Red Flags Identity Theft Prevention Policy

The University at Buffalo (UB, university) has established a Program to detect, prevent, and mitigate activities related to identity theft with respect to University Covered Accounts. The Red Flags Identity Theft Prevention Program includes:

• Designation of the Associate Vice President and Controller as the University Program Administrator
• Guidance for the development of departmental Red Flags Rule Procedures for:
  • Identifying departmental Covered Accounts
  • Detecting potential indications of identity theft
  • Responding to potential or actual incidents of identity theft
  • Training employees on the Red Flags Rule Procedures
  • Mitigating risks associated with identity theft related to Covered Accounts
• Periodic evaluation and update of the Program to reflect the current threat environment
• Monitoring service providers and service provider agreements to ensure that providers have adequate identity theft prevention programs in place
• Retaining records relevant to the Program, including:
  • The Red Flags Identify Theft Prevention Policy
  • The departmental Red Flags Rule Procedures
  • Documentation on instances of significant identity theft and attempted identity theft
  • Contracts with service providers that perform activities related to Covered Accounts

The Federal Trade Commission (FTC) Red Flags Rule 16 C.F.R. Part 681.1, as pursuant to the Fair and Accurate Credit Transactions Act (FACTA), requires the development and implementation of a written identity theft prevention, detection, and mitigation program. The purpose of the program is to detect patterns, practices, and specific forms of activity that indicate the existence of identity theft and prevent an individual from using false identifying information to obtain goods, services, or credit.

The FTC rule 16 C.F.R. Part 641requires development of policies and procedures in association with debit cards and change of address requests to assess the validity of a request for a change of address that is followed closely by a request for an additional or replacement card.

The FTC rule 16 C.F.R. Part 681.2 requires development of policies and procedures to verify when a notice of address discrepancy is received from a consumer reporting agency in response to a credit check.

This policy applies to all university entities and employees, students, contractors, service providers, and volunteers who have access to Covered Account information.

Covered Account

For purposes of the UB Red Flags Identity Theft Prevention Program, a Covered Account includes the following:

An account that receives multiple payments or transactions, deferred payments, extensions of credit, loans, or which establishes a continuing relationship with an individual who has received services from the university (e.g., student accounts, tuition payment plans, patient accounts, accounts associated with student lending activity, debit cards for use at off-campus vendors).

Any other new or existing account that may pose a reasonably foreseeable risk to consumers or the institution from identity theft due to information retained and/or maintained by the institution. This includes single transaction, one-time payment accounts or records that may be vulnerable to identity theft because of the information collected and retained such as date of birth, copies of checks, credit card numbers, social security number, and other personal identifying information.

Identity Theft

Any use or attempt by an individual to use another person’s identifying information to obtain a thing of value to which the individual is not entitled including, but not limited to money, credit, goods, or services such as education or medical care.

Notice of Address Discrepancy

Notice from a consumer reporting agency indicating a substantial difference between the address provided by the employee or applicant and the address the consumer reporting agency has on file.

Personal Identifying Information

Any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including:

• Name, social security number, date of birth, official state or government-issued driver license or identification number, alien registration number, government passport number, employer or taxpayer identification number
• Unique biometric data, such as fingerprint, voice print, retina or iris image, or other
• Unique physical representation
• Unique electronic identification number, address, or routing code
• Debit/credit card or any other access device including any card, plate, code, account number, electronic serial number, mobile identification number, personal identification number; other telecommunications service, equipment, or instrument identifier; or other means of account access that can be used, alone or in conjunction with another device to obtain money, goods, services, other items of value, or to initiate a transfer of funds

Red Flag

A pattern, practice, or specific activity that indicates the possible existence of identity theft.

Service Provider

Contractor engaged by the university to perform an activity in connection with a Covered Account.

• Implement the Red Flags Identity Theft Prevention Program.
• Periodically evaluate the Program considering incidents of and attempts at identity theft, and update to reflect the current threat environment.
• Take necessary corrective action if it is determined that a department is not adequately guarding against threats of identity theft.
• Ascertain that service provider agreements are monitored so that, where applicable, such providers have adequate identity theft prevention programs in place.
• Retain records relevant to the Program, including:
  • Red Flags Identify Theft Prevention Policy
  • Documentation on instances of identity theft and attempted identity theft
  • Allow auditors and compliance officers access to the records
• Schedule periodic reviews of departmental Red Flags Rule Procedures.

• Document the department’s Red Flags Rule Procedures.
• Report incidents of identity theft by completing the Red Flags Incident Reporting form and submitting a copy to their supervisor and the University Program Administrator.
• Report noncompliance with the Red Flags Rule Procedures to their supervisor, and if unresolved, to the University Program Administrator.
• Maintain relevant records and make them available for review, including:
  • Red Flags Rule Procedures
  • Documentation on training, including name, title, and date
  • Documentation on instances of and attempts at identity theft
  • Contracts with service providers that perform activities related to Covered Accounts
  • Annually review the departmental Red Flags Rule Procedures to identify new Covered Accounts, changes to existing Covered Accounts, and changes in procedures for detecting, mitigating, and preventing identity theft.  Maintain documentation of the annual review
• Develop departmental awareness of the Red Flags Identity Theft Prevention Policy and appropriate responses to incidents of attempted identity theft.

• Perform the day-to-day application of the Red Flags Rule Procedures to Covered Accounts by detecting and responding to red flags.

• Notify their Red Flags Rule Contact Person, supervisor, or the University Program Administrator if they become aware of an incident of identity theft or a failure to comply with the Red Flags Rule Procedures.

The UB Red Flags Identity Theft Prevention Program requires that each department with Covered Accounts develop Departmental Red Flags Rule Procedures that consist of the following components:

1. Identify Covered Accounts
2. Identify Red Flags
3. Detect Red Flags
4. Respond to Detected Red Flags
5. Train Responsible Staff
6. Monitor Service Providers
7. Update the Program and the Departmental Red Flags Rule Procedures

Departmental Red Flags Rule Procedures must be approved by a senior manager within the unit and maintained in the department.  A template is available to assist departments in the development of their procedures.

University departments are responsible for determining whether they have oversight of Covered Accounts. The Departmental Red Flags Rule Procedures template provides helpful information for identifying Covered Accounts. Departments having Covered Accounts must develop their Red Flags Rule Procedures and include a list of their Covered Accounts.

Each department will identify the red flags associated with their Covered Accounts taking into consideration the types of accounts offered and maintained, the methods provided to open and access accounts, and previous experiences with identity theft.

The following types of notices, documents, personal information, and activities may be indicators or red flags that an individual’s identity may be compromised.

Suspicious Documents

• Documents provided for identification appear to have been altered or forged.
• The photograph and/or physical description on the identification is not consistent with the appearance of the customer presenting the identification.
• Other information on the identification is not consistent with information provided by the person opening an account or presenting the identification.
• Other information on the identification is not consistent with readily accessible information that is on file with the university.
• An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.

Suspicious Personal Identifying Information

• Personal identifying information provided is not consistent with external information sources used by the university.
• Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer.
• Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the University.
• Suspicious addresses are supplied, such as a mail drop or phone numbers associated with pagers or an answering service.
• The social security number provided is the same as that submitted by another individual opening an account or another customer.
• The address or telephone number provided is the same as or similar to the address or telephone number submitted by an unusually large number of other persons opening accounts or to another customer.
• The person opening the account fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.
• Personal identifying information provided is not consistent with personal identifying information that is on file with the university.
• If the university uses a challenge question, the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.

Unusual Use of, or Suspicious Activity Related to, the Covered Account

• Shortly following the notice of a change of address, the university is made aware of a new cell phone number or the addition of authorized users on the account.
• A new revolving credit account is used in a manner commonly associated with known patterns of fraud.
• An account is used in a manner that is not consistent with established patterns of activity on the account.
• An account that has been inactive for a reasonably lengthy period of time is used.
• Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the account.
• Unusual credit activity such as an increased number of accounts or inquiries.

Notice from Customer, Victims of Identity Theft, Law Enforcement Authorities, or Other Persons Regarding Possible Identity Theft in Connection with Covered Accounts

• The university is notified that the customer is not receiving paper account statements.
• The university is notified of unauthorized charges or transactions in connection with a customer's account.
• The university is notified by a customer, victim of identity theft, law enforcement authority, or any other person that a fraudulent account has been opened.

Alerts, Notifications, or Warnings from a Consumer Reporting Agency

• A fraud or credit alert is included with a consumer report.
• A notice of credit freeze on a consumer report is provided from a consumer reporting agency.
• A consumer reporting agency provides a notice of address discrepancy.
• A consumer report indicates a pattern of activity inconsistent with the history and usual pattern of activity of a customer.

Compromised Systems

• Detection of compromised or breached systems that store Covered Accounts or personally identifiable information.

Additional Red Flags

• Additional red flags may be identified by UB entities, units, and/or departments for specific types of Covered Accounts.

Departments should develop and implement procedures to detect red flags associated with opening new or accessing existing Covered Accounts.

• Monitor account transactions for possible red flags. Require certain identity information such as name, date of birth, residential or business address, driver license, or other photo identification.
• Require multi-factor identification before conducting any transaction over the phone that relates to a Covered Account.
• Require that online transactions come through a secure, password protected portal in accordance with the Standards for Securing Regulated Private Data policy.
• Thoroughly follow up on each billing inquiry, especially inquiries regarding services not received and/or billing errors.
• Verify the validity of a change of address request on an existing account and provide the customer with a means to promptly report an incorrect address.

Departments should respond appropriately to detected red flags in order to prevent and mitigate identity theft. The response should be commensurate with the degree of risk posed.

Once potentially fraudulent activity is detected, an employee must act quickly as a rapid response can protect customers and the university from damages and loss.

If red flags are detected, one or more of the following steps may be taken:

• Monitor the Covered Accounts for evidence of identity theft
• Request additional documentation to validate identity
• Contact the consumer and verify if the activity is fraudulent
• Where appropriate, disable access or change passwords, security codes, or other security devices
• Close the Covered Account, and if needed reopen with a new account number
• Refuse to open a new Covered Account for the customer
• Notify the department’s Red Flags Contact Person and, the university’s Program Administrator
• Determine if law enforcement should be notified and if a Suspicious Activity Report (SAR) should be filed
• Not pursue collection of an account
• Other responses as determined by the department
• Determine that no response is warranted under the particular circumstances

When a Notice of Address Discrepancy is received from a consumer reporting agency indicating the address given by the employee or applicant differs from the address the consumer reporting agency has on file, the following steps are recommended to reasonably confirm that the address is accurate:

• Determine that the consumer report individual is a match to the employee or applicant for which it was requested
• Verify the address with the employee or applicant
• Verify the address of the employee or applicant through a review of the individual’s records, a third party source, or other reasonable method
• If an accurate address is confirmed, the department will provide the employee or applicant’s address to the consumer reporting agency from which it received the Notice of Address Discrepancy if:
  • A continuing relationship is established with the employee or applicant
  • In the ordinary course of business, information is regularly provided to the consumer reporting agency

When a change of address request is followed within 30 days by a request for an additional or replacement card, an additional or replacement card will not be issued until validity of the address change has been determined. Validity of requests for duplicate or replacement cards may be established by:

• Providing written or electronic notification to the cardholder of the request for an additional or replacement card
• Providing the cardholder with reasonable means of promptly reporting address changes

Each department having Covered Accounts will compile a list of their staff that are responsible for performing the day-to-day application of the Red Flags Rule Procedures to a specific Covered Account.

Responsible staff should receive training on the UB Red Flags Identity Theft Prevention Program and their department’s Red Flags Rule Procedures. The departmental Red Flags Rule Contact Person is responsible for maintaining documentation on training, including the employee’s name, title, and date training occurred.

The university will exercise appropriate and effective oversight of arrangements with service providers having access to Covered Accounts. Third party contractors and service providers are expected to be compliant with federal, state, and local laws and regulations as well as UB policies and procedures pertaining to identity theft prevention. Specific terms and issues of compliance must be addressed in the individual contractual agreements, and will include requiring service providers to:

• Have identity theft prevention policies and procedures in place
• Review the UB Identity Theft Prevention and Red Flags Policy and the departmental Red Flags Rule Procedures
• Report relevant red flags

Departments will identify service providers with access to Covered Accounts. The department’s Red Flags Contact Person will submit the service providers’ names and contact information in writing to the University Program Administrator on an annual basis.

The UB Identity Theft Prevention Program and associated departmental Red Flags Rule Procedures will be periodically evaluated. The University Program Administrator will monitor changes in legal requirements in the area of identity theft to determine if changes in the University’s Program are warranted.  Departments will review their Red Flags Rule Procedures annually and revise considering:

• Incidents of and attempts at identity theft
• Changes in identity theft methods
• New procedures for detecting, mitigating, and preventing identity theft
• Changes in the types of Covered Accounts maintained by the department
• Changes in business and service provider arrangements

Documentation of the review must be maintained in the department.