Siri Strom, Controller
Vice President of Support Services
Date of Approval: November 29, 2011
Date of Last Revision:
Next Review Date:
Heritage University has a formal identity theft program to safeguard the identity and privacy of faculty, staff, students, and donors from all types of theft. This policy is required of any institution engaged in lending activity.
Reason for Policy/Purpose
Heritage University (the University), in response to a growing problem of identity theft, endeavors to safeguard personal and private information of its faculty, staff, students and donors. Additionally, the University understands the importance of complying with applicable federal regulations under sections 114 and 315 of the Fair and Accurate Credit Transactions Act (FACT Act) of 2003 to establish an Identity Theft Prevention Program designed to detect, prevent and mitigate identity theft in connection with conducting University business, as defined by federal regulations.
Who Needs to Know this Policy
This policy applies to all employees of Heritage University.
Website Address for this Policy
Vice President for Support Services
Identity Theft: fraud committed or attempted using the identifying information of another person without authority.
Covered Accounts include: a consumer account that involves multiple payments or transactions, such as a loan or account that is billed or payable monthly.
- Heritage University Education Loan Agreement for Deferred Tuition Payments
- Federal Perkins Loan Program
- Student Emergency Loan Program
- Employee Advance Program
- Other Student Accounts Related to Loans
- Sallie Mae Tuition Payment Plans
Red Flag: patterns, practices and specific activities that signal possible existence of identity theft.
Identifying Information: any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including: name, address, telephone number, social security number, date of birth, government issued driver's license or identification number, alien registration number, government passport number, employer or taxpayer identification number, student identification number, computer's Internet Protocol address, or routing code.
Heritage University establishes an Identity Theft Prevention Program (the Program) to detect, prevent and mitigate identity theft. The Program shall include reasonable policies and procedures to:
- Identify relevant red flags for new and existing covered accounts and incorporate those red flags into the program.
- Detect red flags that have been incorporated into the Program.
- Respond appropriately to any red flags that are detected to prevent and mitigate Identity Theft; and
- Ensure the Program is updated periodically to reflect changes in risks to customers or to the safety and soundness of the creditor from identity theft.
Administration of the Program:
- The Vice President of Support Services shall be responsible for the development, implementation, oversight and continued administration of the Program.
- The Program shall train staff, as necessary, to effectively implement the Program; and
- The Program shall exercise appropriate and effective oversight of service provider arrangements.
Identification of Red Flags
In order to identify relevant Red Flags, the University considers the types of accounts that it offers and maintains, the methods it provides to open accounts, the methods it provides to access its accounts, and its previous experiences with Identity Theft.
- The Program shall include relevant red flags from the following categories as appropriate:
  - Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services;
  - The presentation of suspicious documents;
  - The presentation of suspicious personal identifying information;
  - The unusual use of, or other suspicious activity related to, a covered account;
  - Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts.
- The Program shall consider the following risk factors in identifying relevant red flags for covered accounts as appropriate:
  - The types of covered accounts offered or maintained;
  - The methods provided to open covered accounts;
  - The methods provided to access covered accounts; and
  - Its previous experience with identity theft.
Detection of Red Flags
The Program shall address the detection of red flags in connection with the opening of covered accounts and existing covered accounts, such as by:
- Obtaining identifying information about, and verifying the identity of, a person opening a covered account; and
- Authenticating customers, monitoring transactions, and verifying the validity of change of address requests in the case of existing covered accounts.
The Program shall provide for appropriate responses to detected red flags to prevent and mitigate identity theft. The response shall be commensurate with the degree of risk posed. Appropriate responses may include:
- Monitor a covered account for evidence of identity theft;
- Contact the customer;
- Change any passwords, security codes or other security devices that permit access to a covered account;
- Reopen a covered account with a new account number;
- Not open a new covered account;
- Close an existing covered account;
- Notify law enforcement; or
Updating the Program
The Program shall be updated periodically, at least every 3 years or more often as needed, to reflect changes in risks to customers or to the safety and soundness of the organization from identity theft based on factors such as:
- The experiences of the organization with identity theft;
- Changes in methods of identity theft;
- Changes in methods to detect, prevent and mitigate identity theft;
- Changes in the types of accounts that the organization offers or maintains;
- Changes in the business arrangements of the organization, including mergers, acquisitions, alliances, joint ventures and service provider arrangements.
Oversight of the Program
Responsibility for developing, implementing and updating the Program lies with an Identity Theft Committee (“Committee”) for the University. The Committee is headed by the Vice President of Support Services. The Committee will consist of the Vice President for Advancement, the Assistant Vice President for Financial Operations, the Director of Admissions, the Director of Financial Aid, the Director of Information Technology and the Registrar. The Committee leader will be responsible for ensuring appropriate training of University staff on the Program, for reviewing any staff reports regarding the detection of Red Flags and the steps for preventing and mitigating Identity Theft, determining which steps of prevention and mitigation should be taken in particular circumstances and considering periodic changes to the Program.
Staff Training and Reports
University staff responsible for implementing the Program shall be trained either by or under the direction of the Program Administrator in the detection of Red Flags and the responsive steps to be taken when a Red Flag is detected.
- University staff shall be trained, as necessary, to effectively implement the Program.
- University employees are expected to notify the Program Administrator once they become aware of an incident of Identity Theft or of the University’s failure to comply with this Program.
- At least annually or as otherwise requested by the Program Administrator, University staff responsible for development, implementation, and administration of the Program shall report to the Program Administrator on compliance with this Program.
- The report should address such issues as effectiveness of the policies and procedures in addressing the risk of identity theft in connection with the opening and maintenance of Covered Accounts, service provider arrangements, significant incidents involving identity theft and management’s response, and recommendations for changes to the Program.
Service Provider Arrangements
In the event the University engages a service provider to perform an activity in connection with one or more Covered Accounts, the University will take the following steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of Identity Theft.
- Require, by contract, that service providers have such policies and procedures in place; and
- Require, by contract, that service providers review the University’s Program and report any Red Flags to the Program Administrator or the University employee with primary oversight of the service provider relationship.
- Carry liability insurance coverage for providing these services to the University.
Non-disclosure of Specific Practices
For the effectiveness of this Identity Theft Prevention Program, knowledge about specific Red Flag identification, detection, mitigation and prevention practices may need to be limited to the Committee who developed this Program and to those employees with a need to know them.
- Any documents that may have been produced or are produced in order to develop or implement this program that list or describe such specific practices, and the information those documents contain, are considered "Confidential" and should not be shared with other University employees or the public.
- The Program Administrator shall inform the Committee and those employees with a need to know the information of those documents or specific practices which should be maintained in a confidential manner.
Related Policies and Resources
Identity Theft Prevention Program Policy