Call each of the three major credit bureaus' fraud department to report identity theft. Ask to have a Fraud Alert / Victim Impact statement placed in your credit file asking that creditors call you before opening any new accounts. Call to request a copy of your credit report (free for fraud victims) from all three major credit reporting agencies.

Tennessee College of Applied Technology - Shelbyville
1405 Madison Street
Shelbyville, TN 37160
(931) 685-5013

Red Flag and Identity Theft Prevention Program

December 5, 2010

TABLE OF CONTENTS

Part I: Red Flags Identity Theft Prevention Program

Program Adoption and Background

Purpose Definitions

Identification of Red Flags

§  Notification and Warnings
§  Suspicious Documents
§  Suspicious Personal Identifying Information
§  Suspicious Covered Account Activity

Detecting Red Flags

§  Student Enrollment
§  Existing Accounts
§  Consumer (“Credit”) Report Requests

Responding to and Preventing and Mitigating Identity Theft

§  Response to Red Flags
§  Data Breach Laws
§  Prevent and Mitigate
§  Protect Identifying Information
§  Hard Copy Distribution

Part II: Policy Administration

§ Oversight

§ Staff Training and Reports

§ Service Provider Arrangements

§ Non-disclosure of Specific Practices

§ Policy Updates

Part III: Standard Practices Requiring Safeguards of Personally Identifiable Information (Gramm-Leach-Bliley Act and Family Educational Rights and privacy Act (GLB and FERPA)…………….………………………………………………………………………..12-13

Part IV: General Methods of Preventing and Mitigating Identity Theft............14-17

Verification of Identity
Document Imaging System
Authenticate Students and Employees
Monitor Transactions or Account Activity
Create and Maintain a Secure online Environment
Hard Copy and Electronic Records Protection

Part V: Resources........................................................………................................ 18

NACUBO 11/5/2009 FTC Delays RF Date

PART I: RED FLAGS IDENTITY THEFT PREVENTION PROGRAM

PROGRAM ADOPTION

In response to the threat of identity theft primarily through financial transactions, the United States Congress passed the Fair and Accurate Credit Transactions Act of 2003 (FACTA), Public Law 108-159, an amendment to the Fair Credit Reporting Act. In accordance with sections 114 and 315 of FACTA, the Office of the Comptroller of the Currency, Treasury; the Board of Governors of the Federal Reserve System; the Federal Deposit Insurance Corporation; the Office of Thrift Supervision, Treasury; the National Credit Union Administration; and the Federal Trade Commission jointly adopted and promulgated rules known as the “red flags rules” that require certain entities to enact certain policies and procedures by the June 1, 2010 effective date.

TBR 04:01:05:60

BACKGROUND

The Tennessee Board of Regents, on behalf of its institutions, has adopted an identity theft prevention policy and program, set forth in TBR Policy #4:01:05:60, in an effort to detect, prevent and mitigate identity theft, and to help protect institutions, faculty, staff, students and other applicable constituents from damages related to the loss or misuse of identifying information due to identify theft.

Tennessee Colleges of Applied Technology developed this policy in order to satisfy the requirements of the Red Flag rules and TBR Policy #4:01:05:60 in consideration of the college’s size and the nature of its activities, with oversight by the Program Administrator.

TBR 04:01:05:60

PURPOSE AND DEFINITIONS

Purpose

The purpose of the program is to detect, prevent and mitigate identity theft in connection with any covered account. This program envisions the creation of policies and procedures in order to achieve these goals. Under this policy the program will:

Identify relevant red flags for new and existing covered accounts and incorporate those red flags into the policy;
Detect red flags that have been incorporated into the policy;
Respond appropriately to any red flag that is detected to prevent and mitigate identify theft; and
Ensure the policy is updated periodically to reflect changes in risks to students and other College constituents from identity theft.
Promote compliance with state and federal laws and regulations regarding identity theft protection.

The program shall, as appropriate, incorporate existing TBR and institutional policies and guidelines, such as anti-fraud programs and information security programs that control reasonably foreseeable risks.

TBR 04:01:05:60

Definitions

"Confidential Data" includes information that the College is under legal or contractual obligation to protect.

“Covered Account” includes any account administered by the College that involves or is designed to permit multiple payments or transactions. New and existing accounts maintained by the College for its students, faculty, staff and other constituents for whom there exists a reasonably foreseeable risk: (1) to the students, faculty, staff, or other constituents related to identity theft, or (2) to the safety and soundness of the College itself from the financial, operational, compliance, reputation or litigation risks resulting from identity theft.

“Identifying Information” is any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including:

Personal information such as:

Name
Maiden name
Address
Date of birth
Telephone number

Student/Faculty/Staff identification number (e.g., the “A” number assigned by the college)
Computer internet protocol address

Credit card or other account information such as:

Credit card number, in whole or in part
Credit card expiration date

Tax identification numbers such as:

Social Security number
Business identification number
Employer identification number

Payroll information such as:

Paycheck
Paystub
Bank account/routing information

Medical information such as:

Doctor’s name
Insurance claim
Prescription
Any personal medical information

Government-issues identification numbers such as:

Driver’s license number
Alien registration number
Passport number

“Identity Theft” is a fraud committed or attempted using identifying information of another person without authorization.

"Need to Know" authorization is given to a user for whom access to the information must be necessary for the conduct of one's official duties and job functions as approved by the employee's supervisor.

"Public Record" is a record or data item that any entity, either internal or external to the College, can access.

“Red Flag” is a pattern, practice, or specific activity that indicates the possible existence of identity theft.

Sensitive Personal Information (SPI): Defined as an individual's name, address, or telephone number combined with any of the following:

Social security number or taxpayer ID number
Credit or debit card number
Financial/salary data
Driver's license number
Date of birth
Medical or health information protected under HIPAA
Student related data protected under FERPA

TBR Policy 4:01:05:06

IDENTIFICATION OF RED FLAGS

In order to identify relevant red flags, the college considers the types of accounts that it offers and maintains; methods it provides to open its accounts; methods it provides to access its accounts; and its previous experiences with identity theft. The following red flags are potential indicators of fraud that Tennessee Board of Regents and the College have identified. Any time a red flag or a situation closely resembling a red flag is apparent, it should be investigated for verification.

TBR Policy 4:01:05:06

Notifications and Warnings

A. Credit Reporting Agencies Red Flag Examples

A report of fraud or active duty alert in a credit or consumer report:
A notice of credit freeze from a credit or consumer reporting agency in response to a request for a credit or consumer report
A notice of address discrepancy in response to a credit or consumer report request; and,
A credit or consumer report that indicates a pattern of activity inconsistent with the history and usual pattern of activity of an applicant such as:

A recent and significant increase in the volume of inquiries;
An unusual number of recently established credit relationships;
A material change in the use of credit, especially with respect to recently established credit relationships; or,
An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.

B. Suspicious Document Red Flag Examples

Documents provided for identification appear to have been altered or forged;
The photograph or physical description on the identification document is not consistent with the appearance of the student, faculty member, staff member, and other constituent presenting the identification;
Other information on the identification document is not consistent with information provided by the person opening a new covered account or individual presenting the identification.
Other information on the identification document is not consistent with readily accessible information that is on file with the College, such as a signature card or a recent check.
An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.

C. Suspicious Personally Identifying Information Red Flag Examples

Personally identifying information provided is inconsistent when compared against other sources of information used by the College.

For example:

a. The address does not match any address in the consumer report; or

b. The Social Security number (SSN) has not been issued or is listed on the Social Security Administration's Death Master File.

Personally identifying information provided by the individual is not consistent with other personally identifying information provided by that individual. For example, a lack of correlation between the SSN range and date of birth.
Personally identifying information provided is associated with known fraudulent activity.

For example:

a. The address on an application is the same as the address provided on a fraudulent
application; or,

b. The phone number on an application is the same as the number provided on a fraudulent
application

Personally identifying information provided is of a type commonly associated with fraudulent activity.

For example:

a. The address on an application is fictitious, a mail drop, or a prison; or

b. The phone number is invalid or is associated with a pager or answering service.

The social security number provided is the same as that submitted by another person opening an account.
The address or telephone number provided is the same as or similar to the address or telephone number submitted by that of another person.
The individual opening the covered account fails to provide all required personally identifiable information on an application or in response to notification that the application is incomplete.
Personally identifying information provided is not consistent with personally identifying information that is on file with the Institution.
When using security questions (mother's maiden name, pet's name, etc.), the person opening that covered account cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.

D. Suspicious Covered Account Activity or Unusual Use of Account Red Flag Examples

Change of address for an account followed by a request to change the student’s or other constituent’s name, or a request for new, additional or replacement goods or services, or for the addition of authorized users on the account;
Payments stopped on an otherwise consistently up-to-date account;
Account used in a way that is not consistent with an established pattern of activity on that account.

For example:

a. Nonpayment when there is no history of late or missed payments

b. A material change in purchasing or usage patterns

Mail sent to the student, employee, or other constituent is repeatedly returned as undeliverable although transactions continue to be conducted in connection with the covered account;
Notice to the College that a student, employee, or other constituent is not receiving paper account statements sent by the College;
Notice to the College that a covered account has unauthorized activity; and
Awareness of a breach in the College's computer system’s security or the security of paper files, resulting in unauthorized access to or use of account information of students, employees, or other constituents.

TBR Policy 4:01:05:06

DETECTING RED FLAGS

A. Student Enrollment

In order to detect any of the red flags identified above associated with the enrollment of a student, College personnel will take the following steps to obtain and verify the identity of the person opening the covered account by:
Requiring certain identifying information such as name, date of birth, academic records, home address or other identification; - and -
Verifying the student’s identity at the time of issuance of a student identification card (i.e., review of driver’s license or other government-issued photo identification).

B. Existing Accounts

In order to detect any of the red flags identified above for an existing covered account, College personnel will take the following steps to monitor that account:
Verify the identification of the student, employee, or other covered account holder if he/she requests information (in person, via telephone, via facsimile, via email);
Verify the validity of requests to change billing addresses by mail or email and provide the student or other covered account holder a reasonable means of promptly reporting incorrect billing address changes; and
Verify changes in banking information given for billing and payment purposes.

C. Consumer (“Credit”) Report Requests

In order to detect any of the red flags identified above for an employment or volunteer position for which a credit or background report is sought, College personnel will take the following steps to assist in identifying address discrepancies:

Require written verification from any applicant that the address provided by the applicant is accurate at the time the request for the credit report is made to the consumer reporting agency; and
In the event that notice of an address discrepancy is received, verify that the credit report pertains to the applicant for whom the requested report was made and report to the consumer reporting agency an address for the applicant that the College has reasonably confirmed is accurate.

TBR 4:01:05:06; TCAT Shelbyville Security Incidence Response

RESPONSING TO AND PREVENTING/MITIGATING IDENTITY THEFT

A. Response to Red Flags

In the event College personnel detect any identified red flag, an employee must act quickly, as a rapid appropriate response can protect students, faculty, staff, other constituents and the College from damages and loss. If a potentially fraudulent activity is detected, all related documentation should be gathered and a description of the situation should be summarized and reported to the Program Administrator. The College will respond in a reasonable and timely manner to possible data breaches and indicators of identity theft IAW Computer Services Policy 08:15 Security Incidence Response found in the on grounds policies. Depending on the degree of risk posed by the red flag, appropriate actions might include:

Determine that no response is warranted under the particular circumstances;
Cancel the transaction;
Continue to monitor the covered account for evidence of identity theft;
Refusal to open a new covered account;
Contact of the student, faculty, employee, applicant (for which a credit report was run) or other applicable constituent;
Change any password or other security device that permits access to Covered Account;
Provide the affected student, faculty or staff member with a new identification number (“A” number);
Notify appropriate law enforcement;
File or assist in filing a Suspicious Activities Report (“SAR”); and/or
Determine the extent of potential liability for the College.
Close and reopen the account.

TBR 4:01:05:06; TCAT Shelbyville Policy Security Incidence Response

B. Data Breach Laws

The State of Tennessee addresses accidental disclosure of SPI data in Tenn. Code Ann. § 47-18-2101 et seq. (the Tennessee Identity Theft Deterrence Act of 1999). In addition, H.R. 2221, the Data Accountability and Trust Act, http://www.govtrack.us/congress/bill.xpd?bill=h111-2221, protects consumers by requiring reasonable security policies and procedures to protect computerized data containing personal information, requires notification following discovery of a security breach of a system maintained by any person engaged in interstate commerce who owns or possesses data in electronic form containing personal information. The following guidance applies to both Red Flag and all other identity theft situations.

The bill requires notification to each individual whose personal information was acquired by an unauthorized person as a result of such a breach of security, and to the Federal Trade Commission. The bill includes special notification requirements for third party agents, telecommunications carriers, cable operators, information services, and interactive services, and for a breach involving health information.

Personal information, as defined in the bill, is an individual’s first name or initial and last name, or address, or phone number, in combination with any one or more of the following: the individual’s social security number, driver’s license number or other State identification number, or a financial account number or credit card number and any security or access code needed to access the account. Breach notification would be exempted, however, where the person that owns or possesses the data determines that there is “no reasonable risk of identity theft, fraud or unlawful conduct” from the unauthorized data access. Breaches of encrypted data would presumptively be exempt.

Where notification is required, the bill specifies methods for and required content of notification. Written or in some circumstances email notification is required; the notice must include a description of the information acquired, notice of the right to receive free consumer credit reports, and certain relevant telephone contact numbers. Substitute notification, allowing notification to be posted on the entity’s website and in print and broadcast media, is allowed for those persons owning or possessing the data of fewer than 1,000 individuals.

TBR 4:01:05:06; TCAT Shelbyville Responsible Use; TCAT Shelbyville Data Security

C. Prevent and Mitigate

In order to further prevent the likelihood of identity theft occurring with respect to covered accounts, the College will take the following steps with respect to its internal operating procedures to protect identifying information. For full requirements please review Internal Policies and Procedures listed in Section VIII: Other Resources.

TCAT Shelbyville Data Security

Ensure that websites providing access to covered accounts are secure;

TBR Policy 4:01:05:06; TCAT Shelbyville Responsible Use;TCAT Shelbyville Data Security

Ensure that office computers with access to covered account information are password protected;

TCAT Shelbyville Data Security

Ensure that laptops are password protected;
Avoid unnecessary use of Social Security numbers;
Ensure the security of the physical facility that contains covered account information;
Ensure that transmission of information is limited and encrypted when necessary;
Ensure computer virus protection is up-to-date;
Require and keep only the kinds of individual information that is necessary for College purposes in accordance with the College’s records retention guidelines. Ensure complete and secure destruction of paper documents and computer files containing individual account information in accordance with the College’s records retention guidelines;
College policy requires that data that is classified as Confidential in the Data Security policy be stored on Tennessee College of Applied Technology - Shelbyville's network storage facilities, not on local hard drives or media.
Ensure that file cabinets, desk drawers, and any other storage space or room containing documents with Identifying Information be locked when not in use or unsupervised;
Ensure that desks, workstations, printers, copiers, fax machines, whiteboards, dry-erase boards in common shared work areas will be cleared of all Identifying Information when not in use.

Items 12 – 20 TBR Policy 4:01:05:06

Continue to monitor a covered account for evidence of identity theft;
Contact the individual or applicant (for which a credit report was run);
Change any passwords or other security devices that permit access to covered accounts;
Refuse to open a new covered account;
Provide the individual with a new individual identification number;
Notify the Program Administrator/Committee for determination of the appropriate steps taken or that need to be taken if it’s suspected that a Red Flag violation has occurred;
Notify law enforcement;
File or assist in filing a Suspicious Activity Report (“SAR”) with the Financial Crimes Enforcement Network, United States Department of the Treasury or other relevant law enforcement agency http://www.occ.treas.gov/sar.htm.
Determine that no response is warranted under the particular circumstances after investigation.

TBR 4:01:05:06; TCAT Shelbyville Responsible Use; TCAT Shelbyville Data Security

D. Protect Identifying Information

In order to further prevent the likelihood of Identity theft occurring with respect to Identifying Information, the College will take the following steps with respect to its internal operating procedures to protect individual Identifying Information.

Ensure that its website is secure or provide clear notice that the website is not secure;
Ensure complete and secure destruction of paper documents and computer files containing Identifying Information when a decision has been made to no longer maintain such information per instructions in TBR Guideline 0-70;
Ensure that office computers with access to identifying information are password protected;
Ensure that all electronic storage and transmission of identifying information follows guidelines established by the College’s Computer Services department.
Avoid use of Social Security numbers;
Ensure computer virus protection is up to date;
Require and keep only the kinds of identifying information that is necessary for College purposes;
Ensure that file cabinets, desk drawers, and any other storage space or room containing documents with Identifying Information be locked when not in use or unsupervised;
Ensure that desks, workstations, printers, copiers, fax machines, whiteboards, dry-erase boards in common shared work areas will be cleared of all identifying Information when not in use.

TBR 4:01:05:06; TCAT Shelbyville Responsible Use; TCAT Shelbyville Data Security

E. Hard Copy Distribution

Each employee and contractor performing work for the College will comply with the following rules.

Physical security will be maintained over documents containing Identifying Information related to covered accounts. Examples include keeping offices locked after hours and locking rooms and files when staff is not present.
Desks, workstations, work areas, printers and fax machines, and common shared work areas will be cleared of all documents containing Identifying Information when not in use.
Whiteboards, dry-erase boards, writing tablets, and other writing surfaces in common shared work areas, which contain identifying information, will be erased, removed, or shredded when not in use.
When documents containing Identifying Information are discarded, they will be shredded timely in accordance with TBR Guideline -070 Disposal of Records.

PART II: POLICY ADMINISTRATION

TBR Policy 4:01:05:60

A. Oversight

Operational responsibility for developing, implementing and updating this policy lies with the Program Administrator and members of the Committee representing key units of the College. The Program Administrator will be responsible for ensuring appropriate training of College staff on the Policy, for reviewing any staff reports regarding the detection of red flags and the steps for preventing and mitigating Identity theft in relation to covered accounts, determining which steps of prevention and mitigation should be taken in particular circumstances and considering periodic changes to the Policy.

The Program Administrator and head of the Committee is the Director. Responsibility for the Identity Theft Prevention Program is assigned to a Committee that may be comprised of the following positions:

Department
Program Administrator
Finance and Accounting
Human Resources
Records Office Internal Auditor

The Committee will work together and be responsible for coordinating the College’s Red Flag and Identity Theft Prevention Program, including the following:

Identifying relevant patterns, practices, and specific forms of activity that are "red flags" signaling possible Identity theft and incorporate those red flags into the program;
Detecting red flags that have been incorporated into the program; and
Responding appropriately to any red flag that is detected to prevent and mitigate theft;
Reviewing and update the Red flag and Identity Theft Prevention Program regularly, with changes approved by the Director of the College
Identifying training and education relevant to the Red Flag and Identity Theft Prevention Program; and
Developing and review policies and procedures as appropriate to the Red Flag andIdentity Theft Prevention Program.

TBR Policy 4:01:05:60 covers training

B. Staff Training and Reports

Training shall be conducted for all College employees for whom it is reasonably foreseeable that the employees may come into contact with covered accounts or Identifying Information that may constitute a risk to the College, its student, faculty, employees or other constituents. Training programs will be identified for required security training as required for staff, faculty, and adjuncts. Refresher training will be conducted on a regular basis. Failure to complete such training will lead to discipline, up to and including termination.

The training module for the College’s red flags Identity Theft Prevention Program will consist of the following:

a. Program Adoption and College Requirements

b. Purpose and Definitions

c. Covered Accounts

d. Identification of Red Flags

e. Notifications of Warnings

f. Suspicious Documents

g. Suspicious Personally Identifying Information

h. Suspicious Covered Account Activity or Unusual Use of Accounts

i. Detecting Red Flags

j. Responding to Red Flags

k. Prevention and Mitigation of Identity Theft

l. Protecting Personal Information

Requirements for Certification

a. Attendance at one of the required training sessions held during the academic year and quiz score of 90%.

b. Signed Employee Red Flags and Identity Theft Prevention Program Agreement Form

c. Confirmation of Certification

d. Certificate (signed by the College Director)

College employees are expected to notify the Program Administrator once they become aware of an incident of identity theft or of the College’s failure to comply with this policy. At least annually or as otherwise requested by the Director, the Program Administrator shall prepare a report on compliance with this Policy. The report should address such issues as effectiveness of the policies and procedures in addressing the risk of Identity theft in connection with the opening and maintenance of covered accounts, service provider arrangements, and significant incidents involving identity theft and management’s response, and recommendations for changes to the policy. Failure to do so will lead to discipline, up to and including termination. College employees who become aware of an incident of identity theft or of a failure by any College employee to comply with this policy must also notify the Department of Internal Audit.

TBR Policy 4:01:05:60

C. Service Provider Arrangements

In the event the College engages a service provider to perform an activity in connection with one or more covered accounts, the College will take the following steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft.

Require, by contract, that service providers have such policies and procedures in place; or

Require, by contract, that service providers review the College’s policy and report any red flags to the Program Administrator or the College employee with primary oversight of the service provider relationship.

Specific language for inclusion in contracts can be found in TBR Guideline G-030,Contracts and Agreements.

Whenever the College engages a third party or service to perform an activity that may include or expose SPI data, the College will review that the policies and procedures of the vendor are reasonable to detect, prevent and mitigate the risk of Identity theft.

D. Non-disclosure of Specific Practices

For the effectiveness of this identity theft prevention program and policy, knowledge about specific red flag identification, detection, mitigation and prevention practices may need to be limited to the Program Administrator and to those employees with a need to know them. Any document that may have been produced or is produced in order to develop or implement this policy and lists or describes such specific practices and information the document contains, is considered “confidential” and should not be shared with other College employees or the public.

TBR Policy 4:01:05:06

E. Policy Updates

The Program Administrator will periodically review and update this policy to reflect changes in risks to students, employees and other constituents and the soundness of the College from identity theft related to covered accounts. In doing so, the Program administrator will consider the College’s experiences with identity theft situations, changes in identity theft methods, changes in identity theft detection and prevention methods, and changes in the College’s business arrangements with other entities. After considering these factors, the Red Flag and Identity Theft Prevention Program Committee will determine whether changes to the Policy, including the listing of red flags, are warranted. If warranted, the Committee will update the policy.

Require, by contract, that service providers have such policies and procedures in place; or
Require, by contract, that service providers review the College’s policy and report any red flags to the Policy Administrator or the College employee with primary oversight of the service provider relationship.
Specific language for inclusion in contracts can be found in TBR Guideline G-030,Contracts and Agreements.

FERPA; TCAT Shelbyville Responsible Use; TCAT Shelbyville Data Security:

PART III: STANDARD PRACTICES REQUIRING SAFEGUARDS OF PERSONALLY IDENTIFIABLE INFORMATION (GRAMM-LEACH-BLILEY ACT and FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT (GLB AND FERPA)

Many offices at the College maintain files, both electronic and paper, of student biographical, academic, health, financial, and admission records. These records may also include the following:

Student billing information
Federal Perkins Loan records
Personal correspondence with students and parents

Policies to insure compliance with Gramm-Leach-Bliley Act (GLB), Family Educational Rights and Privacy Act (FERPA), system and application security, and internal control procedures provide an environment where identify theft opportunities are mitigated. Records are safeguarded to ensure the privacy and confidentiality of student, parents, alumni and employees.

The Office of Human Resources performs credit and criminal background checks on some potential employees prior to their dates of hire. This population includes background checks on all employees in the Child Development College, Allied Health, Plant Operations, Security, and other employees who have financial responsibilities. This is for any civil/criminal and motor vehicle violations (misdemeanor and felony convictions.)

Additionally, some of the clinical affiliates (hospitals) are requiring criminal background checks of all students and faculty who participate in clinical activities at their facilities. These specific background checks are not a requirement of the College and the College does not keep records on these background checks except for fail/pass status.

The College’s controls over privileged information include:

Students are given the opportunity to set up an authorized payer that enables a third party (e.g., parents or grandparents) access to their student accounts, which includes information regarding their bills only.
Access to non-directory student data in the Banner system is restricted to those employees of the College with a need to properly perform their duties. These employees are trained to know FERPA and red flag regulations.
Social Security numbers are not used as primary student identification numbers and this data is classified as non-directory student data.
Student Financial Services employees managing covered accounts are trained to know FERPA and red flag regulations.
The College is sensitive to the personal data (unlisted telephone numbers, dates of birth, etc.) that it maintains in its personnel files and databases. The College will not disclose personal information, except by written request or signed permission of the employee (or unless there is a legitimate business "need-to-know", or if compelled by law.)
Every effort is made to limit the access to private information to those employees on campus with a legitimate "need-to-know." College staff members who have approved access to the administrative information databases understand that they are restricted in using the information obtained only in the conduct of their official duties. The inappropriate use of such access and/or use of administrative data may result in disciplinary action up to, and including, dismissal from the College.
The College’s official personnel files for all employees are retained in the Human Resources Office. Employees have the right to review the materials contained in their personnel files.
The College’s School of Nursing and Allied Health Sciences each has policies and procedures relating to obtaining and safeguarding information obtained through background checks of students.
The College has policies that address the safeguarding of various forms of confidential information. Those policies include:

a. FERPA Rights

b. Records Retention

Staff who have access to HR and payroll data have received training that non-directory information regarding employees is not to be provided unless approved in writing by the employee.
The student is required to give written authorization to the Registrar’s Office if his/her information is permitted to be shared with another party. A FERPA disclosure statement is distributed to the students each year informing him/her of his/her rights under FERPA.
Social Security numbers are not used as identification numbers and this data is classified as confidential
All paper files, when not in use, must be stored in locked filing cabinets. All offices must be secured during normal business hours and, when not occupied, are to be locked.
Access to confidential employee data in the College’s human resources and payroll systems is restricted to only those employees who have a need to know and for proper execution of their job functions. These employees receive training related to FERPA and “red flag” regulations
Employees and students are requested to report all changes in name, address, telephone number or marital status to the Office of Human Resources and/or the Registrar’s Office as soon as possible.
Any information classified as confidential contained within the personnel file remains confidential. Employees have the right to review the information contained in their personnel files.

The Tennessee Public Records Act is found in Tenn. Code Ann. § 10-7-101 et seq. and the sections that follow it. For purposes of access to public records, the operative provision is found in Tenn. Code Ann. § 10-7-503, which reads: “All state, county, and municipal records ... shall at all times, during business hours, be open for public inspection by any citizen of Tennessee, and those in charge of such records shall not refuse such right of inspection to any citizen, unless provided by state law.

“Records” are defined in Tenn. Code Ann. § 10-7-301(6) as “all documents, papers, letters, maps, books, photographs, microfilms, electronic data processing files and output, films, sound recordings, or other material, regardless of physical form or characteristics made or received pursuant to law or ordinance or in connection with the transaction of official business of any governmental agency.”

TBR Policy 4:01:05:60; TCAT Shelbyville Policy 08:13 Computer Passwords; TCAT Shelbyville Policy 08:14 Responsible Use; TCAT Shelbyville Policy 08:16 Data Security; TCAT Shelbyville Policy 08:18 Network Access

PART IV: GENERAL METHODS OF PREVENTING AND MITIGATING IDENTITY THEFT

Tennessee College of Applied Technology - Shelbyville has developed this program and policy to prevent and mitigate identity theft – Red Flag or Identifiable Information. Each department may have a unique set of interactions, transactions, and activities to be performed with students or staff in order to provide prevention and mitigation of identity theft. Proper procedures and training must take place at the departmental level to protect sensitive information, detect the situations that indicate identity theft, and guard against risks that might arise from that unit. This policy covers electronic records of people in Banner and any other system that stores sensitive personal information that could be used for identity theft. This policy also applies to paper and hard copy records that contain sensitive information.

TBR Policy 4:01:05:60

A. Verification of Identity

Review Sources of Personal Identification – Watch for documents provided that appear to have been forged or altered, a photograph or physical description that is not consistent with appearance, addresses or names that do not match other records or information on file, documents that appear to have been destroyed and reassembled, and documents provided that are not consistent when compared against external information sources.
Review Official Documents – Verify names, nicknames or full names that do not match other records, Social Security numbers that are duplicate or do not match information already on file, incomplete addresses or mail drops, incomplete personally identifying information submitted, and inability of an account holder to provide authenticating information when asked
New Records - When students or employees are added or modified in Banner or other systems, as much personally identifying information as possible should be gathered, verified and recorded. This information can be used in later steps to reduce the chance of fraud and increase the detection of suspicious activity.
Persons conducting identity verification should ask for both internal identification (College ID Card or ID number) and an additional outside ID that are not already recorded in Banner (e.g., driver’s license, other photo ID, passport) for proof of identity.
Identification Card (Campus ID) Issuance – Campus ID Cards are used for a wide range of identification.

When issuing cards, the person must already exist in Banner and at least one additional outside picture identification will be provided.

Manage Release of Information – Strengthen verification of the identity of people who request information (in person, via phone, via email). Monitor requests for transcripts, statements, or other information for possible fraud.
Review SSN and date-of-birth discrepancies that may be submitted through the Admissions/FAFSA process.
Audit for duplicate SSN’s in Banner to correct account creation or modification errors.

Future BDMS

B. Document Imaging System

Scan driver’s license or other government-issued photo ID for ongoing identification verification (document imaging system)
Capture account holder signatures for further verification and comparison to other documents (document imaging system)

TCAT Shelbyville Computer Passwords; TCAT Shelbyville Responsible Use; TCAT Shelbyville Data Security; Live.edu account Password Reset

Create better account verification questions and answers based on Banner data elements (shared among many departments). There should be three to five questions to assist in authenticating identity.

C. Authenticate Students and Employees

Require strong authentication methods (across all systems) for students and staff to access and maintain their records and perform transactions.
Monitor systems and logs for repeated account lockouts or failed password attempts.
Change account credentials, PIN’s or passwords if theft or compromise is suspected – if a suspicious activity or red flag indicator is presented that points to a reasonable likelihood of compromise, account and user credentials should be modified to block access until use and identification can be verified.
Require identity confirmation to perform manual PIN or password resets (that can’t be completed through self-service modules).
Increase the strength of the Banner credential (tie to domain credential)
Strengthen “self-service” PIN reset process (security question and answer).
Strengthen manual PIN reset process and coordinate between multiple offices (authenticating identity, creating a secure PIN, required change on first login)
Provide an email confirmation to account holders for manual PIN resets through self-service
Audit for frequent manual PIN or password resets, or other significant credential changes and might indicate hacking or other credential abuse.
Eliminate SSN as alternate credential (ID number)
Eliminate birth date as initial PIN
Implement a password change policy (across all systems)

TBR Policy 4:01:05:60

D. Monitor Transactions or Account Activity

Departments should develop a matrix of transactions that can be tracked and monitored for red flags and other suspicious activity (credential abuse, check refunds, etc.).
Verify Address Changes – Address changes are one common area where identity theft can begin. Changing addresses may provide access to other printed material that can be used in theft of information.
Match address changes to postal service records (is it a valid address?)
Monitor returned mail, incomplete address records.
Audit for no active mailing address, but ongoing account activity.
Email confirmation of certain address changes.
External partners or reporting agencies may provide fraud or active duty alerts. Request notices of a credit freeze, notices of address discrepancies, a recent increase in volume of inquiries, an unusual number of recent credit relationships, accounts being closed or identified for abuse.
Track alerts and notifications from the IRS that a Social Security number is wrong or a duplicate (student or employee tax information).
Monitor credit card charge disputes that may indicate fraud or abuse.
Monitor for suspicious account activity – address changes followed by a refund request, rapid increase in activity level or inquiry level, mail sent that is returned multiple times as undeliverable, documents or checks submitted that match other fraudulent activity (bounced checks, etc.), missing statements/invoices or other paper records, unusual cancelling of transactions, personally identifying information that is associated with other fraudulent activities (scams, phishing).
Monitor alerts from students or employees reporting their information has been misused (victims), reports from law enforcement about identity theft and fraud, reports from others about suspicious activity pertaining to a student or employee (identity has been stolen and is now being misused).

TBR Policy 4:01:05:60; TCAT Shelbyville Responsible Use; TCAT Shelbyville Data Security; TCAT Shelbyville Network Access

Contact/notify the student or employee to verify activities or transactions – the monitoring of routine transactions to determine unusual use patterns or suspicion of inappropriate activity may require personal contact or notification of the student or employee.

E. Create and Maintain a Secure Online Environment

Maintain strong control over data – all institutional data should be carefully guarded and controlled. Sensitive Personal Information (SPI) requires ever greater management. Extra safeguards must be in place to not distribute SPI more broadly than required. Keeping SPI data stored centrally, as much as possible, is the first step in managing its use.
Ensure that campus computers are secure - ensure that office computers are password protected, up-to-date, with virus protection, security firewalls, and strong credentials. Encrypt data stored on desktop and laptop devices to reduce risk of theft or loss. Require secure access to wireless networks.
Ensure the websites and other online resources are secured - Ensure that servers, websites and databases are well protected, regularly tested, and up-to-date. Perform regular audits of systems, servers, services, and logs to assure data security.
Monitor for suspicious network activity and might indicate keystroke loggers, or other malware used to capture device activity. Network sensors, firewalls, intrusion detection systems and reports can be used.
Lock down compromised accounts and require password resets and user notification in the event of suspicious account activity or release/communication of credentials.
Regularly audit desktop, laptop, and server security procedures and policies to assure a high level of protection is in place. Perform penetration testing to confirm security of resources.
Limit access to the Social Security number field in Banner.
Automate permission creation and maintenance based on attributes stored in Banner that govern access.

TBR Guideline G070 Disposal of Records; TCAT Shelbyville Responsible Use; TCAT Shelbyville Data Security

F. Hard Copy and Electronic Record Protection

All College employees must take steps to protect sensitive personal information they have access to or collect from students and staff. The following policies and procedures should be followed.

Hard copy records

File cabinets, desk drawers, or other storage locations that contain documents with sensitive information will be locked and secured when not in use.
Paper documents containing sensitive information will not be left on desks, tables, work areas, printers, fax machines, or other non-secure locations.
Documents containing sensitive information will not be stored longer than is needed and will be securely destroyed and discarded when no longer needed. Examples are

Identified paper/hard copy records to be reviewed;
Income Tax returns stored for Financial Aid processing;
Paper registration and student files (registration, internships, others ;)
Employee forms that contain SPI data.

Electronic records

Electronic records that contain SPI data shall be stored and maintained on central servers. Whether the record is in a database form, an email message, a Word or Excel document – the most effective method to protect the data is to know where it is stored.
While email is a convenient messaging tool, AVOID transmitting confidential or sensitive personal information through email, without appropriate encryption protection. Messages can be potentially intercepted as they travel across the internet, and once data is transmitted via email the opportunity to contain the distribution is lost.
SPI data shall not be stored on portable media (e.g., CD’s, DVD’s, USB drives, or removable hard disk drives).
SPI data (and most other campus/employee data for that matter) shall not be stored on home computers or personally owned mobile devices without appropriate encryption protection.

Certain information should not be kept

Compliance with Payment Card Industry-Data Security Standards (PCI-DSS) requires that credit card transactions not be stored within on-campus databases or on local servers that have not passed external audit controls. This means that a third-party payment processor will be used for all online transactions that process credit card payments.

TBR 4:01:05:60;

G. Awareness and Prevention Techniques

Inclusive of the College’s red flags Identity Theft Prevention Program, other awareness processes and/or practices relative to policies and prevention techniques regarding identity theft have been identified. For example:

Provide appropriate policies, procedures and standards to document best practices for data security, identity theft tricks and techniques, emerging tools to reduce the risk and mitigate the occurrences of fraud and misuse. Publish guidelines and procedures as appropriate.
Create a culture or awareness and knowledge about Identity theft, and the procedures in place to mitigate the risk.
Require FERPA training for all employees that have regular access to academic records (to include academic records in addition to the SPI data that could be used for identity theft).
Establish Security Awareness Month (including identity theft and FERPA awareness)
Encourage employees to request copies of credit reports at least once a year.
Annual FERPA “refresher” for all employees that access academic records.
Create an online "refresher" user security training program.
Provide appropriate policies, procedures and standards to inform departmental employees regarding identity theft and the indicators outlined under this policy. Publish guidelines and procedures as appropriate.
Require VPN training for all employees provided off-campus access to secure centralized resources.

PART V: RESOURCES

External

Fair and Accurate Credit Transactions Act of 2003 (FACTA) Public Law 108-159
http://www.gpo.gov/fdsys/pkg/PLAW-108publ159/pdf/PLAW-108publ159.pdf.

Gramm-Leach-Bliley Act
http://www.ftc.gov/privacy/glbact/glbsub1.htm.

Family Education Rights and Privacy Act (FERPA)
http://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html.

Tennessee Public Records Act is found in Tenn. Code Ann. § 10-7-101.
http://www.tcog.info/law/law.htm.

Tennessee Public Records Act is found in Tenn. Code Ann. § 10-7-301 (6).
http://www.comptroller.tn.gov/openrecords/pdf/CJEPresentation8-14-08.pdf.

Tennessee Public Records Act is found in Tenn. Code Ann. § 10-7-503.
http://www.tcog.info/law/law.htm.

Tennessee Board of Regents Policy 1:08:00:00 Information Technology Resources
http://www.tbr.state.tn.us/policies/default.aspx?id=4862.

Tennessee Board of Regents Policy 4:01:05:06 Identity Theft Prevention Policy
http://www.tbr.state.tn.us/policies/default.aspx?id=5698.

Tennessee Board of Regents Guideline G-030, Contracts and Agreements
http://www.tbr.state.tn.us/policies/default.aspx?id=1722.

Tennessee Board of Regents Guideline G-070, Disposal of Records
http://www.tbr.state.tn.us/policies/default.aspx?id=1726.

Financial Crimes Enforcement Network, United States Department of the Treasury
http://www.occ.treas.gov/sar.htm

Search form