On October 31, 2007, the Federal Trade Commission and the federal financial institution regulatory agencies passed the final legislation to incorporate new sections 114 and 315 into the Fair and Accurate Credit Transactions Act of 2003 (FACTA). These new sections are referred to as the Red Flag Rules. Under the Red Flag Rules, every financial institution and creditor that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, is required to establish a documented Identity Theft Prevention Program that provides for the identification, detection, and response to patterns, practices, or specific activities - known as "red flags" - that could indicate identity theft. Examples of red flag activities include unusual account activity, address discrepancies, fraud alerts on a constituent's consumer report provided by a Credit Reporting Agency, or the attempted use of suspicious account applications.
Since the University provides student loans and collects payment for some services, it is considered a creditor and the FACTA Red Flag Rules apply. All University departments and employees responsible for providing student loans and/or collecting payment for services must participate in the Identity Theft Prevention Program.
Covered in this program are:
- Identifying Covered Accounts
- What covered accounts include
- What covered accounts do not include
- Identifying Red Flags
- Notifications and Warnings from Credit Reporting Agencies
- Suspicious Documents
- Suspicious Personal Identifying Information
- Suspicious Account Activity or Unusual Use of Account
- Alerts from Others
- Preventing Identity Theft Incidents
All University departments must first determine whether there are covered accounts within the business processes of their respective areas. Generally covered accounts distribute reimbursable University funds; extend, renew, or continue credit; and allow the account owner to make multiple payments or transactions.
- Student loans of University funds that are not funded by federal resources and are repaid by a payment schedule.
- Installment payments and short-term loans.
- Accounts that are created for ongoing services and allow students to reimburse when billed or over a period of time.
- Any type of collection account.
- Student loans that are funded by federal resources and only disbursed by the University.
- Fee-for-service applications such as food services, parking passes, commuter services, one-time health services, and the like.
- Collection of fees such as Library fines or parking citations.
- Golden Eagle Card accounts.
In order to identify relevant red flags, University departments that offer or manage covered accounts must review and evaluate the methods utilized to open covered accounts, to allow access to covered accounts, and any previous known occurrences of identity theft.
The following are examples of potential red flags for the listed categories:
- Report of fraud accompanying a credit report from a credit agency.
- Notice or report from a credit agency of a credit freeze on a customer or applicant.
- Notice or report from a credit agency of an active duty alert for the applicant.
- Indication from a credit report of activity that is inconsistent with a campus constituent's usual pattern or activity.
- Identification document or card that appears to be forged, altered, or inauthentic.
- Identification document or card on which a person's photograph or physical description is not consistent with the person presenting the document.
- Other document with information that is not consistent with existing campus constituent's information, such as a person's signature on a check appears forged.
- Application for service that appears to have been altered or forged.
- Identifying information presented that is inconsistent with other information the campus constituent provided, such as inconsistent birth dates.
- Identifying information presented that is inconsistent with other sources of information, such as an address that does not match the address on a driver's license.
- Identifying information presented that is the same as information shown on other applications that were found to be fraudulent.
- Identifying information presented that is consistent with fraudulent activity, such as an invalid phone number or fictitious billing address.
- Social security number presented that is the same as one given by another campus constituent.
- An address or phone number presented that is the same as that of another person who is not a family member, spouse, or roommate.
- Failing to provide complete personal identifying information on an application when reminded to do so. However, as a reminder, by law Social Security numbers must not be required.
- Identifying information that is not consistent with the information on the official record for the campus constituent.
- Change of address for an account followed by a request to change the account holder's name.
- Payments stop on an otherwise consistently up-to-date account.
- Account used in a way that is not consistent with prior use, such as very high activity.
- Mail sent to the account holder is repeatedly returned as undeliverable.
- Notification to the University that a campus constituent is not receiving mail sent by the University.
- Breach in any University or department computer system security.
- Unauthorized access to or use of campus constituent’s account information.
- Notification to the University from a campus constituent, identity theft victim, or law enforcement authority that identity theft has occurred.
- Information from any person that they have opened or are maintaining a fraudulent account for a person engaged in identity theft or know of someone who has done so.
To prevent the likelihood of future identity theft occurring in any manner, all University employees should take the following steps to protect campus constituent identifying information:
- Keep offices and unlocked file cabinets clear of documents containing campus constituent identifying information. Be sure file cabinets, cupboards, and closets containing confidential or personal information remain locked when unattended.
- Never leave document containing confidential or personal information on printers or facsimile machines. Before faxing confidential or personal information, contact the recipient to be sure they are standing by their fax to immediately retrieve the document.
- Undertake complete and secure destruction of paper documents and computer files containing campus constituent information by using a confetti or pulp paper shredder.
- Ensure all computers are password protected and that computers are locked [control/alt/delete, then enter] every time a computer is left unattended.
- Maintain up-to-date computer anti-virus protection at all times.
- Promptly report the loss or theft of any device that stores or transmits University data (e.g., computer, laptop, server, CD, DVD, electronic storage media, or smart phone) to University Police. Users must also promptly submit a Lost/Stolen Computer/Electronic Storage Device Report to IT Security and Compliance.
- Do not dispose, transfer, reassign, or donate any computers, laptops, electronic storage devices, or media, or return any smart phones to a service provider without first cleansing the equipment of any confidential, personal, or proprietary information.
- Departments and business units are responsible for ensuring that confidential information is encrypted on all electronic media.
- Do not send unencrypted protected University data over a public network.
- Do not remove constituent-identifying information from the campus without prior administrator authorization. If approved to do so, ensure that electronic files are encrypted, laptops are password protected, and documents and devices are secured and supervised at all times.
- If social security numbers (SSN) are required for financial reasons or verification of a campus constituent’s identity, request only the last 4 digits. Whenever possible, use the campus identification number (CIN) instead of the SSN.
- Require and keep only campus constituent information that is necessary for University business purposes. University data must be retained, secured, and destroyed in compliance with all legal and regulatory requirements while implementing appropriate best practices.
- Ensure that all Web site requests for confidential information use encrypted transport methods by forcing users to a secured site (i.e., https) and if not available, provide clear notice that the Web site is not secured.
For more information regarding University department responsibilities and program administration related to the CSULA Identity Theft Prevention Program, read the User Guidelines for Identity Theft Prevention.