Syracuse University has established this institutional policy in compliance with the provisions of the Federal Trade Commission’s (“FTC”) rules on Identity Theft Red Flags and Address Discrepancies under the “Fair and Accurate Credit Transactions Act of 2003”. This policy is intended to establish a program to detect, prevent and mitigate identity theft in connection with the opening and/or maintenance of accounts covered by the FTC’s rules in this area.
This policy is to be considered in conjunction with the University’s existing policies that protect financial accounts and related sensitive information maintained by the University.
Red Flags: A pattern, practice or specific activity that indicates the possible existence of identity theft. For the University’s purposes, Red Flags may include but are not limited to: alerts, notifications or other warnings received from consumer reporting agencies or from service providers, such as fraud detection services or third-party entities who have access to University-maintained information, such as student loan administrators or banks; suspicious documents; suspicious personal identifying information; unusual activity in covered accounts; or notices from students, employees, or law enforcement authorities regarding identity theft.
Account: A continuing relationship established by a person with the University to obtain products or services for personal, family, household, or business purposes.
Service Provider: A person or entity which provides services to the University.
Covered Account: Any account which the University offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions or any other account that the University offers or maintains for which there is a reasonably foreseeable risk to account holders or to the University’s financial soundness for identity theft.
Identity Theft Program:
- Identifying Red Flags. The University will consider the following factors in identifying Red Flags for covered accounts:
  - The types of covered accounts which the University offers and/or maintains
  - The methods the University uses to open accounts
  - The methods the University allows to access its covered accounts
  - Any previous problems with identity theft involving University accounts.
- Detecting Red Flags. The University’s procedure for detecting Red Flags in connection with the opening of and access to covered accounts is as follows:
  - The University will obtain identifying information about and will verify the identity of any person opening a covered account at the University.
  - The University will monitor transactions and other types of access to covered accounts and will also verify change of address requests in connection with covered accounts.
- Preventing and Mitigating Identity Theft.
  - Each University department will develop standards for handling Red Flags on covered accounts. The standard will provide initially for a risk assessment of the Red Flags.
  - Upon completion of a risk assessment, each University department will notify the holder of a covered account and will implement any necessary enhanced security measures, including but not limited to account closure.
- Service Providers. The University will require all service providers who have access to covered account information to comply with this policy.
- Annual Reporting. The Director of Audit and Management Advisory Services will annually report to the Audit Committee of the Board of Trustees regarding the University’s compliance with this policy.
- Updating the Program. The University will periodically update this policy and the Program to reflect its experience with identity theft, changes in the University’s business practices, and updates in technology and methodology.
Links to Procedures and Related Information
- Access to Computerized Financial Data
- Fraudulent Activities, Prohibition of
- Payroll Authorization and Payroll Records
- Compliance with the Family Educational Rights and Privacy Act (FERPA)
- HIPAA, Compliance with Health Insurance Portability and Accountability Act
- HIPAA Compliance, Student Medical Records
- ID Card Policy
- Regulatory/Agency Inspections and Requests for Information
- Release of Student Information to Third Parties
- Student Contact Information Policy
- Access to HR Data
- Information Technology
Date: May 12, 2010