Policy Manual and Identity Theft Prevention Plan: Difference between pages

From Appalachian State University Policy Manual
(Difference between pages)
imported>Mcnaneym
 
>Hildebranwl
 
Line 1: Line 1:
__NOTOC__
Policy 105.3
Welcome to the Appalachian State University Online Policy Manual. These policies and procedures are periodically updated or revised. Efforts are made to keep this online version current. If any questions arise about the authenticity of the online version, please contact the Office of General Counsel (828-262-2751). In the event of any discrepancy between the online version and printed documents approved by the Chancellor, the printed documents shall govern. Departments have forms on their web pages and at the [https://www.webapp.appstate.edu/electronicforms/newdefault.asp ASU Electronic Forms page]. Many departments have provided the forms related to the associated policies and procedures in Portable Document Format (.pdf). To view PDF documents, you must have Acrobat Reader installed on your computer. [http://get.adobe.com/reader/ Acrobat Reader] is available from Appalachian State University's application explorer icon on university-owned computers.
== Introduction ==
=== Program Adoption ===
1.1.1 As a best practice and using as a guide the Federal Trade Commission's Red Flags Rule (16 CFR Part 681, implementing Section 114 of the Fair and Accurate Credit Transactions Act of 2003, Public Law 108-159) and North Carolina General Statutes, Chapter 75, Article 2A, Appalachian State University (the "University") has developed an Identity Theft Prevention Program (the "Program") described below. This Program was developed with oversight and approval of the Board of Trustees of Appalachian State University (the "Board"). After consideration of the size and complexity of the Universitys operations and account systems, and the nature and scope of the Universitys activities, the Board determined that this Program was appropriate for the University, and approved it on September 24, 2010 (the "Effective Date"). The purpose of this Program is to detect, prevent and mitigate identity theft in connection with any covered account. This Program envisions the implementation of policies and procedures subject to the Chancellor's approval in order to achieve these goals.


Comments, suggestions or questions regarding the Policy Manual should be directed to the Office of General Counsel at [email protected] or to the department with primary responsibility for implementation.
== Scope ==
2.1 All University personnel whose employment duties require or allow access to identifying information of other employees or students are responsible for implementing this Program.


== Definitions  ==


''':NOTE:  For purposes of all Appalachian State University policies, references to SPA (subject to the State Personnel Act [former terminology]) shall be interchangeable with SHRA (subject to the State Human Resources Act [current terminology]); and references to EPA (exempt from the State Personnel Act [former terminology]) shall be interchangeable with EHRA (exempt from the State Human Resources Act [current terminology]).'''
=== "Covered Account"  ===
:Any account that constitutes a continuing financial relationship or is designed to permit multiple payments or transactions between the University and a person for a service, such as extension of credit, debit cards, Perkins Loans, Federal Family Education Loan Program (FFELP), institutional loans, accounts covered by the Health Insurance Portability and Accountability Act (HIPAA), deposit accounts, scholarship accounts, student accounts, and tuition payment plans.  


:Any other account that the University offers or maintains for which there is a reasonably foreseeable risk to holders of the account or to the University from identity theft, such as use of consumer reports for employee background checks, credit applications and institutional debit card applications. This may include operations of utilities (e.g., New River Light & Power Company), clinical and research activities, and public service activities.


== Table of Contents ==
=== Identifying Information ===
<div id="no-bullet">
:Means any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including, but not limited to:
* [[:Category:Governance and Administration|100 Governance and Administration]]
 
** [[Policy on Policies|101 Policy on Policies]]
#name
** [[University Organization and Administration|102 University Organization and Administration]]
#address
** [[Board of Trustees|103 Board of Trustees]]
#telephone number
*** [[Bylaws|103.1 Bylaws]]
#social security number
*** [[Audit Committee Charter|103.2 Audit Committee Charter]]
#date of birth
*** [[Naming of Facilities and Programs|103.3 Naming of Facilities and Programs]]
#government-issued driver's license or identification number
*** [[Honorary Degrees|103.4 Honorary Degrees]]
#alien registration number
** [[Facility Use|104 Facility Use]]
#government passport number
** [[:Category:Records|105 Records]]
#employer or taxpayer identification number
*** [[Record Retention Policy|105.1 Record Retention Policy]]
#individual identification number
*** [[University Archives|105.2 University Archives]]  
#computer's Internet Protocol address
*** [[Policy Statement on the Family Educational Rights and Privacy Act of 1974, as Amended|105.3 Policy Statement on the Family Educational Rights and Privacy Act of 1974, as Amended]]
#bank or other financial account routing code
*** [[Identity Theft Prevention Plan|105.5 Identity Theft Prevention Plan]]
 
*** [[Public Records Requests|105.6 Public Records Requests]]
=== Identity Theft ===
** [[Drugs and Alcohol|106 Drugs and Alcohol]]
:Means a fraud committed or attempted using the identifying information of another person without authority [16 CFR 603.2(a)].
*** [[Alcohol at University Events|106.1 Alcohol at University Events]]
 
*** [[Tailgating|106.2 Tailgating]]
=== Program Administrator ===
**[[Substantive Change for Accreditation Purposes|107 Substantive Change for Accreditation Purposes]]
:Means the individual designated with primary responsibility for oversight of this Program.
**[[Compliance Calendar|108 Compliance Calendar]]
 
**[[Debt Management|109 Debt Management]]
=== Red Flag ===
**[[Discrimination and Harassment|110 Discrimination and Harassment]]
:Means a pattern, practice, alert or specific activity that indicates the possible existence of identity theft.
**[[:Category:Protection of Minors|111 Protection of Minors]]
 
***[[Protection of Minors|111.1 Protection of Minors]]
=== Service Provider ===
***[[Reporting Suspected Child Abuse and Neglect|111.2 Reporting Suspected Child Abuse and Neglect]]
:Means a person or entity that provides a service directly to the University.
**[[Sex-Based Misconduct|112 Sex-Based Misconduct]]
 
**[[Chalking|113 Chalking]]
== Policy and Procedure Statements  ==
**[[Equal Opportunity|114 Equal Opportunity]]
 
* [[:Category:Academic Affairs|200 Academic Affairs]]
=== Identification of Red Flags ===
** [[Faculty Handbook|201 Faculty Handbook]]
4.1.1 In order to identify relevant red flags, the University considers the types of covered accounts it offers or maintains, the methods it provides to open its covered accounts, the methods it provides to access its covered accounts, and its previous experiences with identity theft. Red flags may be detected while implementing existing account opening and servicing procedures (example: individual identification, caller authentication, third party authorization, and address changes).
** [[Undergraduate Bulletin|202 Undergraduate Bulletin]]
 
** [[Graduate Bulletin|203 Graduate Bulletin]]
4.1.2 The University identifies the following as red flags in each of the listed categories:
** [[Buyout Policy for Externally Sponsored Projects|204 Buyout Policy for Externally Sponsored Projects]]
 
** [[Academic Integrity Code|205 Academic Integrity Code]]
#Notifications and warnings from consumer reporting agencies
** [[Final Grade Appeal Procedure|206 Final Grade Appeal Procedure]]
##Report of fraud accompanying a credit report;
** [[Intellectual Property Transfer|207 Intellectual Property Transfer]]
##Notice or report from a credit agency of a credit freeze on an applicant;
** [[Review of Research Involving Human Subjects|209 Review of Research Involving Human Subjects]]
##Notice or report from a credit agency of an active duty alert for an applicant;
** [[Payments to Human Subjects|210 Payments to Human Subjects]]
##Receipt of a notice of address discrepancy in response to a credit report request; and
** [[Integrity in Scholarship and Scientific Research|211 Integrity in Scholarship and Scientific Research]]
##Indication from a credit report of activity that is inconsistent with an applicant's usual pattern or activity
** [[Use of Recombinant DNA in Research and Teaching Laboratories|212 Use of Recombinant DNA in Research and Teaching Laboratories]]
#Suspicious documents
** [[Care and Use of Animals for Research Teaching or Demonstration|213 Care and Use of Animals for Research Teaching or Demonstration]]
##Identification document or card that appears to be forged, altered or inauthentic;
** [[Credit Hour Policy|214 Credit Hour Policy]]
##Identification document or card on which a person?s photograph or physical description is not consistent with the person presenting the document;
** [[Policy on Internet/Web-Based Courses|215 Policy on Internet/Web-Based Courses]]
##Other document with information that is not consistent with existing individual information; and
** [[Human Subject Research Recruitment|216 Human Subject Research Recruitment]]
##Application that appears to have been altered or forged.
** [[Export Controls Compliance|217 Export Controls Compliance]]
#Suspicious personal identifying information
** [[Policy on Independent Studies|218 Policy on Independent Studies]]
##Identifying information that is inconsistent with other information the individual provides (example: inconsistent birth dates);
** [[Policy on Faculty Workload|219 Policy on Faculty Workload]]
##Identifying information that is inconsistent with other sources of information (example: an address not matching an address on a loan application);
** [[Facilities and Administrative Cost Policy|220 Facilities and Administrative Cost Policy]]
##Identifying information that is the same as information shown on other applications that were found to be fraudulent;
** [[Fellowship Policy|221 Fellowship Policy]]
##Identifying information that is consistent with fraudulent activity (examples: an invalid phone number or fictitious billing address);
** [[Global Learning Management System Policy|222 Global Learning Management System Policy]]
##Social security number that is the same as one given by another individual;
** [[Campus Survey Policy|223 Campus Survey Policy]]
##An address or phone number that is the same as that of another person;
* [[:Category:Public Safety| 300 Public Safety]]
##A person fails to provide complete personal identifying information on an application when reminded to do so; and  
** [[:Category:Police|301 Police]]
##A person's identifying information is not consistent with the information that is on file for the individual. 
*** [[Special Services|301.1 Special Services]]
#Suspicious covered account activity
*** [[University Police Services|301.2 University Police Services]]
##Change of address for an account followed by a request to change the individual's name;
*** [[Criminal Trespass|301.3 Criminal Trespass Warning]]
##Payments stop on an otherwise consistently up-to-date account;
*** [[Clery_Act_Compliance_Policy|301.4 Clery Act Compliance Policy]]
##Account used in a way that is not consistent with prior use;
*** [[Bicycle Helmets|301.5 Bicycle Helmets]]
##Mail sent to the individual is repeatedly returned as undeliverable;
** [[:Category:Emergency Management|302 Emergency Management]]
##Notice to the University that an individual is not receiving mail sent by the University;
*** [[Emergency Management Program|302.1 Emergency Management Program]]
##Notice to the University that an account has unauthorized activity;
*** [[Communication Guidelines|302.2 Communication Guidelines for Emergencies and Campus Issues]]
##Breach in the University's computer system security; and  
*** [[Emergency Operations Plan|302.3 Emergency Operations Plan]]
##Unauthorized access to or use of individual account information. 
*** [[Building Emergency Plans|302.4 Building Emergency Plans]]
#Alerts from others
*** [[Infectious Disease Plan|302.5 Pandemic Infectious Disease Plan]]
##Notice to the University from an identity theft victim, law enforcement officer or other person that the University has opened or is maintaining a fraudulent account for a person engaged in identity theft.
*** [[International Crisis Management|302.6 International Crisis Management]]
 
*** [[Emergency Notification System|302.7 Emergency Notification System]]
=== Detection of Red Flags ===
** [[:Category:Environmental Health and Safety|303 Environmental Health and Safety]]
 
*** [[Office of Occupational Safety and Health Introduction|303.1 Office of Occupational Safety and Health Introduction]]
==== Student Enrollment ====
*** [[OSHA Regulations|303.2 OSHA Regulations]]
 
*** [[Safety Committees|303.3 Safety Committees]]
4.2.1.1 In order to detect any of the red flags identified above associated with the enrollment of a student, University personnel shall take the following steps to obtain and verify the identity of the person opening the account:
*** [[Personal Protective Equipment|303.4 Personal Protective Equipment]]
 
*** [[Accident Reports|303.5 Accident Reports]]
#Require certain identifying information such as name, date of birth, academic records, home address or other identification; and
*** [[Safety Hazards|303.6 Safety Hazards]]
#Verify the individual's identity at time of issuance of individual
*** [[Hazardous Communication Program|303.7 Hazardous Communication Program]]
*** [[Exposure Control Plan For Bloodborne Pathogens|303.8 Exposure Control Plan for Bloodborne Pathogens]]
4.2.1.2 Identification card (example: review of driver's license or other government-issued photo identification).
*** [[Chemical Hygiene Plan|303.9 Chemical Hygiene Plan]]
 
*** [[Open Flame Policy|303.10 Open Flame Policy]]
==== New Customers or Clients ====
*** [[Fall Protection Plan|303.11 Fall Protection Plan]]
 
*** [[Respiratory Protection Program|303.12 Respiratory Protection Program]]
4.2.2.1 In order to detect any of the red flags identified above associated with service to a new customer or client, University personnel shall take the following steps to obtain and verify the identity of the person opening the account:
*** [[Multi-Passenger Vehicles|303.13 Multi-Passenger Vehicles]]
 
*** [[Lockout/Tagout Procedures|303.14 Lockout/Tagout Procedures]]
#Require certain identifying information such as name, date of birth, academic records, home address or other identification; and
*** [[Pre-Purchase Review of Products|303.15 Pre-Purchase Review of Products]]
#Verify the individual's identity at time of issuance of individual
*** [[Hazardous Chemical Spill Response|303.16 Hazardous Chemical Spill Response]]
 
*** [[Automated External Defibrillator Protocol|303.17 Automated External Defibrillator Protocol]]
4.2.2.2 Identification card (example: review of driver's license or other government-issued photo identification).
*** [[Safety Inspections|303.18 Safety Inspections]]
 
*** [[Fire Prevention and Emergency Action|303.19 Fire Prevention and Emergency Action]]
==== Existing Accounts ====
*** [[Industrial Hygiene Assistance Request Form|303.20 Industrial Hygiene Assistance Request Form]]
 
*** [[Emergency Telephone Number|303.21 Emergency Telephone Numbers]]
4.2.3.1 In order to detect any of the red flags identified above for an existing covered account, University personnel shall take the following steps to monitor transactions on an account:
*** [[Radiation Safety Manual|303.22 Radiation Safety Manual]]
 
*** [[Confined Space Program|303.23 Confined Space Program]]
#Verify the identification of individuals if they request information (in person, via telephone, via facsimile, via email);
*** [[Animals on Campus|303.24 Animals On Campus]]
#Verify the validity of requests to change billing addresses by mail or email and provide the individual a reasonable means of promptly reporting incorrect billing address changes; and
*** [[Tobacco_and_Related_Product_Restrictions_on_University_Property|303.25 Tobacco and Related Product Restrictions on University Property]]
#Verify changes in banking information given for billing and payment purposes.
*** [[Unmanned Aircraft Systems Policy|303.26 Unmanned Aircraft Systems Policy]]
 
*** [[Theatrical Simulated Firearms Policy|303.27 Theatrical Simulated Firearms Policy]]
==== Consumer ("Credit") Report Requests ====
** [[:Category:Parking and Traffic|304 Parking and Traffic]]
 
*** [[Rules and Regulations|304.1 Rules and Regulations]]
In order to detect any of the red flags identified above in regard to an employment or volunteer position for which a credit or background report is sought, University personnel shall take the following steps to assist in identifying address discrepancies:
*** [[Use of Skateboards and Similar Devices|304.2 Use of Skateboards and Similar Devices]]
 
* [[:Category:Students|400 Students]]
#Require written verification from any applicant that the address provided by the applicant is accurate at the time the request for the credit report is made to the consumer reporting agency; and  
** [[Code of Student Conduct|401 Code of Student Conduct]]
#In the event that notice of an address discrepancy is received, verify that the credit or background report pertains to the applicant for whom the requested report was made and report to the consumer reporting agency an address for the applicant that the University has reasonably confirmed is accurate.
*** <s>401.2 Harassment and Discrimination</s> [[Discrimination, Harassment and Retaliation|See Policy #110]]
 
** [[:Category:Student Organizations|402 Student Organizations]]
=== Response to Red Flags ===
*** [[Organizational Student Conduct Policy|402.1 Organizational Student Conduct Policy]]
 
*** [[Student Organization Web Sites|402.2 Student Organization Web Sites]]
4.3.1 Once potentially fraudulent activity is detected, an employee must act promptly to protect individuals and the University from damages and loss. At a minimum, the employee must gather all related documentation, write a description of the situation, and present this information to the program administrator.
*** [[Recognized Student Organization Food Sales|402.3 Recognized Student Organization Food Sales]]
 
** [[:Category:Student Health|403 Student Health]]
4.3.2 The program administrator will complete additional investigation if necessary to determine whether the attempted transaction was fraudulent or authentic.
*** [[Administrative Health Officer|403.1 Administrative Health Officer]]
 
*** [[Rendering Assistance to Students Who Have Attempted Suicide or Who Exhibit Other Life-Threatening Behaviors|403.2 Rendering Assistance to Students Who Have Attempted Suicide or Who Exhibit Other Life-Threatening Behaviors]]
4.3.3 If a transaction is determined to be fraudulent, appropriate actions must be taken immediately. Actions may include (1) canceling the transaction; (2) notifying and cooperating with appropriate law enforcement personnel; (3) determining the extent of liability of the University; and (4) notifying the individual upon whom fraud has been attempted or whose identifying information has been subjected to a security breach.
*** [[Medical Withdrawals|403.3 Medical Withdrawals]]
 
*** [[Student Death Policy|403.4 Student Death Policy]]
=== Prevention and Mitigation of Identity Theft ===
*** [[Awarding Degrees Posthumously|403.5 Awarding Degrees Posthumously]]
 
** [[:Category:Housing|404 Housing]]
In the event University personnel detect any identified red flags, such personnel shall take one or more of the following steps to prevent and mitigate identity theft, depending on their determination of the degree of risk posed by the red flag:
*** [[Right of Entry/Search and Seizure|404.1 Right of Entry/Search and Seizure]]
 
** [[:Category:Miscellaneous Student Policies|405 Miscellaneous Student Policies]]
#Continue to monitor a covered account for evidence of identity theft; 
*** [[Tunnel Painting|405.1 Tunnel Painting]]
#Contact the individual or applicant (for whom a credit or background report was run);
** [[:Category:Student Withdrawal|406 Student Withdrawal]]
#Change any passwords or other security devices that permit access to covered accounts;
*** [[Withdrawal Policy|406.1 Withdrawal Policy]]
#Refuse to open a new covered account;
* [[Business Operations|500 Business Operations]]
#Provide the individual with a new individual identification number;
** [[Management and Use of University Funds| 501 Management and Use of University Funds]]
#Notify the program administrator for determination of the appropriate step(s) to take;
*** [[Departmental Bookkeeping|501.7 Departmental Bookkeeping]]
#Notify appropriate law enforcement personnel;
*** [[Fixed Asset System|501.17 Fixed Asset System]]
#File or assist in filing a Suspicious Activity Report ("SAR") with the Financial Crimes Enforcement Network, United States Department of the Treasury; and/or
** [[Bookstore|502 Bookstore]]
#Determine that no response is warranted under the particular circumstances.  
** [[University Treasurer|503 University Treasurer]]
 
*** [[State Policies Regarding The Receipt of Funds|503.1 State Policies Regarding the Receipt of Funds]]
==== Protect Identifying Information ====
*** [[Receipting and Depositing Funds|503.2 Receipting and Depositing Funds]]
 
*** [[Collection of Cash Outside University Cashier's Office|503.3 Collection of Cash Outside University Cashier's Office]]
In order to further prevent the likelihood of identity theft occurring with respect to covered accounts, the University will take the following steps to protect individual identifying information:
*** [[Storage and Safeguarding of Funds|503.4 Storage and Safeguarding of Funds]]
 
*** [[Imprest Change Funds|503.5 Imprest Change Funds]]
#Ensure that its website is secure or provide clear notice that the website is not secure;
*** [[Collection of Accounts Receivable|503.6 Collection of Accounts Receivable]]
#Ensure complete and secure destruction of paper documents and computer files containing individual account information when a decision has been made to no longer maintain such information;
*** [[Collection of Checks Returned for Insufficient Funds|503.7 Collection of Checks Returned for Insufficient Funds]]
#Ensure that office computers with access to covered account information are password protected;
*** [[Payment Card Services Policy|503.8 Payment Card Services Policy]]
#Ensure that laptops are password protected and encrypted;
*** [[Collection and Write-Off of University Accounts Receivable|503.9 Collection and Write-Off of University Accounts Receivable]]
#Avoid use of social security numbers;
** [[Central Warehouse|504 Central Warehouse]]
#Ensure the security of the physical facility that contains covered account information;
*** [[Warehouse Stock Items|504.1 Warehouse Stock Items]]
#Ensure that transmission of information is limited and encrypted when necessary;
*** [[Central Receiving|504.2 Central Receiving]]
#Ensure computer virus protection is up to date; and
*** [[Central Shipping|504.3 Central Shipping]]
#Require and keep only the kinds of individual identifying information that is necessary for University purposes.
*** [[Purchasing Items from the Central Warehouse|504.4 Purchasing Items from the Central Warehouse]]
 
** [[Campus Dining|505 Campus Dining]] 
=== Additional Identity Theft Prevention Measures ===
*** [[APPCARDS|505.1 APPCARDS]]
==== Hard Copy Distribution ====
** [[Payroll|506 Payroll]]
Each employee and contractor performing work for the University will comply with the following procedures:
*** [[ASU Payroll Policies|506.1 ASU Payroll Policies]]
 
** [[Facilities and Property Management|507 Facilities and Property Management]] 
#File cabinets, desk drawers, overhead cabinets, and any other storage space containing documents with identifying information will be locked when not in use.
*** [[Association with other University Departments|507.1 Association with other University Departments]]
#Storage rooms containing documents with identifying information and record retention areas will be locked at the end of each workday or when unsupervised.
*** [[Funding and Types of Services|507.2 Funding and Types of Services]]
#Desk workstations, work areas, printers and fax machines, and common shared work areas will be cleared of all documents containing identifying information when not in use.
*** [[Services Provided by the Physical Plant|507.3 Services Provided by the Physical Plant]]
#Whiteboards, dry-erase boards, writing tablets, and other writing surfaces in common shared work areas will be erased, removed, or shredded when not in use.
*** [[Requests for Physical Plant Services|507.4 Requests for Physical Plant Services]]
#When documents containing identifying information are discarded, they will be placed inside a locked shred bin or immediately shredded using a mechanical cross cut or Department of Defense-approved shredding device. Locked shred bins are labeled "Confidential paper shredding and recycling."
*** [[Emergency Maintenance and Repair Service|507.5 Emergency Maintenance and Repair Service]]
 
*** [[Renovations and Alterations|507.6 Renovations and Alterations]]
=== Program Administration ===
*** [[Key and Lock Security|507.7 Key and Lock Security]]
==== Oversight ====
*** [[Heating and Cooling/Environmental Control|507.8 Heating and Cooling/Environmental Control]]
The responsibility for developing, implementing and updating this Program lies with the program administrator designated by the Chancellor. The program administrator shall be responsible for ensuring appropriate training of University staff on the Program, for reviewing any staff reports regarding the detection of red flags and the steps for preventing and mitigating identity theft, determining which steps of prevention and mitigation should be taken in particular circumstances and considering periodic changes to the Program.
*** [[Buildings and Grounds Regulations|507.9 Buildings and Grounds Regulations]]
 
*** [[Motor Vehicle Management|507.10 Motor Vehicle Management]]
==== Staff Training ====
*** [[Recycling Programs|507.11 Recycling Program]]
University employees responsible for implementing the Program shall be trained under the direction of the program administrator in the detection of red flags and the responsive steps to be taken when a red flag is detected.
*** [[Surplus Property|507.12 Surplus Property]]
 
*** [[Borrowing Computer Equipment|507.13 Borrowing Computer Equipment]]
==== Reports ====
*** [[University Space Management|507.14 University Space Management]]
Appropriate staff shall report to the program administrator at least annually on compliance with this Program. The report shall address matters such as the effectiveness of the policies and procedures of the University in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts; service provider arrangements; significant incidents involving identity theft and the University's response; and recommendations for material changes to the Program.
*** [[Campus Wayfinding and Signage|507.15 Campus Wayfinding and Signage]]
 
** [[Post Office|508 Post Office]]
==== Service Provider Arrangements ====
*** [[University Postal Service|508.1 University Postal Service]]
In the event the University engages a service provider to perform an activity in connection with one or more covered accounts, the University will take the following steps to ensure the service provider performs its obligations in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft, including the following:
*** [[Campus Mail Service|508.2 Campus Mail Service]]  
 
*** [[U.S. Federal Postal Contract Station|508.3 U.S. Federal Postal Contract Station]]
#Require, by signed contract, that service providers have such policies and procedures in place; and
*** [[Addressing Outgoing Mail|508.4 Addressing Outgoing Mail]]  
#Require, by signed contract, that service providers review the University's Program and report any red flags to the program administrator.  
*** [[United States Mail Rate Classifications|508.5 United States Mail Rate Classifications]]  
 
*** [[Quantity Mailing|508.6 Quantity Mailing]]  
==== Program Updates ====
*** [[Preparing Outgoing Mail|508.7 Preparing Outgoing Mail]]  
The program administrator shall review and update this Program at least annually to reflect changes in risks to individuals and the University from identity theft. In doing so, the program administrator shall consider the University's experiences with identity theft situations, changes in identity theft methods, changes in identity theft detection and prevention methods, and changes in the University's business arrangements with other entities.
*** [[Processing Bulk Mail|508.8 Processing Bulk Mail]]  
 
** [[Purchasing|509 Purchasing]]  
== Additional References ==
*** [[Purchasing Office|509.1 Purchasing Office]]  
This Program incorporates by reference the following policies and procedures:
*** [[Purchase Authorizations|509.2 Purchase Authorizations]]
 
*** [[Solicitation by Salesmen|509.3 Solicitation by Salesmen]]
#[http://policy.appstate.edu/Use_of_Computers_and_Data_Communications Policy on the Use of Computers and Data Communication]  
*** [[Product and Service Demonstrations by Vendors|509.4 Product and Service Demonstrations by Vendors]]
#[http://www.nss.appstate.edu/standards/open-servers-vlan-policy Computer Systems Security Policy]  
*** [[State Purchase Contracts|509.5 State Purchase Contracts]]
#[http://policy.appstate.edu/Remote_Access_Policy Remote Access Policy]
*** [[Solicitation of Bids and Quotations|509.6 Solicitation of Bids and Quotations]]
#[http://policy.appstate.edu/Trusted_Access_Policy Trusted Access Policy]
*** [[Single Source Purchases|509.7 Single Source Purchases]]
#[http://policy.appstate.edu/Network_Risk_Assessment_Policy Network Risk Assessment Policy]
*** [[Purchases from Commercial Vendors|509.8 Purchases from Commercial Vendors]]
#[http://policy.appstate.edu/Virtual_Private_Network_(VPN)_Policy Virtual Private Network (VPN) Policy]  
*** [[Changes to Purchase Orders|509.9 Changes to Purchase Orders]]
#[http://policy.appstate.edu/Wireless_Networking_Policy_and_Process Wireless Networking Policy]  
*** [[Correspondence with Vendors|509.10 Correspondence with Vendors]]
#[http://policy.appstate.edu/Wireless_Networking_Policy_and_Process Wireless to Trusted Network Policy]
*** [[Return of Merchandise to Vendors|509.11 Return of Merchandise to Vendors]]
#[http://policy.appstate.edu/Statement_of_Confidentiality Statement of Confidentiality]
*** [[Purchases from University Facilities|509.12 Purchases from University Facilities]]
 
*** [[Emergency Purchases|509.13 Emergency Purchases]]
== Authority ==
*** [[Blanket Purchase Orders|509.14 Blanket Purchase Orders]]
 
*** [[Rental and Lease of Equipment|509.15 Rental and Lease of Equipment]]
16 CFR Part 681
*** [[Purchase and Rental of Office Machines|509.16 Purchase and Rental of Office Machines]]
*** [[Service Contracts/Maintenance Agreements|509.17 Service Contracts/Maintenance Agreements]]
Fair and Accurate Credit Transactions Act of 2003, Public Law 108-159
*** [[Purchase or Rental of EDP and Computer Related Equipment|509.18 Purchase or Rental of EDP and Computer Related Equipment]]
 
*** [[Excise and Sales Tax|509.19 Excise and Sales Tax]]
North Carolina General Statutes, Chapter 75, Article 2A
*** [[Personal and Professional Service Contracts|509.20 Personal and Professional Service Contracts]]
 
*** [[Indefinite Quantity Contracts|509.21 Indefinite Quantity Contracts]]
== Contact Information ==
*** [[Small Purchases|509.22 Small Purchases]]
 
*** [[Procurement Card Program|509.23 Procurement Card Program]]
 
*** [[Pre-Payments|509.24 Pre-Payments]]
== Original Effective Date ==
** [[:Category:Travel, Transportation, and Expense Reimbursements|510 Travel, Transportation, and Expense Reimbursements]]
 
*** [[Travel and Expense Reimbursement Policy|510.1 Travel and Expense Reimbursement Policy]]
== Revision Dates ==
*** [[Travel to Destinations of Elevated Risk|510.2 Travel to Destinations of Elevated Risk]]
:November 5, 2021 - previously policy 105.5
*** [[International Travel Insurance|510.3 International Travel Insurance]]
** [[Printing and Publications|511 Printing and Publications]]
*** [[Printing Responsibilities|511.1 Printing Responsibilities]]
*** [[Printing Services and Charges|511.2 Printing Services and Charges]]
*** [[Graphic Identity Program|511.3 Graphic Identity Program]]
** [[Budget Administration|512 Budget Administration]]
* [[Human Resources|600 Human Resources]]
** [[Hiring and Separation|601 Hiring and Separation]]
*** [[SHRA Employee Hiring|601.1 SHRA Employee Hiring]]
*** [[SHRA Employee Merit-Based Recruitment and Selection Plan|601.2 SHRA Employee Merit-Based Recruitment and Selection Plan]]
*** [[SHRA Employee Requesting Position Actions|601.3 SHRA Employee Requesting Position Actions]]
*** [[SHRA Employee Separation from Service|601.4 SHRA Employee Separation from Service]]
*** [[SHRA Employee Terminating Employment|601.5 SHRA Employee Terminating Employment]]
*** [[SHRA Grievance and Appeal|601.6 SHRA Grievance and Appeal]]
*** [[SHRA Employee Reduction-in-Force|601.7 SHRA Employee Reduction-in-Force]]
*** [[EHRA Employees|601.8 EHRA Employees]]
*** [[Student Employees|601.9 Student Employees]]
** [[:Category:Terms and Conditions of Employment|602 Terms and Conditions of Employment]]
*** <s>602.1 Equal Opportunity</s> [[Equal Opportunity|See Policy #114]]
*** <s>602.2 Harassment, Discrimination and Retaliation</s> [[Discrimination, Harassment and Retaliation|See Policy #110]]
*** [[Employee Abuse of Alcohol and Other Drugs|602.3 Employee Abuse of Alcohol and Other Drugs]]
*** [[Software Use on Non-State Computers|602.4 Use of Software on Non-State Owned Personal Computers]]
*** [[Age Limitation for Employment and Employee Retention|602.5 Age Limitation for Employment and Employee Retention]]
*** [[Position Management|602.6 Position Management]]
*** [[Personnel Records and Information Disclosure|602.7 Personnel Records and Information Disclosure]]
*** [[Pay and Compensation|602.8 Pay and Compensation]]
*** [[In-Range Adjustment|602.9 In-Range Adjustment]]
*** [[Supplemental Pay|602.10 Supplemental Pay]]
*** [[Employee Responsibilities|602.11 Employee Responsibilities]]
*** [[Work Schedule|602.12 Work Schedule]]
*** [[Changes Affecting Employment|602.13 Changes Affecting Employment]]
*** [[Employee Relations|602.14 Employee Relations]]
*** [[Employee Safety|602.15 Employee Safety]]
*** [[Disciplinary Action Suspension and Dismissal|602.16 Disciplinary Action, Suspension and Dismissal]]
*** [[Disciplinary Suspension Without Pay|602.17 Disciplinary Suspension Without Pay]]
*** [[Demotion|602.18 Demotion]]
*** [[Pre-Disciplinary Conference|602.19 Pre-Disciplinary Conference]]
*** [[Appeal to State Human Resource Commission|602.20 Appeal to State Human Resource Commission]]
*** [[Improper Relationships between Students and Employees|602.21 Improper Relationships between Students and Employees]]
*** [[Mediation for Faculty and EHRA Administrative Personnel|602.22 Mediation for Faculty and EHRA Administrative Personnel]]
*** [[EHRA Non-Faculty Grievances|602.23 EHRA Non-Faculty Grievances]]
*** [[Evaluating Staff Employees|602.24 Evaluating Staff Employees]]
*** [[Daylight Savings Time|602.25 Daylight Savings Time]]
*** [[Adverse Weather and Emergency Closing|602.26 Adverse Weather and Emergency Closing]]
*** [[EHRA Non-faculty Employment|602.27 EHRA Non-faculty Employment]]
*** [[Critical and Essential Staff|<s>602.28 Critical and Essential Staff</s>]] (Repealed)
*** [[On-Call/Emergency Callback Pay|602.29 On-Call/Emergency Callback Pay]]
*** [[Criminal Background Reports|602.30 Criminal Background Reports]]
*** [[EHRA Non-Faculty Performance Management|602.31 EHRA Non-Faculty Performance Management]]
*** [[Workplace Violence|602.32 Workplace Violence]]
*** [[Sponsorship of Employees For United States Permanent Residence|602.33 Sponsorship of Employees For United States Permanent Residence]]
*** [[Non-Salary and Deferred Compensation|602.34 Non-Salary and Deferred Compensation]]
*** [[Employee Relocation Expenses|602.35 Employee Relocation Expenses]]
** [[:Category:Benefits|603 Benefits]]
*** [[Leave|603.1 Leave]]
*** [[Voluntary Shared Leave Program|603.2 Voluntary Shared Leave Program]]
*** [[Insurance and Retirement Benefits|603.3 Insurance and Retirement Benefits]]
*** [[Educational Opportunities|603.4 Educational Opportunities]]
*** [[Services to Employees|603.5 Services to Employees]]
*** [[Filing the Supervisor's Accident Report Form|603.6 Filing the Supervisor's Accident Report Form]]
*** [[Filing Worker's Compensation Claims|603.7 Filing Worker's Compensation Claims]]
*** [[EHRA Benefits|603.8 EHRA Benefits]]
*** [[SHRA Benefits|603.9 SHRA Benefits]]
*** [[Vacation Leave|603.10 Vacation Leave]]
*** [[Sick Leave|603.11 Sick Leave]]
*** [[Leave without Pay Administration|603.12 Leave without Pay Administration]]
*** [[Holiday Leave Administration|603.13 Holiday Leave Administration]]
*** [[FMLA Leave Administration|603.14 FMLA Leave Administration]]
*** [[Family Illness Leave Administration|603.15 Family Illness Leave Administration]]
*** [[Community Service Leave|603.16 Community Service Leave]]
*** [[Military Service Leave and Differential Pay Procedures|603.17 Military Service Leave and Differential Pay Procedures]]
*** [[Emergency Loan Fund|603.18 Emergency Loan Fund]]
** [[:Category:Conflicts of Interest and Commitment|604 Conflicts of Interest and Commitment]]
*** [[Dual Employment|604.1 Dual Employment]]
*** [[Processing Dual Employment Assignments|604.2 Processing Dual Employment Assignments]]
*** [[External Professional Activities of Faculty and Other Professional Staff|604.3 External Professional Activities of Faculty and Other Professional Staff]]
*** [[Secondary Employment|604.4 Secondary Employment]]
*** [[Staff (SHRA) Employee Request for Approval to Engage in Outside Work|604.5 Staff (SHRA) Employee Request for Approval to Engage in Outside Work]]
*** [[Conflict of Interest and Commitment|604.6 Conflict of Interest and Commitment]]
*** [[Political Activities and Public Office Holding|604.7 Political Activities and Public Office Holding]]
* [[Athletics|700 Athletics]]
** [[Department of Athletics Policies and Procedures Manual|701 Department of Athletics Policies and Procedures Manual]]
** [[Trademark/Service Mark Licensing|702 Trademark/Service Mark Licensing]]
* [[University Communications|800 University Communications]]
** [[Responses to Requests|801 Responses to Requests]]
*** [[Media Requests|801.1 Media Requests]]
* [[:Category:Information Technology|900 Information Technology]]
** [[Information Technology Governance Policy|901 Information Technology Governance Policy]]
** [[Data Governance|902 Data Governance]]
** [[Information Security Policy|903 Information Security Policy]]
** [[Infrastructure and Architecture Policy|904 Infrastructure and Architecture Policy]]
** [[Identity and Access Management Policy|905 Identity and Access Management Policy]]
** [[Acceptable Use of Computing and Electronic Resources Policy|906 Acceptable Use of Computing and Electronic Resources Policy]]
** [[General Web Standards|907 General Web Standards]]
** [[E-Mail As Official Means of Communication|908 E-Mail As Official Means of Communication]]
** [[Web Accessibility Standards|909 Web Accessibility Standards]]
** [[Statement of Confidentiality|910 Statement of Confidentiality]]
* [[Audits|1000 Audits]]
** [[Financial and Operational Audits|1001 Financial and Operational Audits]]
** [[Information Systems Audits|1002 Information Systems Audits]]
** [[Bank Accounts, Cash Funds, and Investments|1003 Bank Accounts, Cash Funds, and Investments]]
** [[Accounting_Systems_and_Procedures|1004 Accounting Systems and Procedures]]
** [[Audit Follow-Up Policy|1005 Audit Follow-Up Policy]]
</div>


[[Category:Contents]]
[[Category:Contents]]
[[Category:Governance and Administration]]
[[Category:Records]]

Revision as of 17:24, 3 March 2023

Policy 105.3

Introduction

Program Adoption

1.1.1 As a best practice and using as a guide the Federal Trade Commission's Red Flags Rule (16 CFR Part 681, implementing Section 114 of the Fair and Accurate Credit Transactions Act of 2003, Public Law 108-159) and North Carolina General Statutes, Chapter 75, Article 2A, Appalachian State University (the "University") has developed an Identity Theft Prevention Program (the "Program") described below. This Program was developed with oversight and approval of the Board of Trustees of Appalachian State University (the "Board"). After consideration of the size and complexity of the Universitys operations and account systems, and the nature and scope of the Universitys activities, the Board determined that this Program was appropriate for the University, and approved it on September 24, 2010 (the "Effective Date"). The purpose of this Program is to detect, prevent and mitigate identity theft in connection with any covered account. This Program envisions the implementation of policies and procedures subject to the Chancellor's approval in order to achieve these goals.

Scope

2.1 All University personnel whose employment duties require or allow access to identifying information of other employees or students are responsible for implementing this Program.

Definitions

"Covered Account"

Any account that constitutes a continuing financial relationship or is designed to permit multiple payments or transactions between the University and a person for a service, such as extension of credit, debit cards, Perkins Loans, Federal Family Education Loan Program (FFELP), institutional loans, accounts covered by the Health Insurance Portability and Accountability Act (HIPAA), deposit accounts, scholarship accounts, student accounts, and tuition payment plans.
Any other account that the University offers or maintains for which there is a reasonably foreseeable risk to holders of the account or to the University from identity theft, such as use of consumer reports for employee background checks, credit applications and institutional debit card applications. This may include operations of utilities (e.g., New River Light & Power Company), clinical and research activities, and public service activities.

Identifying Information

Means any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including, but not limited to:
  1. name
  2. address
  3. telephone number
  4. social security number
  5. date of birth
  6. government-issued driver's license or identification number
  7. alien registration number
  8. government passport number
  9. employer or taxpayer identification number
  10. individual identification number
  11. computer's Internet Protocol address
  12. bank or other financial account routing code

Identity Theft

Means a fraud committed or attempted using the identifying information of another person without authority [16 CFR 603.2(a)].

Program Administrator

Means the individual designated with primary responsibility for oversight of this Program.

Red Flag

Means a pattern, practice, alert or specific activity that indicates the possible existence of identity theft.

Service Provider

Means a person or entity that provides a service directly to the University.

Policy and Procedure Statements

Identification of Red Flags

4.1.1 In order to identify relevant red flags, the University considers the types of covered accounts it offers or maintains, the methods it provides to open its covered accounts, the methods it provides to access its covered accounts, and its previous experiences with identity theft. Red flags may be detected while implementing existing account opening and servicing procedures (example: individual identification, caller authentication, third party authorization, and address changes).

4.1.2 The University identifies the following as red flags in each of the listed categories:

  1. Notifications and warnings from consumer reporting agencies
    1. Report of fraud accompanying a credit report;
    2. Notice or report from a credit agency of a credit freeze on an applicant;
    3. Notice or report from a credit agency of an active duty alert for an applicant;
    4. Receipt of a notice of address discrepancy in response to a credit report request; and
    5. Indication from a credit report of activity that is inconsistent with an applicant's usual pattern or activity
  2. Suspicious documents
    1. Identification document or card that appears to be forged, altered or inauthentic;
    2. Identification document or card on which a person?s photograph or physical description is not consistent with the person presenting the document;
    3. Other document with information that is not consistent with existing individual information; and
    4. Application that appears to have been altered or forged.
  3. Suspicious personal identifying information
    1. Identifying information that is inconsistent with other information the individual provides (example: inconsistent birth dates);
    2. Identifying information that is inconsistent with other sources of information (example: an address not matching an address on a loan application);
    3. Identifying information that is the same as information shown on other applications that were found to be fraudulent;
    4. Identifying information that is consistent with fraudulent activity (examples: an invalid phone number or fictitious billing address);
    5. Social security number that is the same as one given by another individual;
    6. An address or phone number that is the same as that of another person;
    7. A person fails to provide complete personal identifying information on an application when reminded to do so; and
    8. A person's identifying information is not consistent with the information that is on file for the individual.
  4. Suspicious covered account activity
    1. Change of address for an account followed by a request to change the individual's name;
    2. Payments stop on an otherwise consistently up-to-date account;
    3. Account used in a way that is not consistent with prior use;
    4. Mail sent to the individual is repeatedly returned as undeliverable;
    5. Notice to the University that an individual is not receiving mail sent by the University;
    6. Notice to the University that an account has unauthorized activity;
    7. Breach in the University's computer system security; and
    8. Unauthorized access to or use of individual account information.
  5. Alerts from others
    1. Notice to the University from an identity theft victim, law enforcement officer or other person that the University has opened or is maintaining a fraudulent account for a person engaged in identity theft.

Detection of Red Flags

Student Enrollment

4.2.1.1 In order to detect any of the red flags identified above associated with the enrollment of a student, University personnel shall take the following steps to obtain and verify the identity of the person opening the account:

  1. Require certain identifying information such as name, date of birth, academic records, home address or other identification; and
  2. Verify the individual's identity at time of issuance of individual

4.2.1.2 Identification card (example: review of driver's license or other government-issued photo identification).

New Customers or Clients

4.2.2.1 In order to detect any of the red flags identified above associated with service to a new customer or client, University personnel shall take the following steps to obtain and verify the identity of the person opening the account:

  1. Require certain identifying information such as name, date of birth, academic records, home address or other identification; and
  2. Verify the individual's identity at time of issuance of individual

4.2.2.2 Identification card (example: review of driver's license or other government-issued photo identification).

Existing Accounts

4.2.3.1 In order to detect any of the red flags identified above for an existing covered account, University personnel shall take the following steps to monitor transactions on an account:

  1. Verify the identification of individuals if they request information (in person, via telephone, via facsimile, via email);
  2. Verify the validity of requests to change billing addresses by mail or email and provide the individual a reasonable means of promptly reporting incorrect billing address changes; and
  3. Verify changes in banking information given for billing and payment purposes.

Consumer ("Credit") Report Requests

In order to detect any of the red flags identified above in regard to an employment or volunteer position for which a credit or background report is sought, University personnel shall take the following steps to assist in identifying address discrepancies:

  1. Require written verification from any applicant that the address provided by the applicant is accurate at the time the request for the credit report is made to the consumer reporting agency; and
  2. In the event that notice of an address discrepancy is received, verify that the credit or background report pertains to the applicant for whom the requested report was made and report to the consumer reporting agency an address for the applicant that the University has reasonably confirmed is accurate.

Response to Red Flags

4.3.1 Once potentially fraudulent activity is detected, an employee must act promptly to protect individuals and the University from damages and loss. At a minimum, the employee must gather all related documentation, write a description of the situation, and present this information to the program administrator.

4.3.2 The program administrator will complete additional investigation if necessary to determine whether the attempted transaction was fraudulent or authentic.

4.3.3 If a transaction is determined to be fraudulent, appropriate actions must be taken immediately. Actions may include (1) canceling the transaction; (2) notifying and cooperating with appropriate law enforcement personnel; (3) determining the extent of liability of the University; and (4) notifying the individual upon whom fraud has been attempted or whose identifying information has been subjected to a security breach.

Prevention and Mitigation of Identity Theft

In the event University personnel detect any identified red flags, such personnel shall take one or more of the following steps to prevent and mitigate identity theft, depending on their determination of the degree of risk posed by the red flag:

  1. Continue to monitor a covered account for evidence of identity theft;
  2. Contact the individual or applicant (for whom a credit or background report was run);
  3. Change any passwords or other security devices that permit access to covered accounts;
  4. Refuse to open a new covered account;
  5. Provide the individual with a new individual identification number;
  6. Notify the program administrator for determination of the appropriate step(s) to take;
  7. Notify appropriate law enforcement personnel;
  8. File or assist in filing a Suspicious Activity Report ("SAR") with the Financial Crimes Enforcement Network, United States Department of the Treasury; and/or
  9. Determine that no response is warranted under the particular circumstances.

Protect Identifying Information

In order to further prevent the likelihood of identity theft occurring with respect to covered accounts, the University will take the following steps to protect individual identifying information:

  1. Ensure that its website is secure or provide clear notice that the website is not secure;
  2. Ensure complete and secure destruction of paper documents and computer files containing individual account information when a decision has been made to no longer maintain such information;
  3. Ensure that office computers with access to covered account information are password protected;
  4. Ensure that laptops are password protected and encrypted;
  5. Avoid use of social security numbers;
  6. Ensure the security of the physical facility that contains covered account information;
  7. Ensure that transmission of information is limited and encrypted when necessary;
  8. Ensure computer virus protection is up to date; and
  9. Require and keep only the kinds of individual identifying information that is necessary for University purposes.

Additional Identity Theft Prevention Measures

Hard Copy Distribution

Each employee and contractor performing work for the University will comply with the following procedures:

  1. File cabinets, desk drawers, overhead cabinets, and any other storage space containing documents with identifying information will be locked when not in use.
  2. Storage rooms containing documents with identifying information and record retention areas will be locked at the end of each workday or when unsupervised.
  3. Desk workstations, work areas, printers and fax machines, and common shared work areas will be cleared of all documents containing identifying information when not in use.
  4. Whiteboards, dry-erase boards, writing tablets, and other writing surfaces in common shared work areas will be erased, removed, or shredded when not in use.
  5. When documents containing identifying information are discarded, they will be placed inside a locked shred bin or immediately shredded using a mechanical cross cut or Department of Defense-approved shredding device. Locked shred bins are labeled "Confidential paper shredding and recycling."

Program Administration

Oversight

The responsibility for developing, implementing and updating this Program lies with the program administrator designated by the Chancellor. The program administrator shall be responsible for ensuring appropriate training of University staff on the Program, for reviewing any staff reports regarding the detection of red flags and the steps for preventing and mitigating identity theft, determining which steps of prevention and mitigation should be taken in particular circumstances and considering periodic changes to the Program.

Staff Training

University employees responsible for implementing the Program shall be trained under the direction of the program administrator in the detection of red flags and the responsive steps to be taken when a red flag is detected.

Reports

Appropriate staff shall report to the program administrator at least annually on compliance with this Program. The report shall address matters such as the effectiveness of the policies and procedures of the University in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts; service provider arrangements; significant incidents involving identity theft and the University's response; and recommendations for material changes to the Program.

Service Provider Arrangements

In the event the University engages a service provider to perform an activity in connection with one or more covered accounts, the University will take the following steps to ensure the service provider performs its obligations in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft, including the following:

  1. Require, by signed contract, that service providers have such policies and procedures in place; and
  2. Require, by signed contract, that service providers review the University's Program and report any red flags to the program administrator.

Program Updates

The program administrator shall review and update this Program at least annually to reflect changes in risks to individuals and the University from identity theft. In doing so, the program administrator shall consider the University's experiences with identity theft situations, changes in identity theft methods, changes in identity theft detection and prevention methods, and changes in the University's business arrangements with other entities.

Additional References

This Program incorporates by reference the following policies and procedures:

  1. Policy on the Use of Computers and Data Communication
  2. Computer Systems Security Policy
  3. Remote Access Policy
  4. Trusted Access Policy
  5. Network Risk Assessment Policy
  6. Virtual Private Network (VPN) Policy
  7. Wireless Networking Policy
  8. Wireless to Trusted Network Policy
  9. Statement of Confidentiality

Authority

16 CFR Part 681

Fair and Accurate Credit Transactions Act of 2003, Public Law 108-159

North Carolina General Statutes, Chapter 75, Article 2A

Contact Information

Original Effective Date

Revision Dates

November 5, 2021 - previously policy 105.5
Retrieved from "https://policy.appstate.edu/index.php?title=Policy_Manual&oldid=12752"