Policy: Policy 7-4-3: Identity Theft Prevention Policy Date Adopted: Apr 01, 2009
Department: Finance & Administration Contact: Vice President of Finance and Administrative Services
Statement: Detection, identification and mitigation of identity theft

Western Nevada College (WNC) developed and implemented this Identity Theft Prevention Program pursuant to the Federal Trade Commissions Red Flags Rule, which implements Section 114 of the Fair and Accurate Credit Transactions Act of 2003. In recognition that some activities of WNC are subject to the provisions of this Rule as promulgated by the Commission, the college adopted the following policy. This policy complements, and is supported by existing department data security policies at the college.

Table of Contents:

  1. Purpose
  2. Definitions
  3. Program Administration and Maintenance
  4. Identification of Red Flags
  5. Detecting Red Flags
  6. Responding to Red Flags and Mitigating Identity Theft
  7. Staff Training and Reporting
  8. Service Provider Arrangements

Section 1: Purpose

As required, WNC establishes an Identity Theft Program to detect, identify, and mitigate identity theft in the accounts covered under the Red Flag rules at the college.

  1. The college will incorporate relevant Red Flags into a policy to enable the college to detect and respond to potential identity theft.
  2. The college shall ensure that the policy is updated periodically to reflect changes in risks to customers or creditors or to the college from identity theft.

Section 2: Definitions

Pursuant to the Red Flag regulations at 16 C.F.R. 681.2, the following definitions apply to this policy:

  1. Identity theft is a fraud committed or attempted using the identifying information of another person without authority.
  2. Covered accounts
    1. Any University account maintained primarily for a student or related to a loan administered by the University, which involves multiple payments or transactions.
    2. Any University account for which there is a reasonably foreseeable risk from identify theft to customers.
  3. Red Flag is a pattern, practice, or specific activity that indicates the possible existence of identity theft.
  4. Identifying information: Any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including, but not limited to: name, address, telephone number, social security number, date of birth, government issued drivers license or identification number, alien registration number government passport number, employer or taxpayer identification number, unique electronic identification number (including student ID), computer Internet Protocol addresses or routing codes.
  5. Identification of a Responsible University Official
    1. The President designates the vice president of finance and administrative services as the Policy Administrator.
    2. The Policy Administrator shall exercise appropriate and effective oversight of the policy and shall report regularly to the President on the status of the policy.

Section 3: Program Administration and Maintenance

  1. The Policy Administrator is responsible for:
    1. Developing, implementing, and updating WNCs policy;
    2. Ensuring appropriate training of college staff on the policy;
    3. Reviewing staff reports regarding the detection of Red Flags;
    4. Reviewing steps for identifying, preventing, and mitigating identity theft;
    5. Determining appropriate prevention and mitigation steps to be taken in specific circumstances;
    6. Reviewing, evaluating, and promulgating periodic changes to the Policy based on:
      1. Changes in identity theft risks, detection, mitigation, and prevention methods
      2. Technological advances
      3. Colleges experiences with identity theft
      4. Changes in types of accounts the college maintains
      5. Changes in the colleges business arrangements with other entities
      6. Changes in legal requirements related to identity theft.

Section 4: Identification of Red Flags

The following are relevant Red Flags in each of the listed categories for which employees should be aware and diligent in monitoring:

  1. Notifications and warnings from credit reporting agencies
    1. Report of fraud accompanying a credit report;
    2. Notice or report from a credit agency of a credit freeze on a customer or applicant;
    3. Notice or report from a credit agency of an active duty alert for an applicant; and
    4. Indication from a credit report of activity that is inconsistent with a customers usual pattern or activity.
  2. Suspicious documents
    1. Identification document that appears to be forged, altered, or inauthentic;
    2. Identification document on which a persons photograph or physical description is inconsistent with the person presenting the document;
    3. Other document with information that is inconsistent with existing customer information (such as if a persons signature on a check appears forged); or
    4. Application for service that appears to have been altered or forged.
  3. Suspicious personal identifying information
    1. Identifying information presented that is inconsistent with other information the customer provides (example: inconsistent birth dates);
    2. Identifying information presented that is inconsistent with other sources of information (for instance, an address not matching an address on a credit report);
    3. Identifying information presented that is the same as information shown on other applications that were found to be fraudulent;
    4. Identifying information presented that is consistent with fraudulent activity (such as an invalid phone number or fictitious billing address);
    5. Social Security number presented that is the same as one given by another individual;
    6. An address or phone number presented that is the same as that of another person;
    7. A person fails to provide complete, personal identifying information on an application when reminded to do so (however, by law Social Security numbers may not be required in all instances); and
    8. A persons identifying information is inconsistent with the information that is on file for the customer.
  4. Suspicious account activity or unusual use of account
    1. Change of address for an account followed by a request to change the account holders name;
    2. Payments stop on an otherwise consistently up-to-date account;
    3. Account used in a way that is inconsistent with prior use (example: very high activity);
    4. Mail sent to the account holder is repeatedly returned as undeliverable;
    5. Notice to the college that a customer is not receiving mail sent by the institution;
    6. Notice to the college that an account has unauthorized activity;
    7. Breach in the colleges or NSHEs computer system security; and
    8. Unauthorized access to or use of customer account information.
  5. Alerts from others
    1. Notice to the college from an individual, identity theft victim, law enforcement, or other person who has opened or is maintaining a fraudulent account for a person engaged in identity theft.

Section 5: Detecting Red Flags

  1. New accounts
    1. College personnel will take the following steps to obtain and verify the identity of the person opening an account:
      1. Require personal identifying information such as name, date of birth, residential or business address, drivers license, or other identification;
      2. Verify customers identity (for instance, review a drivers license or other identification card);
      3. Independently contact the customer.
  2. Existing accounts
    1. College personnel will take the following steps to monitor transactions with an account:
      1. Verify the identification of customers if they request information (in person, via telephone, via facsimile, via email);
      2. Verify the validity of requests to change billing addresses; and
      3. Verify changes in banking information given for billing and payment purposes.

Section 6: Responding to Red Flags and Mitigating Identity Theft

  1. In the event college personnel detect identified Red Flags, such personnel shall take all appropriate steps to respond and to mitigate identity theft depending on the nature and degree of risk posed by the Red Flag, including but not limited to the following examples:
    1. Continue to monitor an account for evidence of Identity theft;
    2. Contact the individual;
    3. Change any passwords or other security devices that permit access to accounts;
    4. Not open a new account;
    5. Close an existing account;
    6. Reopen an account with a new number;
    7. Notify public safety and/or law enforcement; or
    8. Determine that no response is warranted under the particular circumstances.

Section 7: Staff Training and Reporting

  1. College employees responsible for implementing the Policy shall be trained in the detection of Red Flags, and the responsive steps to be taken when a Red Flag is detected.
  2. Appropriate staff shall provide reports to the Policy Administrator on incidents of identity theft, the effectiveness of the Policy, and the colleges compliance with the Policy.

Section 8: Service Provider Arrangements

  1. When the college engages a service provider to perform an activity in connection with one or more covered accounts, the college will take the following steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft:
    1. Require, by contract, that service providers have such policies and procedures in place; and
    2. Require, by contract, that any service providers review the colleges Policy and report any Red Flags to the Policy Administrator.

Date(s) Revised   Date(s) Reviewed