Identity Theft Prevention Policy and Program
In November 2007, the Federal Trade Commission (“FTC”) and Federal banking agencies issued a regulation known as the “Identity Theft Red Flag Rule.” The intent of the Rule is to prevent the unauthorized acquisition or use of personal information. Under the Rule, Seton Hall University (“Seton Hall” or the “University”) is required to establish an identity theft prevention program tailored to the size, complexity and nature of the University’s operations. The Rule will be enforced as of June 1, 2010.
- “Identity Theft” is a fraud committed or attempted using the identifying information of another person without authority.
- “Red Flag” is a pattern, practice or specific activity that indicates the possible existence of Identity Theft.
- “Covered Account” is an account maintained primarily for personal or family purposes that involves or is designed to permit multiple payments or transactions and includes all student accounts, such as tuition payment plans and meal and/or flex plan accounts that are administered by the University.
- “Identifying information” is any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including credit card information, social security numbers, payroll information, personal and student identification numbers, financial aid information, date of birth, driver’s license number, alien registration number, as well as a computer’s Internet Protocol address or routing code.
- Scope of Policy
This policy applies to all University employees, faculty, students and University vendors or other service providers that have, or are granted access to, “covered accounts” and/or “identifying information” of an individual, as defined in this policy.
- Policy Statement and Purpose
The purpose of this policy is to establish an Identity Theft Prevention Program (the “Program”) designed to prevent, detect and minimize the risk of identity theft in connection with the opening of a covered account or an existing covered account and to provide for the continued administration of the Program. The Program will ensure that there are adequate controls in place to secure identifying information and to address any instances of identity theft through a covered account. The Program will identify who has the responsibility for periodic review of these procedures. This policy and Program are separate and apart from Information Technology data security policies. The Program shall:
- Identify relevant red flags for covered accounts that are offered by the University.
- Have systems and adequate controls in place to detect red flags.
- Immediately and appropriately respond to the red flags to prevent or mitigate identity theft.
- Ensure the Program is updated periodically to reflect changes in risks to students, employees and third parties and to the safety of the creditor from identity theft.
- Incorporate existing policies and procedures, as appropriate, that control reasonably foreseeable risks and breaches of security.
Anyone who maintains or accesses identifying information on behalf of the University is responsible for using that information in compliance with all applicable federal and state laws and regulations and University policies.
- Departments Involved
Although not exhaustive, this listing identifies numerous University departments that have Covered Accounts or access to identifying information:
- Financial Aid
- Information Technology
- Human Resources
- Public Safety
- Accounts Payable
- Health Services/Counseling Services
- Business Affairs
- University Advancement
- Grants and Research
- Office of the Controller
- Career Services
- Office of International Programs
- Campus ID
- Housing and Residence Life
- Athletics Department
- Community Development
- All schools and colleges that conduct background checks on students in connection with clinical placements
- Identifying Red Flags
Although not exhaustive, this listing identifies several major Red Flags:
- A covered account, credit card number or ID number that has been inactive for an extended period of time is reactivated.
- A request for an additional or replacement ID card (student, employee, faculty member or contractor) is received within 30 days after a change of address has been processed.
- Alerts, notifications or warnings received from a consumer reporting agency (Experian, Equifax and TransUnion).
- An address on the presented documentation does not match the address on file with the University.
- Documents provided for identification have been altered or forged.
- Mail sent to an individual or organization is repeatedly returned as “undeliverable” although transactions continue in connection with the covered account.
- Photo or personal description provided is not consistent with readily accessible information on file with the University.
- The social security number, employee identification number or student identification number is the same as that submitted by another individual.
- Detecting Red Flags
Although not exhaustive, this list sets out steps that can be taken in order to detect Red Flags:
- Verify identification for any student, faculty or staff requesting services.
- Verify that the picture on the identification provided matches the appearance of the individual presenting the identification.
- Verify that the information on the identification is consistent with other information on file at the University, particularly on the customer’s account.
- Notify the Compliance Office if an account is used in a manner not consistent with regular patterns of activity.
- Call or e-mail the customer if mail addressed to the customer is returned twice as “undeliverable” although transactions continue to be conducted with their account.
- Notify the Compliance Office if an account has three (3) different address changes in the past 90 days.
- Do not provide any information to an individual claiming to be the victim of identity theft without them providing evidence of a police case number or an FTC affidavit of identity theft. If an individual needs assistance of this type, the request must be in writing with a detailed description of the information requested as well as proof of positive identification and proof of a claim of identity theft (police report or FTC affidavit).
- Preventing and Mitigating Identity Theft
When potentially fraudulent activity is detected, action must be taken as soon as possible by appropriate University officials/Program administrators in order to protect the injured party or parties and limit their financial exposure. The response will be commensurate with the degree of risk posed and may include the following:
- Gather all related documentation and write a description of the alleged fraudulent activity. Provide the narrative and information to the designated unit manager and the Compliance Office. The manager and Compliance Office will attempt to determine if the activity is fraudulent or legitimate.
- Deny access to the covered account until other information is available to eliminate the red flag.
- Contact the injured party (student, employee, faculty member or contractor) whose identifying information may have been compromised as a result of the fraudulent activity.
- Change any passwords or security codes that allow access to the covered account(s).
- Determine the extent of liability to Seton Hall University and the injured party.
- Determine if an institutional response to the community is warranted in connection with the alleged fraudulent activity.
- Immediately notify the appropriate law enforcement agency, if warranted.
- Program Administration
The University’s Compliance Office will be responsible for implementing this Program and providing updates to the University. The managers of each of the primary departments are responsible for ensuring that their staffs are properly trained and aware of any changes in the identification of Red Flag indicators or corrective responses. In addition, departments are responsible for reporting any suspected or confirmed violations to the Compliance Office as soon as possible. The program will be audited annually by the University’s Internal Audit Department.
- Employee Professional Development
University employees involved in the implementation and operation of the Identity Theft Program must be trained. This training should address the identification and detection of any Red Flags and the correct institutional response in compliance with the law and best practices. All training will be conducted by representatives from the Human Resources Department.
- Program Review and Update
The Identity Theft Prevention Program will be reviewed and updated annually to reflect changes in the risk to employees, students and third party individuals/organizations. The Compliance Office shall prepare a report for the Executive Vice President that addresses the risk of identity theft, describes any significant incidents involving identity theft during the fiscal year and the institutional response and makes any recommendations for changes to the Program which are in compliance with the law and best practices.
- Disciplinary Action
Employees who violate this policy and the Identity Theft Prevention Program may be subject to disciplinary action, up to and including termination of employment.
Approved by Monsignor Robert Sheeran on the recommendation of the Executive Cabinet on April 23, 2009.
Approved by the Board of Regents on the recommendation of Monsignor Robert Sheeran on June 23, 2009.
- Effective Date
June 23, 2009
Division of Finance