Financial and Business

Red Flag Identity Theft Prevention Program

Section: Financial & Business Policies
Policy Name: Red Flag Identity Theft Prevention Program
Policy Owner: Executive Vice President
Responsible University Office: Office of the Vice President For Finance and Deputy Treasurer
Origination Date: November 2, 2009
Revisions: January 2013
Legacy Policy Number: 3-29

    This policy addresses the University’s procedures for detecting, preventing, and mitigating identity theft in connection with “covered accounts” as indicated by the Identity Theft Red Flag Rule (Sections 114 and 315 of the Fair and Accurate Credit Transactions Act). This policy is intended to detect, prevent, and mitigate opportunities for identity theft at the University of Delaware. The Red Flag Rule applies to the University because of its participation in the Perkins and Nursing Loan programs, its small emergency loan program, the extension of credit for student accounts, the UD1 Flex stored value card, and the fact that the University requests credit reports for some potential employees.

    Analysis of the type and scope of activity covered in the regulation and the risk assessment of potential identity theft opportunities has resulted in a determination that there is a low level risk of possible identity theft at the University. However, the risk to the University and its students, faculty, staff, and other customers from data loss and identity theft is of significant concern to the University and the University will make reasonable efforts to detect, prevent and mitigate identity theft associated with an account. This policy is intended to work in conjunction with University policies involving institutional data, health privacy, and privacy and release of student educational records as well as any other privacy and security standards and requirements.

    1. Safeguarding of Records: The University maintains files, both electronic and paper, of employment records and student biographical, academic, health, financial, and admission records. These records may also include student billing information, Perkins and Nursing Loan records, and personal correspondence with students and parents. Existing policies provide an environment where identity theft opportunities are mitigated. These policies include:
      1. Gramm-Leach-Bliley Act (GLB) Legacy Policy 1-23
      2. Family Educational Rights and Privacy Act (FERPA) Legacy Policy 4-20
      3. Protect Personal Information Legacy Policy 1-22
      4. Information Security Policy Legacy Policy 1-15
      5. Access to Personnel Records Legacy Policy 4-18
      6. Departmental Information and Record Management Policies Legacy Policy 1-13
    2. Detecting Red Flag Activity: University staff should be watchful for suspicious activity. Some examples of potential fraudulent activity are:
      1. Multiple address discrepancies;
      2. Presentation of suspicious documents;
      3. Photograph or physical description on the identification that is not consistent with the appearance of the person when required to present identification;
      4. Personal identifying information provided that is not consistent with other personal identifying information on file with the University;
      5. Documents provided for identification that appear to have been altered or forged;
      6. Unusual or suspicious activity related to covered accounts;
      7. Notification from students, borrowers, law enforcement, or service providers of unusual activity related to a covered account;
      8. Notification from a credit bureau of fraudulent activity.
    3. Response: Should an employee identify a “red flag” (patterns, practices or specific activities that signal possible identity theft), the employee should immediately bring it to the attention of the Director of Billing and Collection, who will investigate the threat of identity theft to determine if there has been a breach and will respond appropriately to prevent future identity theft breaches. Additional actions may include:
      1. Monitoring the account for evidence of identity theft;
      2. Denying access or closing the covered account until other information is available to eliminate the red flag;
      3. Changing passwords or security codes that permit access to covered accounts;
      4. Notifying the student or employee of the attempted fraud;
      5. Notifying and cooperating with appropriate law enforcement.
    4. Enforcement
      1. A committee will be appointed to oversee the University’s compliance to these regulations.
      2. All University staff with access to “covered accounts” will participate in “Red Flag Training” developed by the committee appointed to the oversight of this policy.
      3. Third-party vendors used for loan or collection activity must confirm their compliance to the Red Flag Rules.
      4. Anyone claiming to be the victim of identity theft should be directed to Public Safety to file a police report.
    5. Oversight of Service Providers
      1. The University employs University Accounting Service Inc. (UAS), a loan servicer, for the purpose of billing and collection of Perkins and Nursing loan payments. The only information that is shared with UAS is information required to bill and collect loan payments as established by the United States Department of Education. This includes student name, address, telephone number, social security number, and date of birth. The University will collect and maintain documents from UAS attesting to their compliance with “Red Flag Rules”.
    6. Updates
      1. This policy will be re-evaluated annually to determine whether all aspects of the program are up-to-date and applicable in the current business environments, and revised as necessary. Operational responsibility of the program is delegated to the Assistant Vice President for Treasury Services.