Identity Theft Prevention Plan

From Appalachian State University Policy Manual

Policy 105.5

Introduction

Program Adoption

As a best practice and using as a guide the Federal Trade Commission's Red Flags Rule (16 CFR Part 681, implementing Section 114 of the Fair and Accurate Credit Transactions Act of 2003, Public Law 108-159) and North Carolina General Statutes, Chapter 75, Article 2A, Appalachian State University (the "University") has developed an Identity Theft Prevention Program (the "Program") described below. This Program was developed with oversight and approval of the Board of Trustees of Appalachian State University (the "Board"). After consideration of the size and complexity of the Universitys operations and account systems, and the nature and scope of the Universitys activities, the Board determined that this Program was appropriate for the University, and approved it on September 24, 2010 (the "Effective Date").

Purpose

The purpose of this Program is to detect, prevent and mitigate identity theft in connection with any covered account. This Program envisions the implementation of policies and procedures subject to the Chancellor's approval in order to achieve these goals. All University personnel whose employment duties require or allow access to identifying information of other employees or students are responsible for implementing this Program.

Scope

Definitions

"Covered account"

  • any account that constitutes a continuing financial relationship or is designed to permit multiple payments or transactions between the University and a person for a service, such as extension of credit, debit cards, Perkins Loans, Federal Family Education Loan Program (FFELP), institutional loans, accounts covered by the Health Insurance Portability and Accountability Act (HIPAA), deposit accounts, scholarship accounts, student accounts, and tuition payment plans.
  • any other account that the University offers or maintains for which there is a reasonably foreseeable risk to holders of the account or to the University from identity theft, such as use of consumer reports for employee background checks, credit applications and institutional debit card applications. This may include operations of utilities (e.g., New River Light & Power Company), clinical and research activities, and public service activities. 3.2 "Identifying information" means any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including, but not limited to:
  1. name
  2. address
  3. telephone number
  4. social security number
  5. date of birth
  6. government-issued driver's license or identification number
  7. alien registration number
  8. government passport number
  9. employer or taxpayer identification number
  10. individual identification number
  11. computer's Internet Protocol address
  12. bank or other financial account routing code

Identity theft

means a fraud committed or attempted using the identifying information of another person without authority [16 CFR 603.2(a)].

Program administrator

means the individual designated with primary responsibility for oversight of this Program.

Red flag

means a pattern, practice, alert or specific activity that indicates the possible existence of identity theft.

Service provider

means a person or entity that provides a service directly to the University.

Policy and Procedure Statements

Example policy 1

Example policy 2

Additional References

Authority

Contact Information

Effective Date

Revision Dates