Policy Statement on the Family Educational Rights and Privacy Act of 1974, as Amended and Identity Theft Prevention Plan: Difference between pages

From Appalachian State University Policy Manual
Policy 105.3

== Introduction ==
1.1 Appalachian State University endorses and seeks to comply with all provisions of the "Family Educational Rights and Privacy Act of 1974," as amended, (“FERPA”) and all pertinent regulations. The purpose of this legislation was and is to afford students certain rights with regard to their respective education records. In essence, these rights are: (1) the right to inspect and review education records, (2) the opportunity to challenge the contents of education records, and (3) the right to exercise some control over the disclosure of information from education records. The intent of this policy statement is to explain, in detail, the conditions and procedures under which the University will implement the law.

== Scope ==
2.1 This policy applies to all students of Appalachian State University.

== Definitions ==

=== Student ===
:Any person who as an undergraduate or graduate student (1) is currently attending the University, or (2) has attended the University. (An exception: under common law, the privacy rights of an individual cease with the death of that individual.)

=== Education Records ===
:Any record (in handwriting, print, tapes, film, computer, or other medium) maintained by Appalachian State University and which personally identifies a student, except:
#A personal record kept by a University employee if it is kept in the sole possession of the maker of the record and is not accessible by or revealed to any other person except a temporary substitute for the maker of the record.
#Records created and maintained by Appalachian State University's Office of Public Safety/University Police solely for law enforcement purposes.
#An employment record of an individual whose employment is not contingent upon the fact that he or she is a student, provided that the record is used only in relation to the individual's employment.
#Records made or maintained by a physician, psychiatrist, psychologist, or other recognized professional or paraprofessional when that person is acting in his or her professional or paraprofessional capacity, and if the records are used solely for treatment of the student and made available only to those persons providing the treatment.
#Records which contain information about a student after he or she is no longer in attendance at Appalachian State University and which do not relate to the person as a student.

== Policy and Procedure Statements ==

=== Notification of Student Rights Under FERPA ===
4.1.1 Students at Appalachian State University are notified of their FERPA rights, as follows:
#An abstract of the student's rights under FERPA is found in Appalachian State University's General Bulletin and Graduate Bulletin.
#An abstract of the student's rights under FERPA is found in the Schedule of Classes published by Appalachian State University and distributed prior to and during each academic term. (This notice shall include statements required under U. S. Department of Education regulations found at 34 C.F.R. 99.7.)
#An abstract of the student's rights under FERPA is found in The Appalachian State University Student Handbook of Rights and Responsibilities (revised and published annually).
#A complete statement of the University policy regarding FERPA is found in and can be obtained from the Registrar's Office.

=== Procedure for the Inspection of Education Records ===
4.2.1 The Registrar's Office is designated by the University as the official custodian of education records.

4.2.2 A student should submit to the Registrar's Office a written request which identifies as precisely as possible the record or records he or she wishes to inspect.

4.2.3 The Registrar's Office will make the necessary arrangements for access and notify the student of the time and place where the records may be inspected. Access will be given in forty-five (45) days or less from the date of the request.

4.2.4 When a record contains information about more than one student, the student may inspect and review only that portion of the record which pertains directly to him or her.

=== Limitations on the Student's Right of Access ===
4.3.1 Appalachian State University will refuse access by the student to the following education records:
#A financial record submitted by the student's parents.
#Letters and statements of recommendation for which the student has waived his or her right of access (when used only for their intended purpose), or which were maintained before January 1, 1975.
#Records connected with an application to attend Appalachian State University if that application was denied.
#Those records which are excluded from the FERPA definition of education records.

=== Refusal to Provide Copies of Education Records ===
4.4.1 Appalachian State University may decline a student's request for a copy of his or her education records if the student has an unpaid financial obligation to the University. (Note: It is not the intent of this policy to deny the student access to his or her education records--the right to inspect and review education records is mandated by FERPA unconditionally. It is merely a statement of the condition under which the University will not provide a copy of the student's education records.)

=== Fees Charged for the Copying of Records ===
4.5.1 With the exception of an official academic transcript, Appalachian State University does not charge a fee for a copy of an education record. The charge for an official academic transcript is subject to change, and is governed by the schedule of fees in effect at the time of the request.

=== Types and Locations of Education Records ===
4.6.1 As previously noted, the Registrar's Office is designated as the official custodian of education records at Appalachian State University. All requests for inspection and review of education records, regardless of the nature of the record (i.e., academic, financial, etc.), should be directed to the Registrar's Office. Though not inclusive, the following list contains the primary categories of education records and their locations:
{| border="1"
|'''Types'''
|'''Responsible Officials/Locations'''
|-
|Admissions Records
|University Registrar
John E. Thomas Academic Support Services Building
|-
|Academic Records
|University Registrar
John E. Thomas Academic Support Services Building
|-
|Financial Records
|Director, Office of Student Accounts
John E. Thomas Academic Support Services Building
|-
|Placement Records
|Director, Career Development Center
John E. Thomas Academic Support Services Building
|-
|Academic Progress Records
|Maintained by the Dean of the College/School and the chairperson of the academic department in which the student has formally declared his or her major. If the student has not declared a major, these records are maintained by the Director, Office of General Studies, D. D. Dougherty Building
|-
|Disciplinary Records
|Director, Office of Student Conduct
Plemmons Student Union
|-
|Financial Aid Records
|Director, Office of Student Financial Aid
John E. Thomas Academic Support Services Building
|-
|Campus Housing Records
|Director, Office of Residence Life
John E. Thomas Academic Support Services Building
|-
|Extra-Curricular Records
|Director, Center for Student Involvement and Leadership
Plemmons Student Union
|-
|Records of Students as Athletes
|Director, Office of Athletic Media Relations
Broome-Kirk Gymnasium
|}

=== Disclosure of Education Records ===
4.7.1 Appalachian State University will disclose information from a student's education records only with the explicit written consent of the student, except that records may be disclosed without such consent when the disclosure is:
#To Appalachian State University officials who have a legitimate educational interest in the records.
#To officials of another educational institution in which the student seeks admission or intends to enroll, upon request by that institution.
#To certain officials of the U. S. Department of Education, the Comptroller General, and state and local educational authorities, in connection with an audit or evaluation of certain state or federally supported education programs, or for compliance with the legal requirements of such programs.
#In connection with a student's request for or receipt of financial aid -- i.e., in order to determine the eligibility, amount, or conditions of the financial aid, or to enforce the terms and conditions of the aid.
#To State and local officials or authorities if specifically required by a North Carolina law in effect on or before November 19, 1974.
#To organizations conducting certain studies for, or on behalf of, educational institutions (under conditions set forth in 34 C.F.R. 99.31[6]).
#To accrediting organizations for the purpose of enabling them to carry out their functions.
#To the parents of a student when the parents claim the student as a dependent for federal income tax purposes.
#To comply with a judicial order or a lawfully issued subpoena.
#To appropriate parties when necessary to protect the health or safety of the student or other individuals.
#To individuals or organizations requesting "Directory Information" so designated by Appalachian State University.
#The result of a disciplinary proceeding conducted by Appalachian State University against an alleged perpetrator of a "crime of violence" (as that term is defined in 18 U.S.C. 16) with respect to that crime of violence. The result may be disclosed only to the alleged victim of the crime and may be disclosed without the consent of the alleged perpetrator of the crime.
#To an individual or organization requesting information about a deceased student. (Note: Under common law, the privacy rights of an individual cease with the death of that individual.)

4.7.2 An Appalachian State University official is:
#a person employed by the University in an administrative, supervisory, academic, research or support staff position, including health and medical staff.
#a person employed by or under contract to Appalachian State University to perform a special task such as an attorney or auditor.
#a student serving on an official committee, such as a disciplinary or grievance committee, or who is assisting another school official in performing employment tasks.
#a person who is employed by Appalachian State University's Office of Public Safety/University Police.
#a member of the Appalachian State University Board of Trustees, acting in his or her official capacity.
#a representative of the General Administration of the University of North Carolina, acting in his or her official capacity.
#a member of the Board of Governors of the University of North Carolina, acting in his or her official capacity.
#A person or entity with a capability needed but not possessed by the University or its contractors and employed by such contractors with the consent of the University or otherwise authorized to perform a specific task involving University records or operations.

4.7.3 An Appalachian State University official has a legitimate educational interest if that official is:
#performing a task that is specified in his or her position description or contract agreement.
#performing a task related to a student's education.
#performing a task related to the discipline of a student.
#providing a service or benefit relating to the student or student's family, including, but not limited to, healthcare, counseling, job placement, or financial aid.
#maintaining the safety and security of the campus.

4.7.4 As of January 3, 2012, the U.S. Department of Education's FERPA regulations expand the circumstances under which a student’s education records and personally identifiable information (PII) contained in such records — including a student’s Social Security Number, grades, or other private information — may be accessed without the student’s consent. First, the U.S. Comptroller General, the U.S. Attorney General, the U.S. Secretary of Education, or state and local education authorities ("Federal and State Authorities") may allow access to a student’s records and PII without the student’s consent to any third party designated by a Federal or State Authority to evaluate a federal- or state-supported education program. The evaluation may relate to any program that is "principally engaged in the provision of education," such as early childhood education and job training, as well as any program that is administered by an education agency or institution. Second, Federal and State Authorities may allow access to a student’s education records and PII without the student’s consent to researchers performing certain types of studies, in certain cases even when the University objects to or does not request such research. Federal and State Authorities must obtain certain use-restriction and data security promises from the entities that they authorize to receive a student’s PII, but the Authorities need not maintain direct control over such entities.
In addition, in connection with Statewide Longitudinal Data Systems, State Authorities may collect, compile, permanently retain, and share without a student’s consent PII from the student’s education records, and they may track a student’s participation in education and other programs by linking such PII to other personal information about the student that they obtain from other Federal or State data sources, including workforce development, unemployment insurance, child welfare, juvenile justice, military service, and migrant student records systems.

=== Record of Requests for Disclosure ===
4.8.1 With the exceptions of (1) a request from a University official deemed to have a legitimate educational interest, and (2) a request for "Directory Information," Appalachian State University will maintain as part of the education record all written requests for and/or disclosures of information from a student's education records. This record will indicate the name of the party making the request, any additional party to whom it may be redisclosed, and the legitimate interest each party had in requesting or obtaining the information. (NOTE: With the exception of "Directory Information," any personal information from education records will be disclosed only on the condition that the recipient will not permit access to such information by a third party without the written permission of the student.)

=== Directory Information ===
4.9.1 Appalachian State University designates the following items as Directory Information: the student's name; local telephone listing; University Post Office box number; E-mail address; academic classification; enrollment status during a particular academic term (i.e., full-time or part-time); field(s) of study; dates of attendance; degrees, honors and awards received; participation in officially recognized activities and sports; weight, height, athletic statistics and photographic representations of members of athletic teams. The University will disclose any of these items without prior consent, unless instructed by the student in writing to the contrary. (Note: For "Directory Information" to be withheld, the student must submit a written request to the Registrar's Office. To be effective during a particular academic term, the request must be submitted by the date specified in the published Schedule of Classes for that academic term.)

=== Procedure for the Correction of Education Records ===
4.10.1 If a student believes that the education record is inaccurate, misleading, or otherwise in violation of his or her privacy rights, the student has the right to request that the record be corrected. Procedures for the correction of an education record at Appalachian State University are as follows:
#A student must contact the Registrar's Office, in writing, asking that a record be amended. In so doing, the student should clearly identify the part of the record to be amended and specify why the student believes it to be inaccurate, misleading, or otherwise in violation of the student's rights.
#The University, represented by the Registrar's Office and, if applicable, in consultation with the office that maintains the record in question, will decide either to comply or to not comply. If the University decides to comply, it will amend the record and notify the student, in writing, that the record has been amended. If the University decides to not comply, it will notify the student of the decision and advise the student of his or her right to a hearing to challenge the information believed to be inaccurate, misleading, or otherwise in violation of the student's rights.
#Upon receiving the student's written request, the University will arrange for a hearing and notify the student, in sufficient time, of the date, place, and time of the hearing.
#The hearing will be conducted by a hearing officer who is a disinterested party; the hearing officer may, however, be an official of the University. The student shall be afforded a full and fair opportunity to present evidence relevant to the issues raised in the original request to amend the student's education record. Present at the hearing will be the hearing officer, the student, a representative of the Registrar's Office and, if applicable, a representative of the University office in which the education record is maintained. The student may be assisted by one or more individuals, including (at the student's expense) an attorney.
#The hearing officer will prepare a written report which will include a recommendation to either comply or to not comply with the student's request. The report and recommendation will be based solely on the evidence presented at the hearing. The report will include a summary of the evidence presented and the reasons for the recommendation. The report will be transmitted to the Registrar's Office within ten (10) days of the hearing.
#If the recommendation of the hearing officer is to comply with the student's request, i.e., the report finds that the education record is inaccurate, misleading, or otherwise in violation of the student's right, the University will amend the record and notify the student, in writing, that the record has been amended.
#If the recommendation of the hearing officer is to not comply with the student's request, i.e., the report finds that the challenged information is not inaccurate, misleading, or otherwise in violation of the student's rights, the University will, in writing, so notify the student and inform the student that he or she has the right to place in the record a statement commenting on the challenged information and/or a statement setting forth reasons for disagreeing with the decision.

Policy 105.5

== Introduction ==

=== Program Adoption ===
1.1.1 As a best practice and using as a guide the Federal Trade Commission's Red Flags Rule (16 CFR Part 681, implementing Section 114 of the Fair and Accurate Credit Transactions Act of 2003, Public Law 108-159) and North Carolina General Statutes, Chapter 75, Article 2A, Appalachian State University (the "University") has developed an Identity Theft Prevention Program (the "Program") described below. This Program was developed with oversight and approval of the Board of Trustees of Appalachian State University (the "Board"). After consideration of the size and complexity of the University's operations and account systems, and the nature and scope of the University's activities, the Board determined that this Program was appropriate for the University, and approved it on September 24, 2010 (the "Effective Date"). The purpose of this Program is to detect, prevent and mitigate identity theft in connection with any covered account. This Program envisions the implementation of policies and procedures subject to the Chancellor's approval in order to achieve these goals.

== Scope ==
2.1 All University personnel whose employment duties require or allow access to identifying information of other employees or students are responsible for implementing this Program.

== Definitions ==

=== "Covered Account" ===
:any account that constitutes a continuing financial relationship or is designed to permit multiple payments or transactions between the University and a person for a service, such as extension of credit, debit cards, Perkins Loans, Federal Family Education Loan Program (FFELP), institutional loans, accounts covered by the Health Insurance Portability and Accountability Act (HIPAA), deposit accounts, scholarship accounts, student accounts, and tuition payment plans.
:any other account that the University offers or maintains for which there is a reasonably foreseeable risk to holders of the account or to the University from identity theft, such as use of consumer reports for employee background checks, credit applications and institutional debit card applications. This may include operations of utilities (e.g., New River Light & Power Company), clinical and research activities, and public service activities.

=== Identifying Information ===
:means any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including, but not limited to:
#name
#address
#telephone number
#social security number
#date of birth
#government-issued driver's license or identification number
#alien registration number
#government passport number
#employer or taxpayer identification number
#individual identification number
#computer's Internet Protocol address
#bank or other financial account routing code

=== Identity Theft ===
:means a fraud committed or attempted using the identifying information of another person without authority [16 CFR 603.2(a)].

=== Program Administrator ===
:means the individual designated with primary responsibility for oversight of this Program.

=== Red Flag ===
:means a pattern, practice, alert or specific activity that indicates the possible existence of identity theft.

=== Service Provider ===
:means a person or entity that provides a service directly to the University.

== Policy and Procedure Statements ==

=== Identification of Red Flags ===
4.1.1 In order to identify relevant red flags, the University considers the types of covered accounts it offers or maintains, the methods it provides to open its covered accounts, the methods it provides to access its covered accounts, and its previous experiences with identity theft. Red flags may be detected while implementing existing account opening and servicing procedures (example: individual identification, caller authentication, third party authorization, and address changes).

4.1.2 The University identifies the following as red flags in each of the listed categories:

#Notifications and warnings from consumer reporting agencies
##Report of fraud accompanying a credit report;
##Notice or report from a credit agency of a credit freeze on an applicant;
##Notice or report from a credit agency of an active duty alert for an applicant;
##Receipt of a notice of address discrepancy in response to a credit report request; and
##Indication from a credit report of activity that is inconsistent with an applicant's usual pattern or activity
#Suspicious documents
##Identification document or card that appears to be forged, altered or inauthentic;
##Identification document or card on which a person's photograph or physical description is not consistent with the person presenting the document;
##Other document with information that is not consistent with existing individual information; and
##Application that appears to have been altered or forged.
#Suspicious personal identifying information
##Identifying information that is inconsistent with other information the individual provides (example: inconsistent birth dates);
##Identifying information that is inconsistent with other sources of information (example: an address not matching an address on a loan application);
##Identifying information that is the same as information shown on other applications that were found to be fraudulent;
##Identifying information that is consistent with fraudulent activity (examples: an invalid phone number or fictitious billing address);
##Social security number that is the same as one given by another individual;
##An address or phone number that is the same as that of another person;
##A person fails to provide complete personal identifying information on an application when reminded to do so; and
##A person's identifying information is not consistent with the information that is on file for the individual.
#Suspicious covered account activity
##Change of address for an account followed by a request to change the individual's name;
##Payments stop on an otherwise consistently up-to-date account;
##Account used in a way that is not consistent with prior use;
##Mail sent to the individual is repeatedly returned as undeliverable;
##Notice to the University that an individual is not receiving mail sent by the University;
##Notice to the University that an account has unauthorized activity;
##Breach in the University's computer system security; and
##Unauthorized access to or use of individual account information.
#Alerts from others
##Notice to the University from an identity theft victim, law enforcement officer or other person that the University has opened or is maintaining a fraudulent account for a person engaged in identity theft.

=== Detection of Red Flags ===

==== Student Enrollment ====
4.2.1.1 In order to detect any of the red flags identified above associated with the enrollment of a student, University personnel shall take the following steps to obtain and verify the identity of the person opening the account:
#Require certain identifying information such as name, date of birth, academic records, home address or other identification; and
#Verify the individual's identity at time of issuance of individual identification card (example: review of driver's license or other government-issued photo identification).

==== New Customers or Clients ====
4.2.2.1 In order to detect any of the red flags identified above associated with service to a new customer or client, University personnel shall take the following steps to obtain and verify the identity of the person opening the account:
#Require certain identifying information such as name, date of birth, academic records, home address or other identification; and
#Verify the individual's identity at time of issuance of individual identification card (example: review of driver's license or other government-issued photo identification).

==== Existing Accounts ====
4.2.3.1 In order to detect any of the red flags identified above for an existing covered account, University personnel shall take the following steps to monitor transactions on an account:
#Verify the identification of individuals if they request information (in person, via telephone, via facsimile, via email);
#Verify the validity of requests to change billing addresses by mail or email and provide the individual a reasonable means of promptly reporting incorrect billing address changes; and
#Verify changes in banking information given for billing and payment purposes.

==== Consumer ("Credit") Report Requests ====
In order to detect any of the red flags identified above in regard to an employment or volunteer position for which a credit or background report is sought, University personnel shall take the following steps to assist in identifying address discrepancies:
#Require written verification from any applicant that the address provided by the applicant is accurate at the time the request for the credit report is made to the consumer reporting agency; and
#In the event that notice of an address discrepancy is received, verify that the credit or background report pertains to the applicant for whom the requested report was made and report to the consumer reporting agency an address for the applicant that the University has reasonably confirmed is accurate.

=== Response to Red Flags ===
4.3.1 Once potentially fraudulent activity is detected, an employee must act promptly to protect individuals and the University from damages and loss. At a minimum, the employee must gather all related documentation, write a description of the situation, and present this information to the program administrator.

4.3.2 The program administrator will complete additional investigation if necessary to determine whether the attempted transaction was fraudulent or authentic.

4.3.3 If a transaction is determined to be fraudulent, appropriate actions must be taken immediately. Actions may include (1) canceling the transaction; (2) notifying and cooperating with appropriate law enforcement personnel; (3) determining the extent of liability of the University; and (4) notifying the individual upon whom fraud has been attempted or whose identifying information has been subjected to a security breach.

=== Prevention and Mitigation of Identity Theft ===
In the event University personnel detect any identified red flags, such personnel shall take one or more of the following steps to prevent and mitigate identity theft, depending on their determination of the degree of risk posed by the red flag:
#Continue to monitor a covered account for evidence of identity theft;
#Contact the individual or applicant (for whom a credit or background report was run);
#Change any passwords or other security devices that permit access to covered accounts;
#Refuse to open a new covered account;
#Provide the individual with a new individual identification number;
#Notify the program administrator for determination of the appropriate step(s) to take;
#Notify appropriate law enforcement personnel;
#File or assist in filing a Suspicious Activity Report ("SAR") with the Financial Crimes Enforcement Network, United States Department of the Treasury; and/or
#Determine that no response is warranted under the particular circumstances.

==== Protect Identifying Information ====
In order to further prevent the likelihood of identity theft occurring with respect to covered accounts, the University will take the following steps to protect individual identifying information:
#Ensure that its website is secure or provide clear notice that the website is not secure;
#Ensure complete and secure destruction of paper documents and computer files containing individual account information when a decision has been made to no longer maintain such information;
#Ensure that office computers with access to covered account information are password protected;
#Ensure that laptops are password protected and encrypted;
#Avoid use of social security numbers;
#Ensure the security of the physical facility that contains covered account information;
#Ensure that transmission of information is limited and encrypted when necessary;
#Ensure computer virus protection is up to date; and
#Require and keep only the kinds of individual identifying information that is necessary for University purposes.

=== Additional Identity Theft Prevention Measures ===

==== Hard Copy Distribution ====
Each employee and contractor performing work for the University will comply with the following procedures:
#File cabinets, desk drawers, overhead cabinets, and any other storage space containing documents with identifying information will be locked when not in use.
#Storage rooms containing documents with identifying information and record retention areas will be locked at the end of each workday or when unsupervised.
#Desk workstations, work areas, printers and fax machines, and common shared work areas will be cleared of all documents containing identifying information when not in use.
#Whiteboards, dry-erase boards, writing tablets, and other writing surfaces in common shared work areas will be erased, removed, or shredded when not in use.
#When documents containing identifying information are discarded, they will be placed inside a locked shred bin or immediately shredded using a mechanical cross cut or Department of Defense-approved shredding device. Locked shred bins are labeled "Confidential paper shredding and recycling."

=== Program Administration ===

==== Oversight ====
The responsibility for developing, implementing and updating this Program lies with the program administrator designated by the Chancellor. The program administrator shall be responsible for ensuring appropriate training of University staff on the Program, for reviewing any staff reports regarding the detection of red flags and the steps for preventing and mitigating identity theft, determining which steps of prevention and mitigation should be taken in particular circumstances and considering periodic changes to the Program.

==== Staff Training ====
University employees responsible for implementing the Program shall be trained under the direction of the program administrator in the detection of red flags and the responsive steps to be taken when a red flag is detected.

==== Reports ====
Appropriate staff shall report to the program administrator at least annually on compliance with this Program. The report shall address matters such as the effectiveness of the policies and procedures of the University in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts; service provider arrangements; significant incidents involving identity theft and the University's response; and recommendations for material changes to the Program.

==== Service Provider Arrangements ====
In the event the University engages a service provider to perform an activity in connection with one or more covered accounts, the University will take the following steps to ensure the service provider performs its obligations in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft, including the following:
#The student's statement will be maintained as part of his or her education record as long as the contested portion is maintained. If the University discloses the contested portion of the record, it will also disclose the student's statement.


=== Procedure for Filing an Official Complaint ===
#Require, by signed contract, that service providers have such policies and procedures in place; and
#Require, by signed contract, that service providers review the University's Program and report any red flags to the program administrator.


4.11.1 If the student believes that Appalachian State University is in error in its interpretation of FERPA, he or she may file a complaint with:
==== Program Updates ====
[http://www2.ed.gov/policy/gen/guid/fpco/index.html The Family Policy Compliance Office],U. S. Department of Education, 600 Independence Avenue, SW, Washington, DC 20202-4605, Telephone Number: (202) 260-3887, FAX: (202) 260-9001
The program administrator shall review and update this Program at least annually to reflect changes in risks to individuals and the University from identity theft. In doing so, the program administrator shall consider the University's experiences with identity theft situations, changes in identity theft methods, changes in identity theft detection and prevention methods, and changes in the University's business arrangements with other entities.


== Additional References ==
== Additional References ==
This Program incorporates by reference the following policies and procedures:
#[http://policy.appstate.edu/Use_of_Computers_and_Data_Communications Policy on the Use of Computers and Data Communication]
#[http://www.nss.appstate.edu/standards/open-servers-vlan-policy Computer Systems Security Policy]
#[http://policy.appstate.edu/Remote_Access_Policy University Remote Access Policy]
#[http://www.nss.appstate.edu/standards/trusted-access-policy Trusted Access Policy]
#[http://www.nss.appstate.edu/standards/risk-assessment-policy Risk Assessment Policy]
#[http://www.nss.appstate.edu/standards/vpn-policy Virtual Private Network (VPN) Policy]
#[http://www.nss.appstate.edu/standards/wireless-networking-policy Wireless Networking Policy]
#[http://www.nss.appstate.edu/standards/wireless-trusted-network-policy Wireless to Trusted Network Policy]
#[https://password.appstate.edu/pswdchgform/Confidentiality_Policy.aspx Confidentiality Statement]


== Authority ==
== Authority ==


16 CFR Part 681
Fair and Accurate Credit Transactions Act of 2003, Public Law 108-159
North Carolina General Statutes, Chapter 75, Article 2A


== Contact Information ==
== Contact Information ==
Line 174: Line 208:


== Revision Dates ==
== Revision Dates ==
[[Category:Contents]]
[[Category:Governance and Administration]]
[[Category:Records]]

Revision as of 20:27, 19 March 2014

Policy 105.5

Introduction

Program Adoption

1.1.1 As a best practice and using as a guide the Federal Trade Commission's Red Flags Rule (16 CFR Part 681, implementing Section 114 of the Fair and Accurate Credit Transactions Act of 2003, Public Law 108-159) and North Carolina General Statutes, Chapter 75, Article 2A, Appalachian State University (the "University") has developed an Identity Theft Prevention Program (the "Program") described below. This Program was developed with oversight and approval of the Board of Trustees of Appalachian State University (the "Board"). After consideration of the size and complexity of the University's operations and account systems, and the nature and scope of the University's activities, the Board determined that this Program was appropriate for the University, and approved it on September 24, 2010 (the "Effective Date"). The purpose of this Program is to detect, prevent and mitigate identity theft in connection with any covered account. This Program envisions the implementation of policies and procedures subject to the Chancellor's approval in order to achieve these goals.

Scope

2.1 All University personnel whose employment duties require or allow access to identifying information of other employees or students are responsible for implementing this Program.

Definitions

"Covered Account" means:

  1. any account that constitutes a continuing financial relationship or is designed to permit multiple payments or transactions between the University and a person for a service, such as extension of credit, debit cards, Perkins Loans, Federal Family Education Loan Program (FFELP), institutional loans, accounts covered by the Health Insurance Portability and Accountability Act (HIPAA), deposit accounts, scholarship accounts, student accounts, and tuition payment plans.
  2. any other account that the University offers or maintains for which there is a reasonably foreseeable risk to holders of the account or to the University from identity theft, such as use of consumer reports for employee background checks, credit applications and institutional debit card applications. This may include operations of utilities (e.g., New River Light & Power Company), clinical and research activities, and public service activities.

Identifying Information

means any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including, but not limited to:
  1. name
  2. address
  3. telephone number
  4. social security number
  5. date of birth
  6. government-issued driver's license or identification number
  7. alien registration number
  8. government passport number
  9. employer or taxpayer identification number
  10. individual identification number
  11. computer's Internet Protocol address
  12. bank or other financial account routing code

Identity Theft

means a fraud committed or attempted using the identifying information of another person without authority [16 CFR 603.2(a)].

Program Administrator

means the individual designated with primary responsibility for oversight of this Program.

Red Flag

means a pattern, practice, alert or specific activity that indicates the possible existence of identity theft.

Service Provider

means a person or entity that provides a service directly to the University.

Policy and Procedure Statements

Identification of Red Flags

4.1.1 In order to identify relevant red flags, the University considers the types of covered accounts it offers or maintains, the methods it provides to open its covered accounts, the methods it provides to access its covered accounts, and its previous experiences with identity theft. Red flags may be detected while implementing existing account opening and servicing procedures (example: individual identification, caller authentication, third party authorization, and address changes).

4.1.2 The University identifies the following as red flags in each of the listed categories:

  1. Notifications and warnings from consumer reporting agencies
    1. Report of fraud accompanying a credit report;
    2. Notice or report from a credit agency of a credit freeze on an applicant;
    3. Notice or report from a credit agency of an active duty alert for an applicant;
    4. Receipt of a notice of address discrepancy in response to a credit report request; and
    5. Indication from a credit report of activity that is inconsistent with an applicant's usual pattern or activity
  2. Suspicious documents
    1. Identification document or card that appears to be forged, altered or inauthentic;
    2. Identification document or card on which a person's photograph or physical description is not consistent with the person presenting the document;
    3. Other document with information that is not consistent with existing individual information; and
    4. Application that appears to have been altered or forged.
  3. Suspicious personal identifying information
    1. Identifying information that is inconsistent with other information the individual provides (example: inconsistent birth dates);
    2. Identifying information that is inconsistent with other sources of information (example: an address not matching an address on a loan application);
    3. Identifying information that is the same as information shown on other applications that were found to be fraudulent;
    4. Identifying information that is consistent with fraudulent activity (examples: an invalid phone number or fictitious billing address);
    5. Social security number that is the same as one given by another individual;
    6. An address or phone number that is the same as that of another person;
    7. A person fails to provide complete personal identifying information on an application when reminded to do so; and
    8. A person's identifying information is not consistent with the information that is on file for the individual.
  4. Suspicious covered account activity
    1. Change of address for an account followed by a request to change the individual's name;
    2. Payments stop on an otherwise consistently up-to-date account;
    3. Account used in a way that is not consistent with prior use;
    4. Mail sent to the individual is repeatedly returned as undeliverable;
    5. Notice to the University that an individual is not receiving mail sent by the University;
    6. Notice to the University that an account has unauthorized activity;
    7. Breach in the University's computer system security; and
    8. Unauthorized access to or use of individual account information.
  5. Alerts from others
    1. Notice to the University from an identity theft victim, law enforcement officer or other person that the University has opened or is maintaining a fraudulent account for a person engaged in identity theft.

Detection of Red Flags

Student Enrollment

4.2.1.1 In order to detect any of the red flags identified above associated with the enrollment of a student, University personnel shall take the following steps to obtain and verify the identity of the person opening the account:

  1. Require certain identifying information such as name, date of birth, academic records, home address or other identification; and
  2. Verify the individual's identity at time of issuance of individual identification card (example: review of driver's license or other government-issued photo identification).

New Customers or Clients

4.2.2.1 In order to detect any of the red flags identified above associated with service to a new customer or client, University personnel shall take the following steps to obtain and verify the identity of the person opening the account:

  1. Require certain identifying information such as name, date of birth, academic records, home address or other identification; and
  2. Verify the individual's identity at time of issuance of individual identification card (example: review of driver's license or other government-issued photo identification).

Existing Accounts

4.2.3.1 In order to detect any of the red flags identified above for an existing covered account, University personnel shall take the following steps to monitor transactions on an account:

  1. Verify the identification of individuals if they request information (in person, via telephone, via facsimile, via email);
  2. Verify the validity of requests to change billing addresses by mail or email and provide the individual a reasonable means of promptly reporting incorrect billing address changes; and
  3. Verify changes in banking information given for billing and payment purposes.

Consumer ("Credit") Report Requests

In order to detect any of the red flags identified above in regard to an employment or volunteer position for which a credit or background report is sought, University personnel shall take the following steps to assist in identifying address discrepancies:

  1. Require written verification from any applicant that the address provided by the applicant is accurate at the time the request for the credit report is made to the consumer reporting agency; and
  2. In the event that notice of an address discrepancy is received, verify that the credit or background report pertains to the applicant for whom the requested report was made and report to the consumer reporting agency an address for the applicant that the University has reasonably confirmed is accurate.

Response to Red Flags

4.3.1 Once potentially fraudulent activity is detected, an employee must act promptly to protect individuals and the University from damages and loss. At a minimum, the employee must gather all related documentation, write a description of the situation, and present this information to the program administrator.

4.3.2 The program administrator will complete additional investigation if necessary to determine whether the attempted transaction was fraudulent or authentic.

4.3.3 If a transaction is determined to be fraudulent, appropriate actions must be taken immediately. Actions may include (1) canceling the transaction; (2) notifying and cooperating with appropriate law enforcement personnel; (3) determining the extent of liability of the University; and (4) notifying the individual upon whom fraud has been attempted or whose identifying information has been subjected to a security breach.

Prevention and Mitigation of Identity Theft

In the event University personnel detect any identified red flags, such personnel shall take one or more of the following steps to prevent and mitigate identity theft, depending on their determination of the degree of risk posed by the red flag:

  1. Continue to monitor a covered account for evidence of identity theft;
  2. Contact the individual or applicant (for whom a credit or background report was run);
  3. Change any passwords or other security devices that permit access to covered accounts;
  4. Refuse to open a new covered account;
  5. Provide the individual with a new individual identification number;
  6. Notify the program administrator for determination of the appropriate step(s) to take;
  7. Notify appropriate law enforcement personnel;
  8. File or assist in filing a Suspicious Activity Report ("SAR") with the Financial Crimes Enforcement Network, United States Department of the Treasury; and/or
  9. Determine that no response is warranted under the particular circumstances.

Protect Identifying Information

In order to further prevent the likelihood of identity theft occurring with respect to covered accounts, the University will take the following steps to protect individual identifying information:

  1. Ensure that its website is secure or provide clear notice that the website is not secure;
  2. Ensure complete and secure destruction of paper documents and computer files containing individual account information when a decision has been made to no longer maintain such information;
  3. Ensure that office computers with access to covered account information are password protected;
  4. Ensure that laptops are password protected and encrypted;
  5. Avoid use of social security numbers;
  6. Ensure the security of the physical facility that contains covered account information;
  7. Ensure that transmission of information is limited and encrypted when necessary;
  8. Ensure computer virus protection is up to date; and
  9. Require and keep only the kinds of individual identifying information that is necessary for University purposes.

Additional Identity Theft Prevention Measures

Hard Copy Distribution

Each employee and contractor performing work for the University will comply with the following procedures:

  1. File cabinets, desk drawers, overhead cabinets, and any other storage space containing documents with identifying information will be locked when not in use.
  2. Storage rooms containing documents with identifying information and record retention areas will be locked at the end of each workday or when unsupervised.
  3. Desk workstations, work areas, printers and fax machines, and common shared work areas will be cleared of all documents containing identifying information when not in use.
  4. Whiteboards, dry-erase boards, writing tablets, and other writing surfaces in common shared work areas will be erased, removed, or shredded when not in use.
  5. When documents containing identifying information are discarded, they will be placed inside a locked shred bin or immediately shredded using a mechanical cross cut or Department of Defense-approved shredding device. Locked shred bins are labeled "Confidential paper shredding and recycling."

Program Administration

Oversight

The responsibility for developing, implementing and updating this Program lies with the program administrator designated by the Chancellor. The program administrator shall be responsible for ensuring appropriate training of University staff on the Program, for reviewing any staff reports regarding the detection of red flags and the steps for preventing and mitigating identity theft, determining which steps of prevention and mitigation should be taken in particular circumstances and considering periodic changes to the Program.

Staff Training

University employees responsible for implementing the Program shall be trained under the direction of the program administrator in the detection of red flags and the responsive steps to be taken when a red flag is detected.

Reports

Appropriate staff shall report to the program administrator at least annually on compliance with this Program. The report shall address matters such as the effectiveness of the policies and procedures of the University in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts; service provider arrangements; significant incidents involving identity theft and the University's response; and recommendations for material changes to the Program.

Service Provider Arrangements

In the event the University engages a service provider to perform an activity in connection with one or more covered accounts, the University will take the following steps to ensure the service provider performs its obligations in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft, including the following:

  1. Require, by signed contract, that service providers have such policies and procedures in place; and
  2. Require, by signed contract, that service providers review the University's Program and report any red flags to the program administrator.

Program Updates

The program administrator shall review and update this Program at least annually to reflect changes in risks to individuals and the University from identity theft. In doing so, the program administrator shall consider the University's experiences with identity theft situations, changes in identity theft methods, changes in identity theft detection and prevention methods, and changes in the University's business arrangements with other entities.

Additional References

This Program incorporates by reference the following policies and procedures:

  1. Policy on the Use of Computers and Data Communication
  2. Computer Systems Security Policy
  3. University Remote Access Policy
  4. Trusted Access Policy
  5. Risk Assessment Policy
  6. Virtual Private Network (VPN) Policy
  7. Wireless Networking Policy
  8. Wireless to Trusted Network Policy
  9. Confidentiality Statement

Authority

16 CFR Part 681

Fair and Accurate Credit Transactions Act of 2003, Public Law 108-159

North Carolina General Statutes, Chapter 75, Article 2A

Contact Information

Effective Date

Revision Dates