
Identity Theft Protection Policy : 4:01:05:61

Responsible Executive: Executive Vice President for Business and Finance

I. BACKGROUND

In late 2007 the Federal Trade Commission (FTC) and Federal banking agencies issued a regulation known as the Red Flag Rule under sections 114 and 315 of the Fair and Accurate Credit Transactions Act (FACTA) of 2003.  The regulation is intended to reduce the risk of identity theft by requiring strong fraud prevention to protect consumers’ personal data.  The regulation applies to any organization that offers credit or manages a “covered account.”  The Red Flag Rule requires any organization that maintains a “covered account” to establish, document, and maintain an identity theft prevention program that identifies potential Red Flags, detects the occurrence of Red Flags, and appropriately responds to Red Flags.  This Identity Theft Prevention Program is appropriate to the size and complexity of the college and the nature and scope of the college’s activities.

The law requires that a Red Flag policy (from which a Red Flag program will be developed) be approved by either the organization’s governing board or a committee of the board.  Oversight of the program has been assigned to the Executive Vice President for Business and Finance (EVPBF), with program reviews conducted annually.  Red Flag Rules became enforceable on November 1, 2009.

II. PURPOSE

Motlow State Community College (Motlow State) adopted this Identity Theft Prevention Program to enact reasonable policies and procedures to protect students and college employees from damages associated with the compromise of sensitive personal information.

III. DEFINITIONS

  1. Creditor – Any organization, including community colleges, which regularly:
    1. Extends, renews, or continues credit; or
    2. Arranges for someone else to extend, renew, or continue credit; or
    3. Is the assignee of a creditor involved in the decision to extend, renew, or continue credit.
  2. Credit – Deferral of payment of a debt incurred for the purchase of goods or services, including educational services.
  3. Covered account – An account with a creditor used by individuals, families, or households which involves multiple payments to that creditor.
  4. Identifying information – Information which alone, or in combination with other information, can be used to identify a specific individual.  Identifying information includes name, social security number, date of birth, driver’s license number, identification card number, employer or taxpayer identification number, unique electronic identification numbers, address or routing code, or certain electronic account identifiers associated with telephonic communications.
  5. Identity theft – A fraud attempted or committed using identifying information of another person without proper authority.
  6. Red Flag – A pattern, practice, or specific activity which indicates the possibility of identity theft.
  7. Sensitive information – Personal information belonging to any student, staff, or faculty member or other person with whom the college is affiliated.
  8. Service provider – Person providing a service directly to the financial institution or creditor.

IV. SCOPE

Activities in which Motlow State is involved that require compliance with the Red Flag Rules include:

  1. Offering student tuition and fee payment plans through a contracted provider; and
  2. Employee and student background checks through third party providers
    (Motlow State does not participate in the Federal Perkins Loan program; the Federal Family Education Loan Program; institutional loans to students, faculty, or staff; nor a deferred tuition payment plan delivered by the institution).

V. IDENTIFICATION OF RELEVANT RED FLAGS

The following Red Flags are potential indicators of fraud.  Any time a Red Flag, or a situation closely resembling a Red Flag, is apparent, it should be investigated for verification.

  1. Alerts, notifications, or other warnings received from the Attorney General’s Office or consumer reporting agencies.  For example:
    1. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:
      1. A recent and significant increase in the volume of inquiries;
      2. An unusual number of recently established credit relationships;
      3. A material change in the use of credit, especially with respect to recently established credit relationships; or
      4. An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.
  2. The presentation of suspicious documents.  For example:
    1. Documents provided for identification appearing to have been altered or forged;
    2. The photograph/physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification;
    3. Other information on the identification that is not consistent with information provided by the person opening a new covered account or customer presenting the identification; and/or
    4. An application appearing to have been altered or forged, or giving the appearance of having been destroyed and reassembled.
  3. The unusual use of, or other suspicious activity related to, a covered account.  For example:
    1. Any student account being used in a manner commonly associated with known patterns of fraud;
    2. Mail sent to the customer that is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer’s covered account;
    3. Motlow State being notified that the customer is not receiving emailed account statements;
    4. Motlow State being notified of unauthorized charges or transactions in connection with a customer’s covered account;
    5. A customer attempts to access information about a deceased student; and/or
    6. Motlow State is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.

VI. DETECTING RED FLAGS

Motlow State uses the following methods to detect Red Flags when opening and maintaining covered accounts:

  1. Procedures are in place to verify a person’s identity when processing any activity to their account including, but not limited to, registration activity, financial aid processing, and business office payments/inquiries.
  2. Notifications received from service providers of Red Flag criteria (e.g., discrepancies in social security number to name, address differences) are disseminated to specifically identified individuals.
  3. Receipt of notification of suspicious activity by student, law enforcement, or borrower is disseminated to specifically identified individuals.
  4. Equipment inventory coordinator reports that laptop and/or computer equipment with sensitive data has been lost or stolen.
  5. Motlow State has procedures in place to verify changes to sensitive information (e.g. record name changes, SSN changes, updates to banking information for billing and payment purposes, and MyMotlow password resets).
  6. Motlow State performs routine diagnostics on firewalls and the security of electronic data portals.
  7. Security scans are done in regular intervals.

VII. PREVENTING AND MITIGATING IDENTITY THEFT

Motlow State uses the following methods to prevent and to mitigate identity theft when opening and maintaining covered accounts:

  1. Third party agencies that handle sensitive data for the college are evaluated no less than annually to ensure they are in compliance with Red Flag Rules.
  2. All employees are informed and are expected to adhere to Family Educational Rights and Privacy Act (FERPA) laws to verify proper identity and non-disclosure of data to unauthorized persons.
  3. Personal banking information is only obtained and used by appropriate personnel with compliance being maintained regarding security of personal information.
  4. A readmission process is in place to verify a student’s identity when an account has been inactive for a prolonged period.
  5. Students applying for financial aid awards are verified with more than one identifying method to assure that aid is being distributed to the proper person.
  6. Procedures are in place for the proper handling of data including data saved electronically (including on computer hardware, flash drives, and remote drives).  This includes what data should be stored on these devices and what security measures should be taken to prevent loss and/or theft of such data.
  7. Motlow State trains faculty and staff on procedures for dealing with sensitive information and with access requests.
  8. Motlow State reviews internal access to paper, electronic documents and information systems containing sensitive information.
  9. Motlow State provides regular yearly training to educate faculty and staff about risks and liabilities of data loss or theft.

VIII. RESPONDING TO DETECTION OF RED FLAGS

Once a Red Flag has been detected, Motlow State will:

  1. Ask for validation and/or supplemental documentation/identification when a student’s identity is in question.
  2. Check credit card receipts when possible fraudulent charges are reported from a customer’s bank statement.
  3. Verify original student documents when a social security number to name discrepancy or other Red Flag issue regarding aged accounts is reported.
  4. Deny access to information or disable an account pending further investigation and resolution of suspicious activity.
  5. Follow up on reported thefts which possibly involve the compromise of sensitive data.
  6. Notify victims of possible identity theft and proper authorities.
  7. Develop a plan for using all available media to disseminate information concerning an improper disclosure of sensitive information.  The records of current students, former students, and employees should be considered when disseminating the information concerning a breach.

IX. UPDATE OF IDENTITY THEFT PROGRAM

This policy will be reviewed annually to determine whether all aspects of the program are up to date and applicable in the current work environment and will be revised as necessary.

X. PROGRAM ADMINISTRATION

  1. Program Oversight
    1. Motlow State has designated the EVPBF to be responsible for the oversight, development, implementation, and administration of the Identity Theft Prevention Program.
    2. A representative has been assigned from each high-risk area to identify what Red Flags might exist at Motlow State.
  2. Staff Training
    1. Staff training shall be conducted for all employees for whom it is reasonably foreseeable, as determined by the Program Administrator, that they may come into contact with covered accounts or identifying information.
  3. Oversight of Service Providers
    Motlow State assumes the responsibility of ensuring that the activities of all service providers are conducted in accordance with reasonable policies and procedures to detect, prevent, and mitigate the risk of identity theft.  Motlow State will either require the contract for the service providers to have Red Flag policies and procedures in place or require the service provider to report any Red Flags to the EVPBF.

SOURCES

CORRESPONDING POLICY

TBR Policy 4.01.05.60

HISTORY

October 28, 2009; approved by the Leadership Council on October 28, 2016

Revised: April 19, 2023

Institutional Oversight Committee Approved: August 22, 2023

President’s Cabinet Approved: August 30, 2023

Effective Date: October 28, 2016; August 30, 2023
